Hospital M&A Cybersecurity: Securing Networks & Patient Data

When two hospital systems merge, they do not just combine facilities. They combine old networks, legacy applications, Active Directory environments, endpoints, vendors, and security gaps. This blog explains the technical gaps that turn hospital mergers into breach events and the security framework IT leaders need from pre-close through post-integration validation.

Hospital mergers and acquisitions are becoming more common: 72 hospital M&A transactions closed in 2024.

At the same time, research analyzing HHS OCR breach data from 2010 to 2022 found that the probability of a data breach more than doubles during a two-year window surrounding a hospital M&A. 

Ransomware attacks on merging hospitals also rose during this period: 4.6% of merger deals involved a reported ransomware attack.

Every deal creates the same security problem: two organizations with different security postures, different EHR platforms, and different vendor ecosystems become one network. The weakest link in either environment becomes the weakest link in both. 

The deal closes, systems begin to connect, and the IT team inherits a new risk environment it did not build.

That environment often includes legacy applications, unmanaged endpoints, third-party integrations, overlapping identities, and incomplete documentation. In healthcare, those gaps do not stay technical for long: they affect operations, care continuity, and patient data security. The financial case for a healthcare merger also tends to overshadow the security risk the merger creates.

The 2024 Change Healthcare attack illustrated this at scale. An acquired company's remote access server, running 40-year-old legacy payment processing software, missing MFA, and never upgraded after the acquisition, became the entry point for a breach that exposed the records of 100 million patients and cost UnitedHealth Group an estimated $2.9 billion.

The target wasn't a hospital. It was a clearinghouse that hospitals had trusted and connected to.

Hospital mergers do not just combine organizations. They combine attack surfaces.

What the Acquiring Hospital Actually Inherits 

The due diligence process for hospital M&A is built to surface financial and legal issues. Cybersecurity gaps are harder to expose before closing because technical access is limited, timelines are compressed, and third-party dependencies are not always fully visible. 

As one CISO at a major health system noted, “When you buy an organization, you typically don’t know everything you’re buying.” 

That inherited risk usually shows up in four places. 

First, there are parallel clinical and administrative environments that remain live long after the acquisition. Multiple EHR platforms, imaging systems, and departmental tools continue operating with their own patch cycles and access controls. In practice, 44% of acquired hospitals never switch to the acquiring system's EHR, so dual or triple environments persist for years.

Second, there are inherited endpoints and servers that fall outside visibility. In August 2024, a healthcare organization experienced unauthorized access and data exfiltration from a server inherited through an acquisition. The server had no EDR agent and no logging, so the activity had been invisible from the day it was inherited and was only found when the breach was investigated.

Third, every vendor and integration connected to the acquired entity becomes part of the combined risk surface. Billing tools, labs, scheduling systems, imaging vendors, remote access tools, and outsourced service providers all create possible paths into the environment. 

Fourth, the acquirer may inherit a compromise that began before the transaction closed. Average dwell time in healthcare breaches is 279 days. An attacker who gained access to the target network before the deal closed may still be present months after integration. You won’t know until you look.

Where Hospital Network Security Fails During Integration


Most breaches and overlooked vulnerabilities discovered after hospital mergers trace back to a small set of repeatable failures. 

  1. Network Trust Is Extended Too Early 

Integration pressure is real. Clinical teams want access, leadership wants operational alignment, and the business case depends on systems working together quickly. That often leads to network connectivity before validation. 

CommonSpirit Health is the clearest warning. A ransomware attack originating in one acquired facility cascaded across 140 hospitals in 21 states. Once environments are connected without proper segmentation and validation, one compromise can affect the full system. 

  2. Identity & Active Directory Risk Is Underestimated

Hospital mergers often create overlapping domains, inherited privileges, stale accounts, and service accounts that no one wants to touch because they support clinical systems. That makes identity consolidation one of the highest-risk parts of integration. 

If orphaned accounts remain active, privileged service accounts stay over-permissioned, or trust relationships are created without full review, an attacker can move from one part of the network to another with very little resistance. 
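One way to make the identity review concrete is to run the acquired domain's user export through a script that flags exactly the three conditions above: enabled accounts nobody has used, service accounts sitting in privileged groups, and non-expiring passwords that have not been rotated. The script below is an added example for this post, not KLEAP tooling. It assumes the export was taken beforehand (for instance with Get-ADUser and Export-Csv, with the columns shown) and the sample rows, group names and dates are constructed. Domain trust review is a separate step it does not cover.

```python
"""Identity review of an acquired Active Directory domain from a CSV export.

Added example, not KLEAP tooling. Assumes an export taken beforehand, e.g.
  Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet,
    PasswordNeverExpires,ServicePrincipalName,MemberOf | Export-Csv users.csv
with the columns used below. Sample rows are constructed, not real accounts.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Assumption: the groups the acquirer treats as Tier 0. Adjust to the
# acquired domain's real privileged groups before running this for real.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}
STALE_DAYS = 90           # enabled account with no logon this long => orphaned
OLD_PASSWORD_DAYS = 365   # non-expiring password older than this => finding

# Constructed sample export; dates are ISO 8601, groups are ';'-separated.
SAMPLE_CSV = """SamAccountName,Enabled,LastLogonDate,PasswordLastSet,PasswordNeverExpires,ServicePrincipalName,MemberOf
jsmith,True,2025-01-10,2024-11-02,False,,CN=Clinical Users
rjones,True,2024-03-01,2023-12-15,False,,CN=Domain Admins;CN=IT Staff
svc_pacs,True,2025-01-12,2019-06-30,True,HTTP/pacs01.legacy.example,CN=Domain Admins;CN=Service Accounts
svc_lab,True,2025-01-11,2024-09-01,True,MSSQLSvc/lab01.legacy.example:1433,CN=Service Accounts
tmp_contractor,False,2022-08-20,2022-08-20,False,,CN=Contractors
"""


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    severity: str
    detail: str


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def _date(value: str) -> datetime | None:
    return datetime.fromisoformat(value) if value.strip() else None


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def review_accounts(rows: list[dict[str, str]], as_of: datetime) -> list[Finding]:
    """Flag orphaned enabled accounts, privileged service accounts and stale
    non-expiring passwords. Membership in a Tier 0 group raises severity to high."""
    findings: list[Finding] = []
    for row in rows:
        name = row["SamAccountName"]
        if not _is_true(row["Enabled"]):
            continue  # disabled accounts are not a live path; review them separately
        groups = {g.removeprefix("CN=") for g in row["MemberOf"].split(";") if g}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        severity = "high" if privileged else "medium"
        is_service = bool(row["ServicePrincipalName"].strip())

        last_logon = _date(row["LastLogonDate"])
        if last_logon is None or (as_of - last_logon).days > STALE_DAYS:
            idle = "never logged on" if last_logon is None else f"idle {(as_of - last_logon).days} days"
            findings.append(Finding(name, "orphaned-enabled", severity, idle))

        if is_service and privileged:
            findings.append(Finding(name, "privileged-service-account", "high",
                                    "SPN set and member of " + ", ".join(privileged)))

        if _is_true(row["PasswordNeverExpires"]):
            pwd_set = _date(row["PasswordLastSet"])
            age = None if pwd_set is None else (as_of - pwd_set).days
            if age is None or age > OLD_PASSWORD_DAYS:
                detail = "password never set" if age is None else f"password {age} days old, never expires"
                findings.append(Finding(name, "stale-non-expiring-password", severity, detail))
    return findings


def review_sample(as_of_iso: str = "2025-01-15") -> list[Finding]:
    """Run the review over the constructed sample as of a fixed date."""
    return review_accounts(parse_export(SAMPLE_CSV), datetime.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.severity:6} {f.account:16} {f.issue:30} {f.detail}")
```

On the sample, rjones is an enabled Domain Admin with no logon in ten months, and svc_pacs is a service account that is both a Domain Admin and running on a password last set in 2019; svc_lab has a non-expiring password too, but it was rotated recently and sits in no privileged group, so it is not reported. The thresholds are deliberately parameters: the right stale window for a clinical domain is a decision the integration team should make and document, not a default.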

  3. Legacy Systems Remain Exposed on the Live Network

Acquired clinical applications, imaging systems, and older devices often cannot be patched or migrated quickly because migration is expensive, disruptive to care delivery, and takes months.

So, they stay on the live network. They become the easiest targets in the combined environment: known platforms, known vulnerabilities, no EDR, no monitoring. Lateral movement is used in over 70% of successful healthcare breaches. A legacy system that cannot be secured is a persistent foothold for any attacker who reaches it.

A Security Checklist for Hospital M&A You Can Apply 

KLEAP treats compliance and security as operating disciplines. That same logic applies here. Cybersecurity for hospitals in an M&A context must be treated like a structured program with defined milestones and accountable owners. 

  1. Pre-close: Due Diligence as a Security Workstream 

Before closing, the goal is to identify obvious external exposure, likely inherited risk, and contractual blind spots. 

This includes external attack surface assessment of public-facing systems, breach history review through HHS OCR records, vendor and compliance questionnaires, and deal language that requires disclosure of known incidents, unresolved vulnerabilities, and material security issues. 

That work helps establish whether the acquirer is inheriting technical debt that will become part of its own hospital network security burden on Day 1. 

  2. Day 1 to 30: Identify, Contain, & Establish Visibility

The acquired environment should be treated as untrusted until it is assessed. That means no broad trust by default. 

The first 30 days should focus on deploying endpoint visibility, conducting compromise assessment, inventorying inherited vendor connections, establishing logging and SIEM coverage, and enforcing MFA on every remote access path. 

The point is simple: you cannot protect what you cannot see, and you cannot safely integrate what you have not assessed. 
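"Deploying endpoint visibility" and "establishing logging and SIEM coverage" are only done when every host found on the acquired network can be matched to an EDR agent and a log source. The script below, an added example for this post rather than KLEAP tooling, reconciles a network discovery sweep against the EDR console's agent list and the SIEM's source list, and separately lists inherited remote access paths that still lack MFA. The CSV layouts, hostnames, dates and the seven-day agent staleness window are constructed assumptions; the point it demonstrates is that an "invisible since day one" server is found by joining inventories, not by reading any one console.

```python
"""Day 1 to 30 visibility reconciliation for an acquired environment.

Added example, not KLEAP tooling. Joins a network sweep, the EDR agent
list and the SIEM log-source list to find hosts with no EDR (or a stale
agent) and no logging, and lists remote access paths without MFA. All
inventories, hostnames, dates and CSV layouts are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime

AGENT_STALE_DAYS = 7  # assumption: an agent silent this long is treated as absent

# Constructed inventories. Scanners and consoles rarely agree on hostname form
# (FQDN vs NetBIOS, case), so everything is joined on a normalised short name.
NETWORK_SWEEP = """host,ip,zone
pacs01.legacy.example,10.20.5.11,clinical
lab-db01.legacy.example,10.20.5.22,clinical
billing-app.legacy.example,10.20.8.5,admin
rdp-gw.legacy.example,10.20.1.9,dmz
ws-4471.legacy.example,10.20.30.71,user
"""
EDR_AGENTS = """host,last_seen
PACS01,2025-01-14
BILLING-APP,2025-01-14
WS-4471,2024-11-30
"""
SIEM_SOURCES = """host,last_event
pacs01,2025-01-14
rdp-gw,2025-01-14
"""
REMOTE_ACCESS = """name,host,mfa
legacy RDP gateway,rdp-gw.legacy.example,no
site VPN,vpn.legacy.example,yes
"""


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def short_name(host: str) -> str:
    """Normalise 'PACS01', 'pacs01.legacy.example' and 'pacs01' to one key."""
    return host.strip().lower().split(".")[0]


def find_visibility_gaps(sweep: str, edr: str, siem: str, as_of: datetime) -> dict[str, list[str]]:
    """Return {short host name: [gaps]} for every discovered host that is
    missing EDR, has a stale EDR agent, or has no SIEM log source."""
    agent_seen = {short_name(r["host"]): datetime.fromisoformat(r["last_seen"]) for r in _rows(edr)}
    logging_hosts = {short_name(r["host"]) for r in _rows(siem)}
    gaps: dict[str, list[str]] = {}
    for r in _rows(sweep):
        host = short_name(r["host"])
        issues: list[str] = []
        seen = agent_seen.get(host)
        if seen is None:
            issues.append("no-edr")
        elif (as_of - seen).days > AGENT_STALE_DAYS:
            issues.append("edr-agent-stale")
        if host not in logging_hosts:
            issues.append("no-logging")
        if issues:
            gaps[host] = issues
    return gaps


def fully_blind(gaps: dict[str, list[str]]) -> list[str]:
    """Hosts with neither EDR nor logging: first targets for compromise assessment."""
    return sorted(h for h, g in gaps.items() if "no-edr" in g and "no-logging" in g)


def remote_access_without_mfa(paths: str) -> list[str]:
    """Remote access paths that need MFA before anything else is connected."""
    return [r["host"] for r in _rows(paths) if r["mfa"].strip().lower() != "yes"]


def report(as_of_iso: str = "2025-01-15") -> dict[str, object]:
    """Run the reconciliation over the constructed inventories as of a fixed date."""
    as_of = datetime.fromisoformat(as_of_iso)
    gaps = find_visibility_gaps(NETWORK_SWEEP, EDR_AGENTS, SIEM_SOURCES, as_of)
    return {"gaps": gaps, "blind": fully_blind(gaps), "no_mfa": remote_access_without_mfa(REMOTE_ACCESS)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

In the sample, lab-db01 is the inherited server the August 2024 case describes: on the network, no agent, no logs. ws-4471 shows the subtler case, an agent that was installed but stopped checking in weeks ago, which an agent-count dashboard would still count as covered. The network sweep is the authoritative side of the join; anything the EDR or SIEM knows about that the sweep did not find is worth a second sweep, not a shrug.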

  3. Day 31 to 90: Assess, Segment, & Validate

After initial triage, the work shifts to structured assessment and control hardening. 

This is where formal risk assessment, network segmentation, identity review, and legacy system isolation must happen. Systems that cannot be secured immediately should not remain broadly reachable. Access should be restricted, monitored, and segmented according to operational needs. 

For hospital mergers, this period is also where assumptions need to be tested.

How Penetration Testing Is the Validation Gate

Penetration testing after integration answers the question that matters most: Did connecting these environments create exploitable paths that did not exist before? 

That is why penetration testing in hospital M&A is not optional: the risk lies in the combined design, in shared credentials, cross-environment trust, inherited access paths, and weak segmentation between parent and acquired systems.

What makes penetration testing the validation gate is the gap between designed security and deployed security. Gartner research indicates that 99% of firewall breaches result from misconfigurations. A penetration test reveals what was actually built. In a hospital merger, where engineers from two different organizations are connecting environments under deadline pressure, that gap between intended and actual is reliably at its widest.

The evidence from live environments confirms this. Across 268 penetration tests, Rapid7 found that testers were able to abuse at least one network misconfiguration in 80% of engagements, and exploit at least one in-production vulnerability in 84%.

A post-integration assessment should validate whether an attacker can move laterally across connected sites, whether segmentation between clinical and administrative zones actually holds, whether Active Directory trusts create escalation paths, and whether inherited remote access methods or legacy assets expose patient data security across the broader environment.
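The segmentation part of that assessment comes down to a matrix: which flows between parent and acquired zones are supposed to work, and which of them actually do. The script below is an added example for this post, not KLEAP tooling and not a substitute for the penetration test itself; it covers only the reachability check, classifying each probe as a violation (reachable but not in the policy), a broken integration (in the policy but unreachable), confirmed, or blocked as designed. The zone names, the intended policy and the recorded probe results are constructed assumptions. The `tcp_probe` function is what a tester would run from a host in each source zone; it is included for live use and not exercised by the sample.

```python
"""Segmentation validation between parent and acquired network zones.

Added example, not KLEAP tooling. Evaluates recorded TCP reachability
probes against the intended post-integration policy. Zones, policy,
hostnames and probe results are constructed assumptions.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int


@dataclass(frozen=True)
class Probe:
    src_zone: str
    dst_zone: str
    dst_host: str
    port: int
    reachable: bool


# Intended policy after integration (assumption): only named flows are allowed;
# any other path between a parent zone and an acquired zone must be blocked.
ALLOWED: set[Flow] = {
    Flow("parent-clinical", "acquired-clinical", 443),   # interface engine to legacy EHR
    Flow("acquired-clinical", "parent-clinical", 443),   # results flowing back
    Flow("parent-admin", "acquired-admin", 443),         # billing integration
    Flow("parent-mgmt", "acquired-legacy", 3389),        # jump host only, no other RDP
}

# Constructed probe results, as a tester in each source zone would record them.
SAMPLE_PROBES = [
    Probe("parent-clinical", "acquired-clinical", "ehr-if01.legacy.example", 443, True),
    Probe("parent-mgmt", "acquired-legacy", "pacs01.legacy.example", 3389, True),
    Probe("parent-admin", "acquired-admin", "billing-app.legacy.example", 443, False),
    Probe("acquired-legacy", "parent-admin", "fs01.parent.example", 445, True),
    Probe("acquired-user", "parent-clinical", "ehr-app01.parent.example", 3389, True),
    Probe("acquired-admin", "parent-admin", "fs01.parent.example", 445, False),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live check: True if a TCP connect to host:port completes.
    Run from a host in the source zone; not used by the sample below."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable: all count as unreachable
        return False


def evaluate_segmentation(probes: list[Probe], allowed: set[Flow]) -> dict[str, list[Probe]]:
    """Classify each probe against the intended policy.

    violations: reachable but not allowed   -> a path the integration created
    broken:     allowed but unreachable     -> integration will fail, or wrong target host
    confirmed:  allowed and reachable
    blocked:    not allowed and unreachable -> segmentation holds for that flow
    """
    out: dict[str, list[Probe]] = {"violations": [], "broken": [], "confirmed": [], "blocked": []}
    for p in probes:
        permitted = Flow(p.src_zone, p.dst_zone, p.port) in allowed
        if p.reachable and not permitted:
            out["violations"].append(p)
        elif not p.reachable and permitted:
            out["broken"].append(p)
        elif p.reachable:
            out["confirmed"].append(p)
        else:
            out["blocked"].append(p)
    return out


def sample_report() -> dict[str, list[Probe]]:
    """Evaluate the constructed probe set against the constructed policy."""
    return evaluate_segmentation(SAMPLE_PROBES, ALLOWED)


if __name__ == "__main__":
    for category, items in sample_report().items():
        for p in items:
            print(f"{category:10} {p.src_zone} -> {p.dst_zone} {p.dst_host}:{p.port}")
```

Two caveats matter in practice. A probe that fails against a host which was never listening on that port proves nothing about the firewall, so destination hosts must be ones known to listen, or a listener the testers control in the destination zone. And a "blocked" result for one host is not a rule-level finding; the two violations in the sample (a legacy imaging host reaching parent file shares over SMB, and an acquired user segment reaching a parent clinical application over RDP) are the kind of path a tester then follows up by hand to see how far it goes.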

OCR’s Risk Analysis Initiative has produced several enforcement actions to date, and in most of them, OCR concluded that the regulated entity had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to its ePHI.

The consistent finding was that the entity could not demonstrate that its controls had been tested and validated against its actual environment. HIPAA's evaluation standard at 45 CFR §164.308(a)(8) requires a technical evaluation in response to environmental or operational changes affecting the security of ePHI. Connecting a newly acquired hospital network qualifies.

The 2024 HIPAA Security Rule NPRM proposes making penetration testing an explicit requirement at least once every 12 months, alongside vulnerability scanning every six months. Integrating hospital networks without independent validation means operating on assumptions that regulators, insurers, and patients cannot afford.

Documentation matters here as much as testing. If an OCR inquiry follows a breach, organizations need to show what was assessed, what was found, what was remediated, and how validation was performed.

Why Hospital M&A Needs a Concierge Model for Security & Compliance Service Delivery 

Hospital M&A is a growth event, but it also creates a concentrated period of inherited cyber risk. The integration window may last months. The exposure created during that period can last much longer if identity, segmentation, vendor access, and legacy systems are not handled with discipline. 

That is where KLEAP fits. We help healthcare organizations assess inherited environments, review hospital network security across locations, validate segmentation and identity exposure, and conduct penetration testing that turns integration assumptions into a documented, defensible security posture.
