In the evolving healthcare landscape, mergers and acquisitions (M&A) have become a cornerstone strategy for health systems seeking operational efficiencies and expanded care delivery. However, the convergence of multiple organizations introduces a unique set of cybersecurity challenges. Greg Sieg, CISO for the University of Michigan Regional Health Network, provides valuable insights into managing cybersecurity during these critical transitions.
M&A Complexity and Cybersecurity
For health systems, M&A activity creates a trifecta of challenges spanning the pre-merger, post-merger, and integration phases. Sieg’s leadership spans multiple entities, including Michigan Medicine, University of Michigan Health West, and University of Michigan Health Sparrow, offering a firsthand perspective on these complexities. “We’re essentially in multiple phases at once,” Sieg explains. “With West, we’re three-quarters of the way through integration, while Sparrow is at the beginning stages. Each stage demands unique strategies to maintain communication, align teams, and secure systems.”
This simultaneous management underscores the intricate dynamics of healthcare M&A, where varied organizational cultures, IT infrastructures, and security protocols must coalesce under a unified framework.
Communication: The Bedrock of Successful Integration
Throughout the M&A process, Sieg emphasizes the critical role of communication in aligning cybersecurity priorities across merged entities. “Open lines of communication are key,” he asserts. “It’s about ensuring CTOs, CIOs, and frontline staff stay informed, enabling teams to move in the right direction together.”
Establishing trust between cybersecurity teams is particularly crucial on “day one” of a merger when risks are most acute. Sieg elaborates: “You’re meeting people for the first time and addressing potential vulnerabilities immediately. Clear and transparent communication with leadership and frontline staff helps build the trust needed to identify and mitigate risks effectively.”
Strategic Tools and Application Rationalization
Standardization across IT systems is often seen as a critical objective in the integration phase. Yet Sieg advocates for a pragmatic approach: “We’re calling it a ‘do-what-makes-sense’ approach. We’re not ripping things out just to rip them out. Instead, we assess contracts, prioritize by need, and align our tools and strategies to address gaps.”
This method enables his team to evaluate which tools provide the best functionality while balancing the need for seamless integration. “We were fortunate to find that many of our major security tools were already aligned, reducing the need for drastic changes,” Sieg says.
An essential early step in Sieg’s playbook is inventory management. “One of the first things we did was inventory our tools and contracts,” he notes. “Understanding what you have, and where the gaps are, allows you to create a roadmap for rationalization and risk mitigation.”
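The inventory-and-gaps step above can be made concrete. The following is an added example, not code from the article or from any University of Michigan Health team: it merges a constructed security-tool inventory from an acquiring and an acquired entity, classifies each required control category as already aligned, needing consolidation, or a coverage gap, and orders the consolidation candidates by nearest contract expiry (the natural decision point when contracts drive prioritization). Entity labels, product names, categories and contract dates are all constructed placeholders.

```python
"""Tool-inventory rationalization across two merging entities (added example).

All entity labels, product names and contract dates below are constructed
placeholders, not data from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tool:
    entity: str         # which organization runs the tool
    category: str       # control category, e.g. "edr", "siem", "mfa"
    product: str        # vendor/product name (constructed)
    contract_end: date  # when the current contract ends


# Constructed sample inventory for the two entities.
INVENTORY = [
    Tool("acquirer", "edr", "EDR-A", date(2026, 6, 30)),
    Tool("acquirer", "siem", "SIEM-A", date(2027, 1, 15)),
    Tool("acquirer", "mfa", "MFA-A", date(2025, 12, 31)),
    Tool("acquirer", "email_gateway", "MailSec-A", date(2026, 3, 1)),
    Tool("acquired", "edr", "EDR-A", date(2025, 9, 30)),        # same product: already aligned
    Tool("acquired", "siem", "SIEM-B", date(2026, 11, 30)),     # different product: consolidate
    Tool("acquired", "mfa", "MFA-A", date(2025, 12, 31)),
    Tool("acquired", "vuln_mgmt", "VM-B", date(2025, 10, 31)),  # acquirer has no coverage here
]

# Control categories the combined organization expects every entity to cover.
REQUIRED_CATEGORIES = {"edr", "siem", "mfa", "email_gateway", "vuln_mgmt"}


def rationalize(inventory, entities=("acquirer", "acquired"), required=REQUIRED_CATEGORIES):
    """Classify each required category as 'aligned', 'consolidate' or 'gap'.

    aligned     - every entity covers the category with the same product
    consolidate - every entity covers it, but with different products
    gap         - at least one entity has no tool in the category
    """
    by_cat = defaultdict(dict)  # category -> entity -> set of products
    for t in inventory:
        by_cat[t.category].setdefault(t.entity, set()).add(t.product)

    report = {}
    for cat in sorted(required):
        coverage = by_cat.get(cat, {})
        missing = [e for e in entities if e not in coverage]
        products = set()
        for prods in coverage.values():
            products |= prods
        if missing:
            status = "gap"
        elif len(products) == 1:
            status = "aligned"
        else:
            status = "consolidate"
        report[cat] = {"status": status, "missing": missing, "products": sorted(products)}
    return report


def consolidation_order(inventory, report, today):
    """Order 'consolidate' categories by nearest contract expiry.

    Returns a list of (category, days_until_earliest_expiry); the soonest
    expiry is where a product decision must be made first.
    """
    earliest = {}
    for t in inventory:
        if report.get(t.category, {}).get("status") != "consolidate":
            continue
        if t.category not in earliest or t.contract_end < earliest[t.category]:
            earliest[t.category] = t.contract_end
    return sorted(((cat, (d - today).days) for cat, d in earliest.items()),
                  key=lambda item: item[1])


if __name__ == "__main__":
    rep = rationalize(INVENTORY)
    for cat, info in rep.items():
        print(f"{cat:14s} {info['status']:12s} products={info['products']} missing={info['missing']}")
    print("consolidation order:", consolidation_order(INVENTORY, rep, date(2025, 1, 1)))
```

Run as-is, the report marks EDR and MFA as aligned, SIEM as a consolidation candidate, and flags two gaps: the acquirer has no vulnerability-management tool and the acquired entity has no email gateway. The gap list is the roadmap input; the consolidation list, ordered by contract expiry, is where the "do-what-makes-sense" decisions get scheduled.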
Addressing the New Risk Profile
One of the most immediate concerns post-merger is the heightened risk profile. Sieg describes this as a pivotal focus: “Day one is all about identifying red flags—unpatched vulnerabilities, exposed systems, or any other risks that could compromise security. You don’t have time to wait. It’s head-down work to ensure systems are secure and operational.”
He highlights the need for collaboration with the acquired entity’s security teams: “You need to understand their biggest risks and fears quickly.