Securing a Hospital Acquisition: A 90-Day Cyber Risk Plan for Mergers & Acquisitions

In this high-stakes environment, the first 90 days are critical to gain control of the new environment, protect patient data, and lay a foundation for long-term security. 

This plan outlines a phased approach to quickly secure a newly acquired hospital, methodically addressing urgent risks from Day 0 through Day 90 post-acquisition. The roadmap is broken into three phases:

Phase 1: Day 0–30 - Rapid Visibility & Containment

Speed is essential. The first month is about illuminating every corner of the new IT environment and plugging in obvious security gaps. Attackers often strike during this chaotic transition, so defense must move fast.

• Full Asset Discovery
  • Identify 100% of assets, information, servers, PCs, laptops, legacy medical equipment, IoT devices, applications, user accounts.
  • Hospitals joining via M&A often have outdated or unmanaged devices (aka “Shadow IT”) never inventoried under enterprise standards.
  • Deploy automated scanning tools and network mappers to rapidly build an asset inventory.
• Immediate Identity Lockdown
  • Compromised credentials are a top attack vector in healthcare breaches, and M&A churn leaves identity gaps.
  • Enforce multi-factor authentication (MFA) for all user logins, especially remote access and privileged accounts.
  • Don’t forget service accounts and generic accounts, these may need to be adjusted or closely monitored.
• Network Segmentation of Critical Systems
  • New hospitals bring new network pathways, some less secure. Implement or tighten segmentation quickly.
  • Isolate high-risk networks, legacy EHR infrastructure, older operating systems, and medical devices that can’t be patched.
  • This prevents a single compromised device from cascading across the enterprise.
• Initial HIPAA Risk Analysis
  • Don’t wait until after full integration to assess compliance. HIPAA requires covered entities to conduct an accurate and thorough risk analysis of PHI confidentiality and security (45 CFR §164.308(a)(1)), and regulators penalize organizations for failing to do this promptly.
  • In the first 30 days, perform an accelerated HIPAA Security Risk Analysis focused on the acquired entity.
    • Scope + Speed:
      • Targeted review of the acquired entity’s PHI footprint, how PHI is stored, transmitted, and processed, completed within 30 days.
    • Safeguard Evaluation:
      • Rapid assessment of administrative, physical, and technical controls using HIPAA and NIST 800-30/800-66 frameworks:
        • Encryption protocols (at rest/in transit)
        • Role-based access to EHR and PHI systems
        • Incident response plans and breach notification readiness
    • Methodology:
      • Leverage existing asset inventories, conduct stakeholder interviews, and use risk scoring to prioritize findings. Include:
        • Threat likelihood and impact ratings
        • Mapping to HIPAA Security Rule standards
        • Use of templates or automation to accelerate documentation
    • High-Risk Identification:
      • Flag critical gaps (e.g., unencrypted backups, default credentials, missing audit logs) for immediate remediation planning.
    • Due Diligence Evidence:
      • Document findings, decisions, and mitigation steps to demonstrate compliance posture to OCR in case of an incident.

By Day 30: You should have a full asset inventory, tighter identity and network controls, and a clear view of the biggest compliance and security gaps. The environment is stabilized, visibility is gained, and immediate risks are contained, setting the stage for deeper risk management.

Phase 2: Day 31–60 - Risk Prioritization & Control Alignment

Integration shifts from triage to careful assessment and planning. Now that you know what you have, it’s time to prioritize risks and align the new acquisition with your enterprise’s security framework.

• Enterprise Risk Analysis (Deep Dive)
  • Use formal risk assessment methodologies to evaluate the hospital’s risks.
  • Analyze threats, vulnerabilities, likelihood, and impact for each scenario.
  • Use a consistent framework, such as the NIST Cybersecurity Framework (CSF) categories: Identify, Protect, Detect, Respond, Recover, to systematically spot gaps across safeguard types. This structured analysis moves you beyond ad-hoc fixes and enables quantification of risk, essential for communicating with executives and allocating resources.
  • By the end, you should have a ranked list of risks with a mitigation roadmap.
• Align Controls and Policies with Standards
  • Begin closing the gap between the acquired hospital’s security controls and your organization’s standards.
  • Update or implement policies and technical controls so the new entity doesn’t remain a weak link.
  • If your enterprise follows NIST SP 800-53 Rev. 5, NIST CSF 2.0 or other frameworks, start bringing the hospital into alignment.
  • NIST emphasizes Governance and Supply Chain Risk, ensure the hospital adopts governance practices (risk committee meetings, executive oversight) and assesses critical suppliers.
  • In 2025, CMS’s ARC-AMPE framework (Acceptable Risk Controls for ACA, Medicaid, and Partner Entities) became the gold standard for healthcare organizations in federal programs, replacing MARS-E. ARC-AMPE mandates 402 security and privacy controls aligned with NIST SP 800-53 Rev. 5, a significant uplift (2).
  • If ARC-AMPE compliance is in scope (e.g., Medicaid/ACA systems), start mapping controls to ARC-AMPE’s baseline (2). This may mean implementing new controls like enhanced audit logging, stricter data access governance, or privacy impact assessments.
• Vendor and Partner Risk Triage
  • Acquisitions inherit a web of third-party relationships, health information exchanges (HIE), billing companies, device maintenance providers.
  • In 2025, business associates were involved in over one-third of major health data breaches, representing 42% of affected patient records.
  • Conduct a rapid vendor risk assessment for all critical third parties. Identify which vendors have network access or handle sensitive data.
  • Verify up-to-date security attestations (SOC 2, HITRUST) or recent risk assessments.
  • Pay special attention to health information exchange connections or others that interface with patient data.
  • If a vendor looks risky, consider isolating or pausing their access until remediation.
• Continuous Monitoring and Anomaly Detection
  • In Phase 1, you rolled out basic monitoring tools. Now, double down on continuous monitoring.
  • Ensure endpoints and network feeds report into your Security Information and Event Manager (SIEM) and/or Security Operations Center.
  • Establish baseline behaviors, typical hours, normal data flows, so anomalies are easier to spot.
  • Deploy endpoint detection and response (EDR) agents on newly integrated endpoints to catch suspicious processes or lateral movement.
  • Turn on cloud monitoring such as a cloud access security broker (CASB) or cloud logging. Identity analytics to watch for unusual account activity. 

By Day 60: You should have a solid grasp of the risk landscape and a clear action plan. Risks are prioritized, the security program is aligned, third-party defenses are shored up, and active monitoring is in place. Integration is moving from assessment to execution, laying the groundwork for full integration and resilience (4).

Phase 3: Day 61–90 Integration & Resilience

The final stretch focuses on long-term integration and resilience. Most urgent gaps have been identified, and interim protections are in place. Now unify operations and fortify the combined entity to withstand ongoing cyber threats as a single, coordinated enterprise. 

• Unified Logging and SIEM Integration
  • Merge the hospital’s logs and security telemetry into your centralized SIEM or logging platform.
  • Work with IT to establish log forwarding from all hospital systems, EHR databases, domain controllers, virtual private network (VPN) gateways, HVAC controllers, into the main security operations center (SOC) SIEM.
  • If the hospital uses a different SIEM, decommission or connect those systems.
  • Integrate threat intelligence feeds and detection rules to ensure consistent and proactive analytics.
• Incident Response Playbook Consolidation
  • Merging organizations means merging incident response (IR) processes. Any mismatch can be disastrous during a real incident.
  • Consolidate and update IR playbooks and teams. Bring together the hospital’s IR team with your own and create a single playbook for common scenarios.
  • Run tabletop exercises or simulations to walk through joint incident scenarios.
  • The outcome: one unified incident response plan covering the entire organization, so everyone knows their role under pressure.
• Business Continuity and Disaster Recovery (BCDR) Validation
  • Cyber resilience isn’t just about stopping attacks; it’s about recovering if one succeeds.
  • In the final 30 days, spotlight BCDR testing involved the new hospital .
  • Test worst-case scenarios in a controlled way. Examples include:
    • Simulated ransomware attack locking out EHR access
    • Sudden data center outage during peak patient volume
    • Communication failure between hospital and cloud-based lab systems
  • Exercises should include clinical leadership; cyber incidents directly affect patient care.
  • Test emergency downtime procedures. If separate data centers or cloud services exist, ensure there’s a plan if those fail (3).
• Security Policy Harmonization & Training
  • Solidify the human element of integration. By now, policies are likely updated; ensure they’re rolled out to new staff.
  • Provide targeted security awareness training to employees of the acquired hospital, orienting them to your organization’s policies and expectations.
  • Update compliance and evidence collection under frameworks like ARC-AMPE or HIPAA.
  • If auditors come knocking, the new hospital should produce the same evidence (risk assessment reports, training records) as the rest of the enterprise. 

Bottom Line: A hospital acquisition doesn’t have to mean a cyber crisis. With a clear, phased strategy, you can rapidly bring a new facility up to par with your security standards, protect sensitive data from day one, and satisfy regulators that you’re managing risk proactively. With the 90-day framework above, you can take charge of the narrative and ensure that growth of your health system doesn’t equate to growth in breach risk.

Coalfire’s Healthcare GRC Advisory team has extensive experience guiding health systems through such transitions. We help operationalize HIPAA risk analyses, enterprise risk assessments, and frameworks like ARC-AMPE into actionable roadmaps for security improvement and regulatory compliance. 

Reach out to our Healthcare GRC Advisory team to learn how we can support your journey. Let’s ensure your next merger leads to greater strength, not greater risk, in your cybersecurity posture.