Cyber Risk Is a Deal Risk: What Health Care Investors Need to Know Now
By John Santana, CISSP, CCSFP, CHQP
Private equity investors pride themselves on identifying value others overlook. But in health care, one of the most material risks to operational performance, regulatory compliance, and long-term value is often missed—or underestimated. That risk is cybersecurity.
For many portfolio companies, cyber threats don’t show up in the profit-and-loss statement until after they’ve detonated. But when they do, the impact can be staggering: ransomware that halts care delivery, breaches that trigger multimillion-dollar regulatory scrutiny, and data loss that irreversibly damages trust among patients, vendors, and customers. This isn’t a theoretical risk anymore; it’s a systemic one, and it’s growing more sophisticated by the month.
Over the past 3 years, I’ve had the opportunity to assess dozens of health care organizations backed by private equity including—but not limited to—middle-market physician and specialty practice groups, dental service organizations, pharmaceuticals, digital health and health IT entities, and contract research and contract manufacturing organizations. While each operates in a different niche with significant risk profile variance, the themes that emerge are consistent: rapid growth, limited to no dedicated cybersecurity governance, and exposure that’s far greater than most investors realize.
From Technical Risk to Material Threat
Cybersecurity is often viewed as a line item on the IT budget. But in a health care context, it’s far more than that. When core clinical systems go offline, procedures get delayed. When sensitive data are compromised, brand equity and patient trust erode. These are not hypothetical risks; they are investment risks.
Health care continues to top the charts as the most targeted and most expensive sector for cyber incidents. In 2024 alone, over 275 million health records were exposed, with breach costs averaging over $10 million per incident. These figures only account for direct costs, not the secondary effects on valuation or exit timelines.
What makes health care especially vulnerable, among other things, is its rapidly expanding digital footprint. With more data being shared across more platforms—from remote patient monitoring tools to cloud-based electronic health records and multiple layers of downstream subcontractors—the attack surface grows exponentially.
Meanwhile, many portfolio companies operate with legacy systems, under-resourced IT teams, and limited internal controls.
The Weakest Links Are Often the Most Overlooked
Among the most common gaps I’ve seen is the absence of structured cybersecurity governance and risk management programs. Procedures and controls are applied ad hoc, with little to no formal documentation and no grounding in an established industry cybersecurity framework, such as the National Institute of Standards and Technology (NIST), 405(d), or HITRUST.
One of the most consistent weak points across all sectors? Data protection and loss prevention (DLP), or the total lack thereof. This isn’t just about compliance—it’s about visibility and control. Organizations frequently struggle with data classification, handling, retention, and destruction policies. Tools for detecting the unauthorized movement of sensitive data—whether involving clinical trial results, proprietary intellectual property, or patient identifiers—are either misconfigured or missing entirely. This lack of oversight greatly increases the risk of unnecessary data hoarding, unintentional or malicious data leakage, and potential noncompliance with vendor/customer master services or business associate agreements.
Even companies not formally regulated under the Health Insurance Portability and Accountability Act (HIPAA) may be handling valuable information that adversaries are more than happy to monetize. The absence of oversight can create a false sense of immunity. If anything, those unregulated corners of the ecosystem often harbor the greatest vulnerabilities.
The New Breach Economy
Investor-backed companies are particularly attractive to threat actors. Their growth trajectories often outpace their internal controls. They’re publicly visible, well-funded, and eager to avoid reputational fallout. In short, they’re more likely to pay.
Even public announcements about new deals can unintentionally serve as breadcrumbs for attackers. Press releases about strategic acquisitions, new platforms, or leadership transitions are often the first data points threat actors use to build impersonation campaigns and phishing lures.
Ransom demands are rising in parallel. One recent study cited an average health care ransom demand of $2.5 million, with actual payments often exceeding $500,000. But that’s just the starting point. Downtime, investigation costs, reputational damage, and operational disruption multiply the cost and the complexity.
What Investors Can Do Differently
So, how should investors respond?
First, cyber risk must move from a due diligence footnote to an ongoing component of value protection. Portfolio monitoring should include cybersecurity posture as a core metric, alongside financials, compliance, and quality outcomes.
Second, investors should push for formal adoption of cybersecurity frameworks tailored for health care. One federally recognized example outside of NIST is the Health Industry Cybersecurity Practices (HICP), commonly known as 405(d). It offers scalable, practical controls across key areas like email protection, identity access management, incident response, and data loss prevention. It’s not just good practice—it is what regulators are looking at as they shape future policy.
Finally, assess whether incident response and business continuity plans are real, tested programs that account for multiple scenario types (vendor outages, ransomware, business email compromise, etc.)—not just documents in a binder. Cybersecurity must function like a muscle: it needs to be exercised regularly to be effective under pressure.
A Call for Operational Resilience
Ultimately, the goal isn’t to eliminate risk. That’s impossible. The goal is to reduce exposure, improve response, and build resilience. The same way firms mitigate regulatory or supply chain risks, cyber risk needs a proactive, structured, and repeatable strategy.
If you’re investing in health care, you’re investing in trust. Protecting that trust is no longer just the responsibility of the IT team—it’s a matter of governance, reputation, and long-term value. In today’s climate, ignoring that risk doesn’t just compromise security; it compromises returns.
About the Author
John Santana is a Clearwater Principal Consultant, bringing Clearwater customers extensive experience supporting Healthcare IT Risk Management initiatives. When not engaging clients with their i1 and r2 HITRUST Assessments, John is supporting Digital Health ClearAdvantage Programs through delivering Risk Analysis and Risk Response engagements, as well as providing overall Program Leadership and Governance support. John works regularly with HIPAA, NIST, HITRUST, and 405(d).
© 2025 HMP Global. All Rights Reserved.
Any views and opinions expressed are those of the author(s) and/or participants and do not necessarily reflect the views, policy, or position of Integrated Healthcare Executive or HMP Global, their employees, and affiliates.