Becker Private Equity & Business Podcast: Cybersecurity in Healthcare Private Equity
Featuring John Santana, Principal Consultant at Clearwater Security
Release Date: May 13, 2025
Introduction to John Santana and Clearwater Security
In this episode of the Becker Private Equity & Business Podcast, host Scott Becker welcomes John Santana, Principal Consultant at Clearwater Security. Celebrating over 7 million downloads and topping Apple’s business news charts, the podcast delves into the intricacies of private equity and business. John Santana brings invaluable expertise in assessing cybersecurity risks within private equity firms' healthcare portfolios.
John Santana [00:55]: "Now I'm on the Joe Rogan of Business podcast."
John provides an overview of Clearwater Security, highlighting its evolution from a HIPAA-focused risk advisory firm to the largest pure-play healthcare cybersecurity and compliance provider. With a dedicated team serving integrated delivery networks, digital health, health IT companies, physician practice management groups, law firms, and private equity firms specializing in healthcare, Clearwater has significantly expanded its services over the past five years.
John Santana [01:03]: "We've really evolved in the last five years, especially into a full-blown security services provider."
Unique Cybersecurity Challenges in Healthcare Private Equity
Scott Becker initiates the discussion by probing into the distinct cybersecurity challenges faced by private equity firms investing in healthcare.
Scott Becker [02:28]: "When you look at private equity firms that invest in healthcare, what kind of unique cybersecurity challenges do they face?"
John Santana explains that the healthcare sector's "highly nuanced regulatory complexities" make cybersecurity particularly challenging. Unlike industries with more uniform regulatory frameworks, healthcare portfolios often consist of diverse entities—ranging from pharmaceutical startups to large Dental Service Organizations (DSOs)—each with unique business models and compliance requirements.
John Santana [02:28]: "Healthcare is truly unique... dealing with FDA requirements, HIPAA compliance... creates those unique healthcare challenges."
This diversity necessitates tailored cybersecurity strategies that address the specific needs and regulatory obligations of each portfolio company.
Cybersecurity Due Diligence Before Closing Healthcare Investments
The conversation shifts to the critical role of cybersecurity due diligence in the investment process.
Scott Becker [03:54]: "How should private equity firms approach cybersecurity due diligence before closing a healthcare investment?"
John emphasizes that cybersecurity should no longer be an afterthought or a mere checklist item within broader IT diligence processes. Given the alarming increase in data breaches—277 million records breached last year alone—a dedicated and comprehensive approach to cybersecurity assessment is imperative.
John Santana [03:54]: "It's not good enough to just have a couple of cybersecurity questions... We need dedicated cybersecurity diligence."
He advocates for a deep dive into cybersecurity controls, evaluating not just technological measures but also the resources and capabilities of the target companies. Developing a nuanced cybersecurity strategy that aligns with the overall IT strategy is crucial "before the deal's even closed."
Post-Investment Governance Structures and Risk Management
Once an investment is secured, maintaining robust cybersecurity governance becomes paramount. Scott Becker asks about effective strategies for ongoing risk management.
Scott Becker [05:24]: "What governance structures or risk management strategies should be implemented to monitor and improve cybersecurity?"
John outlines a multi-faceted approach:
- Adoption of a Formal Cybersecurity Framework: If one is not already in place, establishing a recognized framework is the first step.
- Establishing Minimum Standards: Implementing baseline security measures and enforcing them across every portfolio company, including:
  - Security Awareness and Training: Including phishing simulations to mitigate ransomware and business email compromise risks.
  - Vulnerability Management and Penetration Testing: Regular assessments to identify and remediate weaknesses.
  - Incident Response Programs: Documented protocols for detecting, containing, and reporting breaches.
  - Business Continuity and Disaster Recovery Plans: Ensuring organizational resilience when systems are unavailable.
John Santana [05:24]: "Developing what those minimum standards are and looking to enforce that across the board."
- Portfolio-Level Monitoring: Utilizing a common assessment framework (e.g., the HHS 405(d) Health Industry Cybersecurity Practices) to gauge the cybersecurity maturity of each portfolio company on a comparable scale and tailoring recommendations accordingly.
Centralized vs. Decentralized Cybersecurity Approaches
The debate between centralized and decentralized cybersecurity management is a focal point of the discussion.
Scott Becker [07:32]: "For private equity funds with diverse healthcare investments, what's the prevailing wisdom on centralized versus decentralized cybersecurity approaches?"
John acknowledges that "no two firms are the same" and that both centralized and decentralized models have their merits. He advocates for collaboration and resource sharing among security leaders across portfolio companies to enhance efficiency and effectiveness.
John Santana [07:32]: "I would encourage collaboration and resource sharing where it makes sense between the Portco security leadership."
Key recommendations include:
- Regular Meetings for Security Leaders: Facilitating the exchange of best practices and solutions to common challenges.
- Vendor Consolidation and Bulk Pricing: Leveraging collective bargaining power to reduce costs.
- Building Internal Security Capabilities: Ensuring that private equity firms, which handle sensitive information, maintain robust internal security measures.
John stresses that centralized approaches shouldn't equate to micromanagement but rather focus on establishing nuanced baselines and consistent security standards across the portfolio.
John Santana [07:32]: "Centralized entails micromanagement but in reality can be a lot more nuanced and a lot more subtle of a baseline."
Current Focus and Future Outlook
As the episode wraps up, John Santana shares his current priorities and aspirations for the future.
Scott Becker [10:34]: "What are you most focused on and excited about this year?"
John highlights the success and expansion of Clearwater's portfolio monitoring program, launched in 2022. The Change Healthcare breach acted as a catalyst, accelerating demand for robust cybersecurity measures within the private equity space. The growing client base has allowed Clearwater to build a significant data set that reveals trends in incident response capabilities, data protection, and overall security governance across portfolio companies.
John Santana [10:34]: "I'm just really excited to continue to work through these program cycles, continue to identify more trends, and ultimately get our clients to a more secure, resilient and compliant state."
He also mentions the publication of a trend report, which aggregates data across various companies to identify top risk areas, reinforcing the importance of continuous assessment and adaptation in cybersecurity strategies.
Conclusion
Scott Becker concludes the insightful conversation by commending John Santana and Clearwater Security for their leadership in the cybersecurity realm within private equity and healthcare.
Scott Becker [13:12]: "What an amazing job Clearwater Security has done... thank you so much for your leadership."
John Santana reciprocates the gratitude, emphasizing the collaborative efforts required to enhance cybersecurity resilience across healthcare investments.
Key Takeaways:
- Healthcare's Unique Cybersecurity Landscape: Diverse entities within healthcare portfolios require tailored cybersecurity strategies due to varied regulatory requirements.
- Comprehensive Due Diligence: Cybersecurity assessments should be thorough and integral to the investment process, not treated as ancillary.
- Governance and Continuous Monitoring: Post-investment, establishing robust governance structures and ongoing monitoring is essential for maintaining cybersecurity resilience.
- Collaborative Approaches: Whether centralized or decentralized, fostering collaboration and resource sharing among portfolio companies can enhance cybersecurity effectiveness and efficiency.
- Data-Driven Insights: Leveraging aggregated assessment data to identify trends and improve security measures is pivotal for advancing overall portfolio security.
This episode underscores the critical role of specialized cybersecurity strategies in safeguarding healthcare investments within private equity portfolios, highlighting Clearwater Security's pivotal contributions to this field.
