
In this episode, John Santana, Principal Consultant at Clearwater Security, joins Scott Becker to discuss the evolving cybersecurity landscape in healthcare private equity. He shares best practices for due diligence, post-acquisition risk management,
Scott Becker
This is Scott Becker with the Becker Private Equity and Business podcast. Thrilled this past week to pass 7 million downloads and to get to a spot where we've been ranked, for the last couple of weeks, at the very top of the Apple business news chart rankings. We're excited today to be joined by John Santana. John is a principal consultant at Clearwater Security and he focuses on private equity firms assessing their cybersecurity risks across their portfolio of healthcare investments. He's also served as lead author on the cyber risk benchmark trend report on healthcare PE that Clearwater recently published. John, can I ask you to take a moment to tell us a bit about yourself and about Clearwater?
John Santana
Yeah, thanks for having me on, Scott, and congratulations on those impressive metrics. You got me all nervous. Now I'm on the Joe Rogan of Business podcast.
Scott Becker
No, no, no, no. You're fantastic and no reason to be nervous and God bless you. Tell us a little about yourself and Clearwater Security.
John Santana
Yeah, so I've been at Clearwater going on four years now. I'm a principal consultant there and I lead our private equity services delivery and our digital health and health IT team. And Clearwater is the largest pure-play healthcare cybersecurity and compliance firm, tailored just to serving the healthcare industry. I mean, we have verticals serving integrated delivery networks, digital health and health IT companies, and physician practice management groups. And yeah, we also work directly with law firms and private equity firms specializing in healthcare. You know, our genesis, we really started off more in the risk advisory and compliance space as HIPAA wizards, if you will. And we've really evolved in the last five years, especially, into a full-blown security services provider. You know, I've been along for that ride and that transformation. And it's been really fantastic watching the firm evolve and growing with it personally. So yeah, it's been a great run.
Scott Becker
We've had a chance to watch Clearwater grow over the years. It's impressive what you folks have done. When you look at private equity firms that invest in healthcare, they acquire healthcare organizations, what kind of unique cybersecurity challenges do they face? And how do these risks differ than some of those in other industries?
John Santana
Absolutely. Well, I mean, the short answer is the highly nuanced regulatory complexities, right? I mean, some of these portfolios will have a pharma startup, a contract research organization, a revenue cycle management company, and then a big old DSO with 500, 900 locations. And every single one of these companies has totally unique business cases, totally unique challenges, and totally unique regulatory requirements. So it creates quite the firestorm very quickly on what the right-sized fix looks like for each company. And I'd say healthcare is pretty unique in that regard versus other industries, right? I mean, with a portfolio of retail companies, they all have unique cases, but they're all making the same widgets and they all have to file the same financial reporting, for example. But healthcare is truly unique, right? I mean, with those pharma companies and med device companies, they have to deal with the maelstrom of FDA requirements. And then if you're a provider, you have to make sure you're HIPAA compliant. So those highly nuanced regulatory complexities are what create those unique healthcare challenges.
Scott Becker
Thank you. And take a moment and talk about how should private equity firms approach cybersecurity due diligence before closing a healthcare investment? And are there common pitfalls to avoid too?
John Santana
Yeah, absolutely. So historically what we've seen is that cybersecurity has been just a footnote or, you know, a couple of side questions within more generalized and broad IT operations diligence. And we're really working hard to change that. I mean, in this environment where last year there were 277 million records breached and the year before that over 160 million records breached, it's not good enough to just have a couple of cybersecurity questions at the end of your IT ops diligence. Right. We really need dedicated cybersecurity diligence, looking at cybersecurity controls, not just reading from a checklist, but doing a proper deep dive on cybersecurity posture, resources, capabilities, outside of just technology naming, and really developing a nuanced cybersecurity strategy that's going to complement the IT strategy and build those cybersecurity components into that investment model, into that equation, you know, before the deal's even closed.
Scott Becker
Thank you. And another question. Once an investment is made, once a private equity fund invests in a health care company, what governance structures or risk management strategies should be implemented to monitor and improve cybersecurity? How do you do that going forward?
John Santana
Yeah, absolutely. So starting with the basics, if a formal cybersecurity framework hasn't been adopted, stop what you're doing and do that first. And then really at the firm level, looking at adopting a set of minimum standards or a benchmark. And that could be very unique and nuanced based on the blend of the portfolio. But things like security awareness and training, like the phishing simulations, which can help get your workforce up to snuff so you don't get hit by a ransomware attack or, you know, just a big phishing attack that could lead to email compromise; vulnerability management and penetration testing; developing an incident response program; business continuity and disaster recovery policies and procedures. That's basic blocking and tackling stuff that's applicable to any organization, regardless if you're a startup or a multimillion dollar a year provider or health company, et cetera. Right. So developing what those minimum standards are and looking to enforce that across the board, and then from there, right, developing that portfolio-level monitoring. So in our case, right, we use a common assessment framework. We're big fans of 405(d) over here. Assessing each portfolio company to get a handle on the relative maturity of each organization, and then really going deeper than that and developing tailored recommendations, that tailored roadmap, to better improve the cybersecurity maturity commensurate with each unique organization.
Scott Becker
Thank you. And take a second: for private equity funds that have lots of different investments in the healthcare portfolio, a centralized approach to cybersecurity or a decentralized one? What's the common prevailing wisdom, what advice do you have on that, and how much do people take a centralized approach versus the decentralized approach?
John Santana
Yeah, this is a fun one, right? No two firms are the same as far as how centralized or decentralized they are. I mean, a lot of it does come down to personal preference, and I've seen both work out pretty well. But some things that I would encourage would be collaboration and resource sharing where it makes sense between the Portco security leadership. So we see this all the time where all the CEOs get together and all the CFOs get together. Well, do the same thing with the CISOs and the security managers and your security leadership across the portfolio. Chances are they're dealing with at least one or many of the same compliance and technical pain points. Right. Maybe one portfolio company just upgraded all of their Microsoft licensing, another one still needs to do that, and they can help do some resource sharing there. Maybe one portfolio company is really emblematic of a specific best practice. Right. Maybe one just has their DLP program, the data loss prevention program, just absolutely nailed and they have full enterprise DLP. Well, you know, share those best practices with the rest of the class. Right. So I would encourage a semi-regular meeting of those security leaders where they can bounce ideas off one another and share in the glory, share in the pain, and ultimately work together. And you know, there's other efficiencies that can be unlocked there too, Scott. So right there, there's all kinds of potential cost savings that could be realized through vendor consolidation and vendor sharing. I'm not saying to put everybody on the same tenant, but perhaps looking at bulk pricing on certain services or some of those things that I mentioned that everybody needs to do; there's some potential cost saving opportunities there by finding the right vendor. Those are a couple elements. But another direction I take that too is PE firms should absolutely build out their own internal security capabilities to an extent. Right.
I mean, they're dealing with a lot of personally identifiable information. Right. They're not necessarily providers, but they are still dealing with a fair amount of sensitive information. So they should be drinking their own Kool-Aid there, so to speak, if they're going to be mandating requirements for the rest of the portfolio. Centralized sort of entails micromanagement, but in reality it can be a lot more nuanced and a lot more subtle of a baseline. Again, kind of getting back to those minimum standards, or establishing that centralized, agreed-upon security framework and just measuring against that and applying requirements where it makes sense, ultimately.
Scott Becker
Thank you very, very much and take a moment. John, just to wrap up, what are you most focused on and excited about this year? As we get to the second half of this year, where are you most focused and excited?
John Santana
Yeah, so you know, when I think about our portfolio monitoring program, I mean, we really started making this a dedicated service back in 2022 and, you know, had some good luck right off the bat with that and some good traction. But really the, you know, the Change Healthcare breach was sort of a catalyst event in the space, in the industry, and a lot of firms that we'd been talking to but couldn't quite get traction with now said, oh my gosh, this is crazy, we need to do something about this. So really in the last couple of years, and since Change, our portfolio and the number of private equity firms we're working with has grown quite a bit. And the exciting thing there is, as we continue with these ongoing assessment cycles and this ongoing management, we're building a heck of a data set, and the more time that passes, two things. A, it's great watching all the portfolio companies that I'm working with get more mature and actually seeing those results cycle over cycle; that brings me a lot of joy. But two, working with so many different companies now and having that data set and that pool of companies only continue to grow, we're able to see some really interesting trends. And that's really the thinking behind that trend report that we put out earlier this year. That was really the first of its kind, because we were able to aggregate a lot of data across a lot of different companies, a lot of different types of companies, and we were able to really sort of identify some general findings and top areas of risk across the board. So a couple of those were around incident response capabilities, data loss prevention, and just overall having good security policies and governance. So I won't jump too much into that. I mean, we certainly can, but all of the meat and potatoes there are available in that report.
But all that to say I'm just really excited to continue to work through these program cycles, continue to identify more trends, and ultimately get our clients to a more secure, resilient and compliant state.
Scott Becker
Thank you very, very much, John. What a pleasure to visit with you. What an amazing job Clearwater Security has done. Thank you so much for your leadership in the cybersecurity space with private equity funds. Again, we're joined today by John Santana. Just fantastic. John, thank you for joining us today on the Becker Private Equity and Business podcast. Thank you very, very much.
John Santana
Thank you for having me.
Becker Private Equity & Business Podcast: Cybersecurity in Healthcare Private Equity
Featuring John Santana, Principal Consultant at Clearwater Security
Release Date: May 13, 2025
In this episode of the Becker Private Equity & Business Podcast, host Scott Becker welcomes John Santana, Principal Consultant at Clearwater Security. Celebrating over 7 million downloads and topping Apple’s business news charts, the podcast delves into the intricacies of private equity and business. John Santana brings invaluable expertise in assessing cybersecurity risks within private equity firms' healthcare portfolios.
John Santana [00:55]: "Now I'm on the Joe Rogan of Business podcast."
John provides an overview of Clearwater Security, highlighting its evolution from a HIPAA-focused risk advisory firm to the largest pure-play healthcare cybersecurity and compliance provider. With a dedicated team serving integrated delivery networks, digital health, health IT companies, physician practice management groups, law firms, and private equity firms specializing in healthcare, Clearwater has significantly expanded its services over the past five years.
John Santana [01:03]: "We've really evolved in the last five years, especially into a full-blown security services provider."
Scott Becker initiates the discussion by probing into the distinct cybersecurity challenges faced by private equity firms investing in healthcare.
Scott Becker [02:28]: "When you look at private equity firms that invest in healthcare, what kind of unique cybersecurity challenges do they face?"
John Santana explains that the healthcare sector's "highly nuanced regulatory complexities" make cybersecurity particularly challenging. Unlike industries with more uniform regulatory frameworks, healthcare portfolios often consist of diverse entities—ranging from pharmaceutical startups to large Dental Service Organizations (DSOs)—each with unique business models and compliance requirements.
John Santana [02:28]: "Healthcare is truly unique... dealing with FDA requirements, HIPAA compliance... creates those unique healthcare challenges."
This diversity necessitates tailored cybersecurity strategies that address the specific needs and regulatory obligations of each portfolio company.
The conversation shifts to the critical role of cybersecurity due diligence in the investment process.
Scott Becker [03:54]: "How should private equity firms approach cybersecurity due diligence before closing a healthcare investment?"
John emphasizes that cybersecurity should no longer be an afterthought or a mere checklist item within broader IT diligence processes. Given the alarming increase in data breaches—277 million records breached last year alone—a dedicated and comprehensive approach to cybersecurity assessment is imperative.
John Santana [03:54]: "It's not good enough to just have a couple of cybersecurity questions... We need dedicated cybersecurity diligence."
He advocates for a deep dive into cybersecurity controls, evaluating not just technological measures but also the resources and capabilities of the target companies. Developing a nuanced cybersecurity strategy that aligns with the overall IT strategy is crucial "before the deal's even closed."
Once an investment is secured, maintaining robust cybersecurity governance becomes paramount. Scott Becker asks about effective strategies for ongoing risk management.
Scott Becker [05:24]: "What governance structures or risk management strategies should be implemented to monitor and improve cybersecurity?"
John outlines a multi-faceted approach:
Adoption of a Formal Cybersecurity Framework: If not already in place, establishing a recognized framework is the first step.
Establishing Minimum Standards: Implementing baseline security measures across the portfolio, such as security awareness training with phishing simulations, vulnerability management and penetration testing, an incident response program, and business continuity and disaster recovery policies and procedures.
Portfolio-Level Monitoring: Assessing each portfolio company against a common assessment framework (Clearwater uses 405(d)) to gauge its relative maturity, then developing tailored recommendations and a roadmap for each organization.
John Santana [05:24]: "Developing what those minimum standards are and looking to enforce that across the board."
The debate between centralized and decentralized cybersecurity management is a focal point of the discussion.
Scott Becker [07:32]: "For private equity funds with diverse healthcare investments, what's the prevailing wisdom on centralized versus decentralized cybersecurity approaches?"
John acknowledges that "no two firms are the same" and that both centralized and decentralized models have their merits. He advocates for collaboration and resource sharing among security leaders across portfolio companies to enhance efficiency and effectiveness.
John Santana [07:32]: "I would encourage collaboration and resource sharing where it makes sense between the Portco security leadership."
Key recommendations include:
Regular Meetings of Security Leaders: Semi-regular sessions for portfolio CISOs and security managers to compare pain points and share best practices, such as a mature enterprise DLP program, just as CEOs and CFOs already meet.
Vendor Consolidation: Bulk pricing and shared vendors for services every portfolio company needs, without forcing everyone onto a single tenant.
Internal Security Capabilities at the Firm: The PE firm itself handles sensitive information and should meet the requirements it mandates for its portfolio companies.
John stresses that centralized approaches shouldn't equate to micromanagement but rather focus on establishing nuanced baselines and consistent security standards across the portfolio.
John Santana [07:32]: "Centralized entails micromanagement but in reality can be a lot more nuanced and a lot more subtle of a baseline."
As the episode wraps up, John Santana shares his current priorities and aspirations for the future.
Scott Becker [10:34]: "What are you most focused on and excited about this year?"
John highlights the success and expansion of Clearwater's portfolio monitoring program, launched in 2022. The Change Healthcare breach acted as a catalyst, accelerating the demand for robust cybersecurity measures within the private equity space. The growth in client base has allowed Clearwater to amass a significant data set, unveiling interesting trends related to incident response capabilities, data protection, and overall security governance.
John Santana [10:34]: "I'm just really excited to continue to work through these program cycles, continue to identify more trends, and ultimately get our clients to a more secure, resilient and compliant state."
He also mentions the publication of a trend report, which aggregates data across various companies to identify top risk areas, reinforcing the importance of continuous assessment and adaptation in cybersecurity strategies.
Scott Becker concludes the insightful conversation by commending John Santana and Clearwater Security for their leadership in the cybersecurity realm within private equity and healthcare.
Scott Becker [13:12]: "What an amazing job Clearwater Security has done... thank you so much for your leadership."
John Santana thanks Scott for having him on the podcast.
Key Takeaways:
Healthcare's Unique Cybersecurity Landscape: Diverse entities within healthcare portfolios require tailored cybersecurity strategies due to varied regulatory requirements.
Comprehensive Due Diligence: Cybersecurity assessments should be thorough and integral to the investment process, not treated as ancillary.
Governance and Continuous Monitoring: Post-investment, establishing robust governance structures and ongoing monitoring is essential for maintaining cybersecurity resilience.
Collaborative Approaches: Whether centralized or decentralized, fostering collaboration and resource sharing among portfolio companies can enhance cybersecurity effectiveness and efficiency.
Data-Driven Insights: Leveraging amassed data to identify trends and improve security measures is pivotal for advancing overall portfolio security.
This episode underscores the critical role of specialized cybersecurity strategies in safeguarding healthcare investments within private equity portfolios, highlighting Clearwater Security's pivotal contributions to this field.