Why cybersecurity due diligence should be part of every healthcare acquisition—and how to do it without hitting your operational P&L
Most healthcare executives treat cybersecurity as a cost center. Jeff DeBellis treats it as transaction protection.
As COO of MAX Surgical Specialty Management, DeBellis oversees aggressive M&A growth—adding 11-12 new facilities annually. Each acquisition brings operational upside. It also brings cybersecurity risk.
"Security can be a huge gap and tremendous risk, unbeknownst to the buyer," DeBellis warns. His solution? Embed cybersecurity assessment directly into M&A workflows.
When you acquire a healthcare practice, you inherit more than patient lists and equipment. You inherit their security vulnerabilities, their data breaches, and their compliance failures.
"Whatever happened at the practice before we partnered with it becomes our liability," DeBellis explains. "Unless we document it properly."
Most acquirers discover security problems after closing. By then, it's too late to negotiate protection. DeBellis surfaces security problems during due diligence, when he can still protect MAX Surgical's interests.
MAX Surgical's framework is simple: After signing the Letter of Intent, Black Talon Security conducts a comprehensive cybersecurity assessment before closing.
"Black Talon is part of our post-LOI workflow," DeBellis says. "Their security assessments inform the legal disclosures we include in acquisition documents, which limits our liability."
This assessment covers:
The findings become part of the acquisition documentation, creating legal protection for whatever security debt existed before the transaction.
Here's DeBellis's smartest move: "It's transactional-related so it doesn't hit our operational P&L." By structuring security assessments as transaction expenses rather than operational costs, MAX Surgical gets comprehensive due diligence without impacting operating margins. The cost gets allocated to the deal itself, not to ongoing business operations.
This matters for private equity-backed companies where operational efficiency drives valuation. Security due diligence protects the transaction without degrading operational metrics.
DeBellis doesn't stop at assessment. Once MAX Surgical acquires a practice, Black Talon provides immediate security integration.
"We use all of Black Talon's available technology across all our points of access: end-user nodes, connections, servers, and email systems. The full suite, including training."
This comprehensive onboarding includes:
The result? New acquisitions get enterprise-grade security from day one, eliminating the vulnerability window that often follows healthcare transactions.
DeBellis's security framework delivers three critical benefits:
Transaction protection. "It created a layer of protection specific to IT security and bringing new partners on board." MAX Surgical can acquire aggressively without accumulating security debt from legacy practices.
Scalability without security drag. As MAX Surgical has grown, "our financial commitments have scaled. And the security standards expected by our finance relationships have scaled accordingly." The framework scales with growth rather than constraining it.
Operational reliability. "The systems have mitigated a ton of risk. When something gets through, the response rate and call to action to resolve problems are exceptional."
Healthcare acquisitions face unique security challenges. You're acquiring practices that handle Protected Health Information (PHI), face HIPAA compliance requirements, and represent attractive targets for cybercriminals.
A data breach at a newly acquired practice doesn't just create liability. It damages your entire platform's reputation and puts other locations at risk.
DeBellis's framework prevents this by:
Healthcare executives pursuing M&A growth can adapt DeBellis's approach:
Make security assessment mandatory in your LOI workflow. Don't wait until after closing to evaluate cybersecurity. Build the assessment into your standard due diligence process, right after signing the Letter of Intent.
Structure it as a transaction expense, not operational cost. Keep security due diligence off your operational P&L by allocating it to the deal itself. This protects operating margins while delivering comprehensive assessment.
Use findings for legal protection and remediation planning. Document all security gaps in acquisition agreements. This creates liability protection while establishing a clear remediation roadmap for post-closing integration.
DeBellis emphasizes finding the right security partner for M&A work. "If you're going through M&A, involving [a qualified security partner] in post-LOI diligence workflow is essential."
Look for partners who:
"You get tremendous value on both the transactional and maintenance sides," DeBellis notes. "And you can understand at a moment's notice where you stand relative to real threats to your entire infrastructure."
Most healthcare executives view cybersecurity as an operational expense. Jeff DeBellis proves it can be a strategic asset that actually enables growth.
By embedding security assessment into M&A workflows, structuring it as a transaction expense, and using findings for legal protection, MAX Surgical transforms cybersecurity from acquisition risk into acquisition protection.
The framework is simple. The results are powerful. And for healthcare platforms pursuing aggressive growth, it's becoming essential.
"Security can be a huge gap and tremendous risk, unbeknownst to the buyer," DeBellis warns. Don't let it be yours.