4-Step Strategy for Onboarding Senior Care Acquisitions

Consolidation through mergers and acquisitions is a fact of life in long-term, post-acute care (LTPAC). A typical scenario is a large, multi-facility operator buying a freestanding facility or small chain of facilities, bringing economies of scale that can make the acquired facilities more profitable. Part of what is acquired is the technology infrastructure. We’re often asked to come in as the technology consultant as part of these transactions. We help the acquirer understand what they’re getting and create a roadmap for shifting the operations from the old umbrella to the new. Allow us to share the benefit of our experience.

1. Start with a Thorough Inventory

Even if the seller has inventory records, inevitably, something gets overlooked. Often, there are items that were never documented. Services and providers might have been switched without the records ever being updated. Put together a very thorough list of categories of items to be considered, from computers to network infrastructure to service providers. Think from a process perspective as well: How is data being backed up? What about remote access? This can lead you to items that might be otherwise missed.

Then, sit down with someone from the seller’s organization who can help you work through the list to gain a fuller picture of the inventory. A good approach is to start from the perspective of the service-point entrance and work through the various segments of the network. What services actually come into the building? Typically, there is, at minimum, Internet, phone and television from one or more service providers that go to a network room. From there, how do the services propagate out to the rest of the environment? What is the network layout? Finally, arrive at the end nodes and take into consideration the OS, systems accessed and the software and licenses involved.

2. Don’t Overlook Anything: Do an Onsite Analysis

Even with a detailed inventory, items get overlooked. Going onsite will fill in the gaps — and undoubtedly, there will be gaps to find. Sometimes, you may find items that individual departments installed without the knowledge of the IT department, or network closets that were nearly forgotten. Many facilities were not originally built with IT requirements in mind, so network infrastructure can be behind unmarked doors or in other unexpected locations. Once, we found a forgotten and critical medical alert server hidden behind a potted plant. Another time, there was an entire wing with several dozen wireless access points, but the points were hidden in the drop ceiling and were not included with the inventory.

Ask for administrator credentials to log in to the systems. Check network speeds and talk with IT and end-users to understand what the environment is like.

3. Clarify What’s Going to Get Transferred

When it comes to transferring IT assets, sellers have different policies. To limit their exposure to compliance issues raised post-sale, some will pull all end-user systems and servers offsite before the new owner takes over. Others transfer the computing hardware, but wipe the systems clean. Still others are willing to leave everything as-is, and simply turn the keys over. Even if the computing assets will remain in place, it is likely that the acquirer will be switching to new EHR and other clinical systems, as well as business systems, to put the organizational efficiencies into place that they expect to realize. The pre-existing hardware and systems might not be up to the task. Bottom line? No two onboarding scenarios are alike, so make sure both sides are clear on expectations.

4. Develop a Transfer Plan

Given the above, some difficult operational and financial decisions might need to be made. The decision to retain the pre-existing equipment or replace it has to be balanced against the financial realities of the upfront costs, alongside the operational downsides of systems that can’t meet performance standards.

Above all, LTPAC, senior care and skilled nursing facilities deliver care 24/7. There is no option to shut things down for a weekend to make the switch, as might be possible in some other industries. Making older equipment work could be a false economy, because it typically involves workarounds or finding fixes for systems that are past support. That means the transition takes longer and front-line care workers need to contend with more downtime or even resort to paper charting. All of this needs to be accounted for to arrive at a transfer plan that makes operational and financial sense, adheres to regulations, and preserves continuity of care.

At FIT Solutions, we’ve done dozens of onboarding projects and have complete systems and procedures in place for streamlining IT transfers in merger and acquisition scenarios. We account for the business realities and care-delivery issues, as well as the IT aspects. And since every scenario is different, we never stop learning, refining and improving our methodology. If you’re considering an acquisition, let us pave the path for you. Give us a call at 888-339-5694.

Ransomware Wakeup Call: 4 Tips to Protect Yourself

It’s a sad fact that criminals often prey on the most vulnerable. This was proven true in the ransomware attacks that impacted LTPAC facilities during November. Not only were the facility operators victimized, but sudden lack of access to medical records profoundly impacted their ability to care for patients and residents.

This incident was first reported by journalist and investigative reporter Brian Krebs. More than 100 facilities were impacted, and the ransomware cut off access to critical systems, including access to patient records, client billing, phone systems, internet service and email. The scope of the attack was audacious. The threat to people’s lives was deplorable. But most galling to us, as IT service providers, is that the incident was so preventable. More on that below.

Why Healthcare is Such a Tempting Target

In this case, the perpetrators were identified as a Russian gang, an adversary well-known among security experts. What’s clear here is that criminals don’t care that their actions could actually endanger people’s lives. They go after healthcare because lives are at stake, and they know that many healthcare organizations don’t have extra dollars around to invest in security.

Smaller and mid-size organizations are often the targets of choice. Health systems serving smaller communities, community hospitals, group medical practices, specialty centers, rehabilitation providers and dental practices have all been ransomware targets. Some have even had to close their doors after an attack.

A Few Ounces of Prevention Can Go a Long Way

Here are some of the ransomware prevention measures that we recommend and put in place for our clients. These are standard security practices, and aren’t necessarily more expensive than what you’re doing right now.

  1. Enact an anti-ransomware group policy on computers. Use a Windows Group Policy Object that prevents unknown executable files from running in temporary folders or in the AppData folder. Almost every single ransomware variant we have seen runs from one of these locations.
  2. Segregate cloud resources. Use a provider that can deliver a private hybrid cloud — not a public cloud where your data and applications are pooled with those of other companies. That protects your company in case another becomes infected with ransomware. You don’t want their problem becoming your problem—and everybody else’s.
  3. Separate backups from network shares. The ultimate protection against ransomware is maintaining regular and up-to-date backups so you can restore from them if an attack encrypts your data and makes it unreadable. But don’t store your backups on your network, accessible through a mapped drive, or the attack could compromise your backups, too.
  4. Bolster your endpoint protection. We’re presuming you already have antivirus in place. Because ransomware is a targeted attack, the criminals take care to alter their executable files, so signature-based antivirus isn’t very effective. Consider switching to an endpoint protection product that employs a “defense in depth” strategy rather than just relying on signatures.
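
Before enforcing a policy like the one in tip 1, it helps to see which launches it would stop. The following is an added example, not code from FIT Solutions or from Windows itself: a simplified rule matcher run over constructed process-start records, with the rule patterns, the Teams exception, the `C:` drive layout and all host and file names as assumptions.

```python
import ntpath
import re

# Assumed path rules in the spirit of tip 1 (constructed, not from a real GPO).
BLOCK_RULES = [r"%AppData%\*.exe", r"%AppData%\*\*.exe", r"%LocalAppData%\*.exe",
               r"%LocalAppData%\Temp\*.exe", r"%LocalAppData%\Temp\*\*.exe",
               r"%WinDir%\Temp\*.exe"]
# Hypothetical exception for software that legitimately installs under AppData.
ALLOW_RULES = [r"%LocalAppData%\Microsoft\Teams\current\Teams.exe"]
# Per-user variables become "any profile" patterns; drive C: is an assumption.
ENV = {"%appdata%": r"c:\\users\\[^\\]+\\appdata\\roaming",
       "%localappdata%": r"c:\\users\\[^\\]+\\appdata\\local",
       "%windir%": r"c:\\windows"}

def rule_to_regex(rule):
    """Translate one rule; here * never crosses a backslash (a simplification)."""
    parts = re.split(r"(%[^%]+%|\*)", rule.lower())
    body = "".join(ENV.get(p) or (r"[^\\]*" if p == "*" else re.escape(p)) for p in parts)
    return re.compile(body)

BLOCK = [rule_to_regex(r) for r in BLOCK_RULES]
ALLOW = [rule_to_regex(r) for r in ALLOW_RULES]

def verdict(image_path):
    """Classify one process image path; normalise slashes, '..' and case first."""
    p = ntpath.normpath(image_path).lower()
    if any(r.fullmatch(p) for r in ALLOW):
        return "allow (exception)"
    return "would block" if any(r.fullmatch(p) for r in BLOCK) else "allow"

def audit(events):
    """Group would-be-blocked launches by host, for review before enforcement."""
    hits = {}
    for host, image in events:
        if verdict(image) == "would block":
            hits.setdefault(host, []).append(ntpath.basename(image))
    return hits

# Constructed process-start records (host, image path); not real telemetry.
SAMPLE_EVENTS = [
    ("NURSE-WS01", r"C:\Program Files\EHR\client.exe"),
    ("NURSE-WS01", r"C:\Users\jdoe\AppData\Local\Temp\invoice_scan.exe"),
    ("BILLING-02", r"C:\Users\asmith\AppData\Roaming\updater.exe"),
    ("BILLING-02", r"C:\Users\asmith\AppData\Local\Microsoft\Teams\current\Teams.exe"),
    ("ADMIN-03", r"C:/Users/kim/AppData/Local/Temp/7zS4A1/setup.exe"),
    ("ADMIN-03", r"C:\Users\kim\Documents\..\AppData\Roaming\tool.EXE")]

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

The `setup.exe` hit is the kind of result such an audit is for: an installer unpacked into a temp subfolder would be stopped too, so it needs an exception or a different install path before the policy is enforced.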

At FIT Solutions, we supply IT services to many senior care organizations including assisted living and LTPAC facilities. We urge you to implement the tips above; you can do them yourself. Of course, if you’d like help, you can always call us at (888) 339-5694. We’d be happy to partner with you to protect your organization from ransomware.
