Pre-Acquisition Due Diligence

Mergers and acquisitions are complicated endeavors. As consolidation accelerates in healthcare the need for efficient and effective practice acquisition is critical. At Keystone, we understand the challenges and concerns associated with successful practice acquisition and we have created a solution to help you address these challenges. 

With Keystone’s Pre-Acquisition Due Diligence service your organization will:  improve knowledge transfer, reduce the number of unknown variables that could impact project success, further mitigate the inherent risks associated with M&A activities, and leave the acquired practice feeling confident in your organization’s ability to lead them through a successful transition.  


Stability and reliability of IT systems – Does the environment consist of and run on enterprise class equipment? Are there connectivity and uptime problems occurring? Are users often or intermittently kicked off the network or particular servers and applications? 

Performance and usability of IT systems – Are there any problems associated with system performance? Are system limitations causing user experience and productivity problems? Is server and/or network equipment at capacity on specifications and resources? 

Data protection – What backup solution is in place? Does that solution backup all critical data and systems? Do local and remote backups exist? What is the current Recovery Point Objective (RPO) and Recovery Time Objective (RTO)?

Security and compliance – What is the current risk level of the practice? Is there a recent, properly completed Security Risk Assessment (SRA) on file? Are there policies and procedures missing or just generally not being followed and enforced? Are physicians and staff regularly trained and updated on HIPAA? What technology solutions are being used to protect the practice’s infrastructure and the patients’ data?  

Tech debt in the acquired environment – Are there servers and network equipment that are over 5 years old? Are there any systems within the generally accepted 3-5 year useful life range? How old are the workstations and other end user devices? 

Keystone has developed a solution to address these concerns through a Pre-Acquisition Due Diligence assessment to fully review the environment of a practice being considered for acquisition. During this assessment, Keystone will execute on the following:

  1. Conduct a Backup of all ePHI
  2. Conduct a Network Assessment
  3. Conduct a Server Assessment
  4. Evaluate the integrity of legacy patient data
  5. Review of Third-Party IT Vendors
  6. Conduct HIPAA Security Risk Assessment (SRA)
Pre-Acquisition Due Diligence Scope

Backups – In consideration of Disaster Recovery and Business Continuity procedures and safeguards, Keystone will conduct a review of current backup policies and procedures. Keystone will document a list of necessary corrective actions to be performed to mitigate any risk discovered. In addition to the review, Keystone will execute a full system backup upon your request.  Due to this being conducted as a pre-acquisition task, Keystone can, upon request, hold backups in escrow. Keystone, as a third party, will not grant access to this data to the acquiring entity until after the acquisition is complete. Should the acquisition fall through, Keystone will destroy the backup copy according to NIST standards.

Network Assessment – Keystone will conduct a network assessment to inventory, analyze, and document the current infrastructure configuration. Keystone will examine the following elements:

  1. Physical Equipment
    • Inventory of devices and identify what is in and out of warranty/support
    • Firmware versions and what devices are and are not up-to-date
    • Environment conditions such as power sources and HVAC
    • Interface utilization, up/down state, errors, and port configuration settings
  2. Layer 2 (Switching)
    • Assess the quality of VLANs (such that large VLANS are not spanning out of industry standards)
    • Assess the quantity of VLANs (such that they are properly aligned and categorized)
  3. Layer 3 (Routing)
    • Identify routing domains and complexity
    • Assess routing protocols in use and which devices are running them
    • Assess subnets and IP addressing with no scopes that are nearly full

Server Assessment – Keystone will conduct a server assessment to inventory, analyze, and document the current server hardware, software, and respective workloads for all hardware and software. Keystone will examine the following elements:

  1. Review Inventory
    • Document physical servers’ makes and models
    • Document physical and virtual servers’ configurations (i.e.: host names, operating systems, and resource allocations)
    • Assess resources and their proper allocation assignments (i.e.: CPUs, RAM, and hard disk drives)
  2. Review Performance
    • Assess CPU, RAM, and hard disk drive utilization and performance
    • Measure CPU, memory, disk, IO utilization, and peak time
    • Document problems associated with any discovered mis-utilizations

EHR data integrity evaluation – Keystone will be conducting data validation on the practice’s EHR database. This process checks to see if the EHR is operating on clean, correct, and useful data. We will review database rules, tables, references, process schedules, and security. Several tests will be conducted, including:

  1. Data consistency check
  2. Data duplicate check
  3. Data type validation
  4. Range and constraint validation
  5. Code and cross-reference validation
  6. Structured validation

Third Party Vendor Review – Keystone will review third party vendor contracts, roles, responsibilities, and contract termination/notification. We will review established vendors and document missing Business Associate Agreements (BAAs). Specific data will be documented and validated such as the Internet Service Provider’s (ISP’s) circuit, hosting provider’s Service Level Agreements (SLAs) with respect to resolving outages, and any scope of services of contracted managed service providers.

HIPAA Security Risk Assessment (SRA) – Keystone will conduct an SRA that consists of the software-based forensics and reporting tools that we will run on your system and a policy review consisting of the following elements:

  1. Define SRA scope.  The scope of the analysis must take into account all ePHI, regardless of the source or location or the way it is created, received, maintained or transmitted.  No matter where or how it exists, it must be included in the analysis and documented as such.  Since the practice will ultimately join BJC Medical Group, pre-existing security policies will not be reviewed.
  2. Document the location where PHI is stored, received, maintained or transmitted.
  3. Identify and document reasonably anticipated threats to PHI.
  4. Assess and document security measures currently in place.
  5. Document threat and vulnerability combinations with associated likelihood that may impact confidentiality, availability and integrity of ePHI.
  6. Document potential impacts associated with the exploit of the defined vulnerabilities.
  7. Assign risk levels or ratings for threat and vulnerability combinations.
  8. Document a list of corrective actions to be performed to mitigate each risk.

By employing this Pre-Acquisition Due Diligence strategy all potential technology-related risks to the practice and to the acquiring entity will be mitigated, critical information will be collected to ensure a successful server and data migration to the cloud, and the acquiring entity will gain a competitive advantage in its ability to transition acquired practices in a more seamless and professional manner.