3rd Party Risk Management , Cloud Security , Electronic Healthcare Records

Oracle Deal to Buy Cerner: Privacy, Security Considerations

Security Experts Offer Initial Assessment of Planned Acquisition's Pros, Cons
Oracle Deal to Buy Cerner: Privacy, Security Considerations

Oracle announced on Monday that it plans to acquire healthcare technology vendor Cerner Corp. in an all-cash deal valued at $28.3 billion, which is expected to close by the end of 2022. But what are the potential health data privacy and security implications?

See Also: A Single Solution For Today's MFA and SSO Challenges

The purchase of Kansas City, Missouri-based Cerner, a major provider of electronic health records and other digital information systems used within hospitals and healthcare delivery networks, would be Oracle's largest acquisition to date.

“With this acquisition, Oracle’s corporate mission expands to assume the responsibility to provide our overworked medical professionals with a new generation of easier-to-use digital tools that enable access to information via a hands-free voice interface to secure cloud applications," Larry Ellison, Oracle chairman and CTO, says in a statement.

"This new generation of medical information systems promises to lower the administrative workload burdening our medical professionals, improve patient privacy and outcomes, and lower overall healthcare costs.”

David Feinberg, president and CEO of Cerner, says in the statement that joining Oracle as a dedicated industry business unit provides Cerner "an unprecedented opportunity to accelerate our work modernizing electronic health records, improving the caregiver experience, and enabling more connected, high-quality and efficient patient care."

Cautious Optimism

As first glance, some experts say that they don't expect any immediate operational changes for Cerner customers in terms of HIPAA business associate relationships. "Cerner may continue to operate as a wholly owned subsidiary of Oracle, so there may not be an immediate effect on contracts," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

If anything, Oracle will bring increased interoperability and scaling, and likely added redundancy for Cerner customers, says technology attorney Steven Teppler, partner and cybersecurity/privacy chair at law firm Sterlington PLLC. "This may turn out to be a positive development," he says.

"Oracle is no stranger to cybersecurity, and while no cloud provider is totally free from cyberattack and compromise, we hear fewer cybersecurity incidents arising out of misconfigured Oracle cloud instances than some of its competitors in the space," he says.

The question that remains is whether Oracle buys Cerner for the business or for the data Cerner collects, and to what extent, if any Oracle itself intends to do - i.e., monetize - with the massive amount of data it will now inherit, he says. "Even if this information is pseudonymized or totally anonymized, risks remain."

Other experts offer similarly positive - but cautious - assessments.

"Oracle is a very large, very sophisticated, institution with both history and experience doing extremely sensitive work for the government and the private sector with deep expertise around cybersecurity and privacy, so no, no concerns out of the gate, just high expectations," says Mac McMillan, CEO of privacy and security consultancy CynergisTek.

"With the sensitivity of the EHR and its critical role in patient care and safety, I’m sure Oracle will move deliberately and carefully when addressing changes or enhancements," he says.

"Oracle has the potential of transforming what we know as an EHR today, but the big question will be; Will it make sense or work well with healthcare’s workflows and the realities of human interaction of care?"

AI Focus

Since the 1990s, Oracle has made several attempts to acquire Cerner, says Scott Stuewe, CEO of DirectTrust, who previously spent 24 years at Cerner, most recently as director of national interoperability strategy. DirectTrust is best known for creating and maintaining the Direct protocol and trust framework for secure email in healthcare.

Oracle’s acquisitions have historically been focused on two broad sets of synergistic interests - companies that build infrastructure and development tools (such as Sun Microsystems) and companies with client server technology stacks using Oracle products, he says. "Cerner mostly falls in the latter category along with prior substantial application developer acquisitions like PeopleSoft, Siebel and NetSuite."

Oracle’s recent intense focus on AI and its public announcement of the Cerner deal suggest that the innovations the acquisition would enable first would be in the area of AI-assisted workflows, Stuewe says. "This is credible based upon the new combined portfolio and could have positive impacts for Cerner clients in terms of usability and the power of technology to impact the quadruple aim."

In terms of privacy and security, Oracle seems one of the least concerning of the potential companies that might have acquired Cerner, Stuewe says.

"Cerner’s data business has little in common with the majority of companies in the Oracle portfolio by comparison to the rest of the big tech sector," he says. "Cerner is a DirectTrust accredited member and has always exemplified a strong commitment to the privacy and security of data. I imagine this is unlikely to change."

Other Deals

Oracle's acquisition of Cerner is among other recent deals this year by mainstream technology vendors attempting to expand their presence in vertical industries, including the healthcare sector.

For instance, in April, Microsoft Corp. announced it was acquiring cloud-based speech technology and artificial intelligence vendor Nuance Communications in an all-cash transaction valued at $19.7 billion (see: Microsoft to Buy Nuance Communications for $19.7 Billion).

Nuance is probably best known in the healthcare sector for its cloud-based medical transcription services and speech recognition.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.