John Santana

Appearances

Becker Private Equity & Business Podcast

Cybersecurity in Healthcare Private Equity: Insights from Clearwater’s John Santana 5-13-25

108.092

And we've really evolved in the last five years, especially into a full-blown managed security services provider business. I've been along for that ride and that transformation, and it's been really fantastic watching the firm evolve and growing with it personally. So, yeah, it's been a great run.

148.763

Absolutely. Well, I mean, the short answer is the highly nuanced regulatory complexities, right? I mean, some of these portfolios will have a pharma startup, a contract research organization, a revenue cycle management company, and then a big old DSO with 500, 900 locations. And every Totally unique business cases, totally unique challenges, and totally unique regulatory requirements.

177.089

So it creates quite the firestorm very quickly on what does the right-sized fix look like for each company. And I'd say healthcare is pretty unique in that regard versus other industries, right? I mean, with a portfolio of retail companies, they have unique cases, but they're all making the same widgets and they all have to file the same financial reporting, for example.

199.217

But healthcare is truly unique, right? I mean, with those pharma companies and med device companies, they have to deal with the maelstrom of FDA requirements. And then if you're a provider, you have to make sure you're HIPAA compliant. So those highly nuanced regulatory complexities are what create those unique healthcare challenges.

234.147

Yeah, absolutely. Historically, what we've seen is that cybersecurity has been just a footnote or a couple of side questions within more generalized and broad IT operations diligence. We're really working hard to change that.

253.399

I mean, in this environment where last year there were 277 million records breached and the year before that over 160 million records breached, it's not good enough to just have a couple of cybersecurity questions at the end of your IT ops diligence, right? We really need dedicated cybersecurity diligence and looking at cybersecurity controls, not just reading from a checklist

280.827

But doing a proper deep dive on cybersecurity posture, resources, capabilities, right outside of just technology naming and really developing a nuanced cybersecurity strategy that's going to complement the IT strategy and build in those cybersecurity components into that investment model, into that equation, you know, before the deal's even closed.

324.689

Yeah, absolutely. So starting with the basics, if a formal cybersecurity framework hasn't been adopted, stop what you're doing and do that first. And then really at the firm level, looking at adopting a set of minimum standards or a benchmark. And that could be very unique and nuanced based on the blend of the portfolio. But things like security awareness and training, right?

354.354

Like the phishing simulations, which can help get your workforce up to snuff so you don't get hit by a ransomware attack or, you know, just a big phishing attack that could lead to email compromise.

366.601

Vulnerability management and penetration testing, developing an incident response, incident response program, business continuity, disaster recovery policies, procedures, basic blocking and tackling stuff. That's applicable to any organization, regardless if you're a startup or a multimillion dollar company. a year provider or social health company, et cetera, right?

389.8

So developing what those minimum standards are and looking to enforce that across the board. And then from there, right, developing that portfolio level monitoring. So in our case, right, we use a common assessment framework. We're big fans of 405D over here.

412.361

assessing each portfolio company to get a handle on the relative maturity of each organization, and then really going deeper than that and developing tailored recommendations, that tailored roadmap to better improve the cybersecurity maturity commensurate with each unique organization.

452.558

Yeah, this is a fun one, right? No two firms are the same as far as how centralized or decentralized they are. I mean, a lot of it does come down to personal preference. And I've seen both work out pretty well, but some things that I would encourage would be collaboration and resource sharing, where it makes sense, between the Portco security leadership.

46.294

Yeah. Thanks for having me on, Scott. And congratulations on those impressive metrics. You got me all nervous now. I'm on the Joe Rogan of business podcasts.

477.494

So we see this all the time where all the CEOs get together and all the CFOs get together. Well, do the same thing with the CISOs and the security managers and your security leadership across the portfolio. Chances are they're dealing with at least one or many of the same compliance and technical pain points, right? Maybe one portfolio company just upgraded all of their Microsoft licensing.

503.195

Another one still needs to do that, and they can help do some resource sharing there. Maybe one portfolio company is really emblematic of a specific best practice, right? Maybe one just has their DLP program, the Data Protection Loss Prevention Program, just absolutely nailed, and they have full enterprise DLP. Well, share those best practices with the rest of the class, right?

527.596

So I would encourage a semi-regular meeting of those security leaders where they can bounce ideas off one another and share in the glory, share in the pain, and ultimately win, work together. And there's other efficiencies that can be unlocked there too, Scott. So there's all kinds of potential cost savings that could be realized through vendor consolidation and vendor sharing.

549.253

I'm not saying put everybody on the same tenant, but perhaps looking at that bulk pricing on certain services or, you know, some of those things that I mentioned that everybody needs to do, right? There's some potential cost saving opportunities there by finding the right vendor.

565.63

So, you know, those are a couple elements, but another direction I take that to is, you know, PE firms should absolutely build out their own internal security capabilities to an extent, right? I mean, they're dealing with a lot of personally identifiable information, right? They're not necessarily providers, but they are still dealing with a fair amount of sensitive information.

586.385

So they should be drinking their own Kool-Aid there, so to speak, if they're going to be mandating requirements for the portfolio. But centralized sort of entails micromanagement, but in reality can be a lot more nuanced and a lot more complex Subtle of a baseline.

605.427

Again, kind of getting back to those minimum standards or establishing that centralized and agreed upon security framework and just measuring against that and applying the requirements where it makes sense ultimately.

63.154

Yeah, so I've been at Clearwater going on four years now. I'm a principal consultant there, and I lead our private equity services delivery in our digital health, health IT team. And Clearwater is the largest pure play healthcare cybersecurity compliance firm tailored just to serving the healthcare industry.

634.19

Yeah, so when I think about our portfolio monitoring program, I mean, we really... started making this a dedicated service back in 2022 and had some good luck right off the bat with that and some good traction. But really the Change Healthcare breach was sort of a catalyst event in the space and industry.

660.159

And a lot of firms that we were talking to, but couldn't quite get traction with, now said, oh my gosh, this is crazy. We need to do something about this. So really in the last couple, a couple of years and since Change, our portfolio and the number of private equity firms we're working with has grown quite a bit.

680.099

And the exciting thing there is as we continue with these ongoing assessment cycles and this ongoing management, we're building a heck of a data set. And the more time that passes, A, two things. A, it's great watching all the portfolio companies that I'm working with get more mature and actually seeing those results cycle over cycle. That brings me a lot of joy.

705.453

But two, working with so many different companies now and having that data set and that pool of companies only continuing to grow, we're able to see some really interesting trends. And that's really the thinking behind that, that trend report that we put out earlier this year, that was really the first of its kind.

723.764

Cause we were able to aggregate a lot of data across a lot of different companies, a lot of different types of companies. And we're able to really sort of identify some like general findings and top areas of risk across the board. So yeah,

739.087

A couple of those were around incident response capabilities, data protection, loss prevention, and just overall just having good security policies and governance. So I won't jump too much into that. I mean, we certainly can, but all of the meat and potatoes there are available in that report.

757.813

But all that to say, I'm just really excited to continue to work through these program cycles, continue to identify more trends, and ultimately get results, get our clients to a more secure, resilient, and compliant state.

83.702

I mean, we have targeted teams and verticals serving integrated delivery networks, digital health, health IT companies, and physician practice management groups. And yeah, we also work directly with law firms and private equity firms specializing in health care. You know, our genesis, we really started off more in the risk advisory compliance space as HIPAA wizards, if you will.