|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We recognize the critical importance of developing, implementing and maintaining robust cybersecurity measures and processes that are designed to safeguard our information systems and to assess, identify and manage material risks from cybersecurity threats.
The fundamental controls of our cybersecurity program are based around the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). We engage qualified third-party consultants and advisors to conduct risk and vulnerability assessments to evaluate our systems and to advise us on cybersecurity risk management processes. We maintain a robust vulnerability-management program to evaluate our systems on a monthly basis, and we prioritize remediation efforts based on risk level and criticality of the system or data. We conduct comprehensive penetration testing with external consultants on our enterprise environment and our own products on at least an annual basis.
Cybersecurity risk management is an integral part of our technology modernization program. It is integrated into our business, as well as the broader software and digital environment. Our technology modernization program will move many of our core applications to industry-specific healthcare cloud solutions that offer robust, HIPAA-compliant data security capabilities and tools. Our modernization plans revolve around simplifying our technology estate to reduce technical debt, automate security functions, and enable applications to take full advantage of best-practice cloud security capabilities.
Our cybersecurity risk management process includes assessment of third-party service providers, suppliers and other business partners’ ability to maintain compliance with our cybersecurity requirements, including review of Service Organization Control Type 2 (“SOC 2”) reports and security controls. Our onboarding process for any third-party service provider includes execution of a business associate agreement that defines the service provider’s responsibility to notify us in the event of any known or suspected cyber incident.
We maintain a thorough business continuity and resilience program designed to ensure our operations will withstand significant disruption and minimize impact on our patients and employees in the face of a significant challenge. Using standards developed by Disaster Recovery Institute International (DRII), we regularly conduct a business impact analysis to determine risk level, assess impact severity and prioritize business processes based on company needs.
As part of our monitoring process, we perform tabletop exercises at least annually to test our current plans. These cross-functional exercises involve employees from multiple departments and are designed to gain perspective, collect feedback and validate plan effectiveness. The information obtained from the business impact analysis, exercises and testing is utilized to update contingency plans for each department.
While we have experienced cybersecurity incidents and expect to continue to be subject to such incidents, to date, we have not experienced any cybersecurity incidents that have materially affected our business strategy, results of operations or financial condition. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, including our business strategy, results of operations, or financial condition, as further described in Part I, Item 1A, "Risk Factors" of this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk management is an integral part of our technology modernization program. It is integrated into our business, as well as the broader software and digital environment. Our technology modernization program will move many of our core applications to industry-specific healthcare cloud solutions that offer robust, HIPAA-compliant data security capabilities and tools. Our modernization plans revolve around simplifying our technology estate to reduce technical debt, automate security functions, and enable applications to take full advantage of best-practice cloud security capabilities.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The Audit Committee of the Board of Directors oversees our cybersecurity and risk management programs, and receives updates from our Information Security and Compliance teams regarding the effectiveness of these programs on a quarterly basis. These reports include descriptions of security incidents and observed trends in threat activity, new programs and tooling designed to address developing areas of risk, and performance reporting of third-party testing, including security awareness training and cybersecurity assessments. The full Board of Directors has general oversight of the Company’s risk management programs, which include cybersecurity risks, and the Audit Committee provides regular reports to the full Board of Directors related to cybersecurity matters and related risk oversight.
The Company’s Director of Information Security reports to our Chief Information Officer. Our Director of Information Security is responsible for our cybersecurity program, develops and publishes security policies and procedures, and reports to the Audit Committee on the effectiveness of our security program. Our Director of Information Security has 25 years of technology leadership experience, including 19 years directly overseeing cybersecurity programs in the healthcare device manufacturing industry, and holds the Certified Information Systems Security Professional (CISSP) certification. Our Director of Information Security is responsible for the Company’s Information Security Awareness Program, which includes security training for new hires and ongoing education for all staff, including annual refresher training and periodic bulletins regarding security risks. Security awareness email testing is performed on a monthly basis, with employee performance reported to management for inclusion in performance evaluations. Our Director of Information Security also performs risk assessments of third-party partners, including reviews of SOC 2 reports.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee of the Board of Directors oversees our cybersecurity and risk management programs, and receives updates from our Information Security and Compliance teams regarding the effectiveness of these programs on a quarterly basis. These reports include descriptions of security incidents and observed trends in threat activity, new programs and tooling designed to address developing areas of risk, and performance reporting of third-party testing, including security awareness training and cybersecurity assessments. The full Board of Directors has general oversight of the Company’s risk management programs, which include cybersecurity risks, and the Audit Committee provides regular reports to the full Board of Directors related to cybersecurity matters and related risk oversight.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company’s Director of Information Security reports to our Chief Information Officer. Our Director of Information Security is responsible for our cybersecurity program, develops and publishes security policies and procedures, and reports to the Audit Committee on the effectiveness of our security program. Our Director of Information Security has 25 years of technology leadership experience, including 19 years directly overseeing cybersecurity programs in the healthcare device manufacturing industry, and holds the Certified Information Systems Security Professional (CISSP) certification. Our Director of Information Security is responsible for the Company’s Information Security Awareness Program, which includes security training for new hires and ongoing education for all staff, including annual refresher training and periodic bulletins regarding security risks. Security awareness email testing is performed on a monthly basis, with employee performance reported to management for inclusion in performance evaluations. Our Director of Information Security also performs risk assessments of third-party partners, including reviews of SOC 2 reports.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Company’s Director of Information Security reports to our Chief Information Officer
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Director of Information Security has 25 years of technology leadership experience, including 19 years directly overseeing cybersecurity programs in the healthcare device manufacturing industry, and holds the Certified Information Systems Security Professional (CISSP) certification
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company’s Director of Information Security reports to our Chief Information Officer. Our Director of Information Security is responsible for our cybersecurity program, develops and publishes security policies and procedures, and reports to the Audit Committee on the effectiveness of our security program. Our Director of Information Security has 25 years of technology leadership experience, including 19 years directly overseeing cybersecurity programs in the healthcare device manufacturing industry, and holds the Certified Information Systems Security Professional (CISSP) certification.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true