Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|The Global Information Security Program Office is responsible for overseeing information security and privacy assurance. As part of the FME25 Program, we established the first unified Global Cybersecurity Operations Center. Our goal is to continuously respond to changes in the global security landscape through consistent monitoring and analysis practices.
During 2024, we successfully delivered the key initiatives outlined in our security roadmap, including improving our risk management and global cybersecurity operations. We increased our cybersecurity effectiveness by implementing strategic initiatives focused on cybersecurity governance, risk and compliance, cyber operations, third-party risk and data security programs. For example, we have implemented a new IT risk and compliance platform, allowing us to consolidate all risk management and internal audit monitoring and remediation. Additionally, we have completed our roll-out of a unified endpoint detection and response system, providing a single security view of our network.
In managing and measuring performance as part of our global cybersecurity program, we have adopted the standards set out in the globally recognized NIST Cyber Security Framework. These standards guide our activities in identifying, protecting, detecting, responding to and recovering from cybersecurity incidents.
In 2024, we continued to update and implement new policies and controls based on the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. Additionally, we engage third-party experts to assess the effectiveness of our framework implementation and program. We also perform third-party cybersecurity risk assessments for service providers and others outside the organization. For instance, when a third-party vendor is involved in processing personal data, we assess their administrative, physical and technical to evaluate their compliance with our company policies and applicable regulatory requirements.
Employee awareness and training are essential to our ability as a company to thwart cyber-attacks. In 2024, we continued to raise employees’ risk awareness with mandatory, regular online training for all employees and complementary awareness campaigns. We conducted a month-long global campaign to promote cybersecurity awareness among our employees. The event’s primary objective was to apprise our staff members of the measures and protocols in place for the safety of our company, patients and employees in the digital realm. The event also aimed to educate our employees on best practices and steps to mitigate the risks of cyber threats, including techniques and clues to recognize various forms of “phishing” and efforts to deploy viruses and malware in our systems. Our organization increasingly leverages artificial intelligence (AI) and other emerging technologies to improve our patient outcomes and enhance our productivity. It is essential that we maintain the highest level of cybersecurity to safeguard our confidential information, patient health information, personally identifiable information and intellectual property. Recent developments involving AI chat applications have exposed potential risks and vulnerabilities in handling sensitive information. In light of these risks, we have issued guidelines for the appropriate use of AI-powered capabilities to all employees.
In 2023, we engaged external cybersecurity experts to evaluate the effectiveness of our cybersecurity program on a global scale. Based on this analysis, we have made adjustments to our multi-year security roadmap. This roadmap prioritizes our program goals and investments by risk, ensuring that we focus our efforts on the most critical areas of our cybersecurity program.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity program is designed to protect our information, and that of our patients, our business partners and our employees, from unauthorized access, manipulation and data misuse. Cybersecurity is an integral aspect of our enterprise digital program. Our goal is to continuously enhance our global cybersecurity capabilities to safeguard sensitive information and facilitate strategic initiatives. Cybersecurity is part of our overall risk management system. Our Global Internal Audit Department audits a selected number of our technology applications worldwide each year (see Item 4. “Information on the Company — B. Business Overview — Risk management” for further information on this system). We aim to continue to prevent, detect and react to security incidents with layered controls and training programs. In 2024, our privacy, cybersecurity and legal teams collaborated to streamline cyber and privacy incident response procedures. Internal audits are in place to evaluate the effectiveness of our internal controls, identify vulnerabilities in our IT security processes and maintain compliance with our regulatory requirements. We also review and assess internal initiatives that involve the processing of personal data.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
Cyber-attacks or other privacy and data security incidents could disrupt our business and expose us to significant losses, liability and reputational damage.
We and our third-party service providers routinely process, store and transmit large amounts of data in our operations, including sensitive personal information as well as proprietary or confidential information relating to our business or third parties. We may be subject to breaches of the information technology security systems we use both internally and externally with third-party service providers.
Cyber-attacks may penetrate our and our third-party service providers’ security controls and result in the misappropriation or compromise of personal information or proprietary or confidential information, including such information which is stored or transmitted on the systems used by certain of our or their products, to create system disruptions, cause shutdowns (including disruptions to our production plants), or deploy viruses, worms, ransomware, denial-of-service attacks and other malicious software programs that attack our systems. We and our third-party service providers handle the personal information of our patients and beneficiaries, Patient Personal Data (PPD), throughout the U.S. and other parts of the world. We or our third-party service providers may experience a breach under the U.S. Health Insurance Portability and Accountability Act Privacy and Security Rules, the EU’s General Data Protection Regulation and/or other similar laws (Data Protection Laws), including the following events:
Our IT systems have been attacked in the past, resulting in certain patient data being illegally published. For information regarding our cybersecurity risk management and governance, see Item 16K. “Cybersecurity.” For information regarding litigation relating to cybersecurity incidents we experienced in 2023, see note 25 of the notes to the consolidated financial statements included in this report.
When appropriate, we have filed complaints against the unknown attackers with the relevant authorities and we contacted the patients who were affected by the illegal data publication as well as other relevant regulatory agencies and stakeholders. While there has not been any material impact to our financial condition and results of operations as a result of these attacks, future cyber-attacks against our IT systems may result in a loss of financial data or interruptions of our operations that could have a material adverse impact on our business, financial condition and results of operations in the future. The Ukraine War has increased the risk of cyber-attacks against our systems and data.
As we increase the amount of personal information or financial data that we store and share digitally, our exposure to these privacy and data breaches and cyber-attack risks increases (particularly as medical records are a high-value target), including the risk of undetected attacks, damage, loss or unauthorized disclosure or access, and the cost of attempting to protect against these risks also increases. Pursuant to recent legislation, Medicare coverage for telehealth services was extended to March 31, 2025. Commencing April 1, 2025, Medicare coverage for telehealth services will be available principally in rural areas. While the availability of telehealth services is convenient and improves access to medical care, increased reliance on, and utilization of, telemedicine for delivery of health care services could also increase the risk of privacy violations and our vulnerability to data breaches and cyber-attacks. There are no assurances that our security technologies, processes and procedures that we or our outside service providers have implemented to protect personal information and proprietary or confidential information and to build security into the design of our products will be effective. Any failure to keep our information technology systems, financial data and our patients’ and customers’ sensitive information secure from attack, damage, loss or unauthorized disclosure or access, whether as a result of our action or inaction or that of our third-party business associates or vendors that utilize and store such personal information on our behalf, could materially adversely affect our reputation and ability to continue normal operations.
Additionally, such failure could expose us to mandatory public disclosure requirements, litigation and governmental enforcement proceedings, material fines, penalties and/or remediation costs, and compensatory, special, punitive and statutory damages, consent orders and other adverse actions, any of which could have a material adverse impact on our business, financial condition and results of operations.
For additional information regarding risks from cybersecurity threats, see Item 3. “Key information — D. Risk Factors — Risks relating to legal and regulatory matters — Cyber-attacks or other privacy and data security incidents could disrupt our business and expose us to significant losses, liability and reputational damage.” For information regarding a formal request for information from the Hessian Data Protection Authority received by the Company in 2022, as well as lawsuits filed against FME AG related to previously reported cybersecurity incidents, see note 25 of the notes to the consolidated financial statements included in this report.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Risks are monitored and semi-annually reported to the Management Board within our risk management system.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In addition, we have established an AI Oversight Committee which was commissioned by the Management Board.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Routine program updates are provided to our Management Board and we provide a program review for our Supervisory Board on an annual basis.
|Cybersecurity Risk Role of Management [Text Block]
|If necessary, the CISO has direct access to the Management Board. Our Management Board and other executive-level teams are regularly updated on our IT and cybersecurity programs, while our Supervisory Board receives an annual review of the performance of the information security program. We also communicate our top risks and management plans to the Management Board and Supervisory Board.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|We aim to continuously improve our global cybersecurity capabilities to secure sensitive information and support strategic initiatives. We employ a Global Chief Information Security Officer (CISO), who reports to the Global Chief Information Officer (CIO) who in turn reports to the CFO. The CIO and CISO are accountable and responsible for overseeing information security and managing the Global Information Security Program to reduce cybersecurity risk.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our Management Board and other executive-level teams are regularly updated on our IT and cybersecurity programs, while our Supervisory Board receives an annual review of the performance of the information security program. In addition, the Global Information Security Program and Privacy Assurance Office partners with our legal department to jointly manage privacy assurance and records management.
Managing and measuring performance is an integral part of our global cybersecurity program oversight. As noted above, we have adopted the standards of the NIST Cyber Security Framework. This framework is risk-driven and helps us to identify, protect, detect, respond to and recover from cybersecurity incidents.
As part of our cybersecurity roadmap, we set annual maturity targets based on the NIST Cyber Security Framework. We use these metrics to measure our effectiveness in improving risk management and global cybersecurity processes. In 2024, we continued to enhance the effectiveness of our cybersecurity program with a focus on areas such as cybersecurity governance, risk management and cyber operations. The cybersecurity team manages the risk program for IT and Cybersecurity. Our IT and cybersecurity risk reporting follows enterprise risk management methods required by the corporate risk team. This reporting ensures that key IT and cybersecurity risks and management plans are visible to our enterprise risk management committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true