|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have structured our cybersecurity program around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and processes to assess, identify and manage cybersecurity risks. Key components of our strategy include annual and ongoing security awareness
training for employees, advanced detection and monitoring systems, and robust incident response and containment. We actively monitor and investigate both internally discovered and externally reported issues that may compromise our information systems, permitting quick and decisive action when necessary. We also have engaged third-party service providers and have implemented cybersecurity risk management protocols for such parties. For example, all vendors are required to complete our Ongoing Monitoring Assessment Questionnaire, which helps monitor each vendor’s continuing compliance, and we subject our technology vendors to a separate vetting and approval process formally assessing each vendor from a cybersecurity perspective.The Chief Information Security Officer leads a dedicated team of internal IT employees, along with multiple long-term third-party security vendors. Our board of directors, and the Care, Compliance, & Cybersecurity Committee of the board, supports our Chief Information Officer and Chief Information Security Officer by leveraging members’ experience with information technology and management, including information technology strategy and risks associated with cybersecurity matters, as part of its oversight function.
Our policies and procedures concerning cybersecurity matters apply to all employees. These policies and procedures address encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information, and the use of the internet, social media, email and wireless devices.We have experienced threats to our data and systems, including malware and computer virus attacks from time to time. To our knowledge, these threats have not materially affected us, our business, financial position, results of operations or cash flows to date.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have structured our cybersecurity program around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and processes to assess, identify and manage cybersecurity risks. Key components of our strategy include annual and ongoing security awarenesstraining for employees, advanced detection and monitoring systems, and robust incident response and containment. We actively monitor and investigate both internally discovered and externally reported issues that may compromise our information systems, permitting quick and decisive action when necessary.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors has ultimate oversight responsibility but has delegated to the board’s Care, Compliance, & Cybersecurity Committee focused and pertinent oversight duties, which have been integrated into our overall enterprise risk management program, as described below.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors has ultimate oversight responsibility but has delegated to the board’s Care, Compliance, & Cybersecurity Committee focused and pertinent oversight duties, which have been integrated into our overall enterprise risk management program, as described below.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Chief Information Officer provides quarterly reports on our cybersecurity program to the Care, Compliance, & Cybersecurity Committee. These reports include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, company-wide phishing exercises and training, device encryption, device patching, routine resilience efforts including quarterly disaster recovery exercises, tabletop incident response and business continuity exercises. The chairperson of the Care, Compliance, & Cybersecurity Committee briefs the full board of directors on such quarterly reports.
The Chief Information Officer and our Chief Information Security Officer also serve on management’s Enterprise Risk Committee, along with our executive management team, the Chief Compliance Officer, and internal audit personnel. The Enterprise Risk Committee meets regularly during the year to assess various significant risks—including cybersecurity risks—and receives cybersecurity updates in connection with those assessments and the development and implementation of any risk mitigation plans. Our President and Chief Executive Officer presents the report of the Enterprise Risk Committee quarterly to the full board of directors.
|Cybersecurity Risk Role of Management [Text Block]
|Our Chief Information Officer provides quarterly reports on our cybersecurity program to the Care, Compliance, & Cybersecurity Committee. These reports include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, company-wide phishing exercises and training, device encryption, device patching, routine resilience efforts including quarterly disaster recovery exercises, tabletop incident response and business continuity exercises. The chairperson of the Care, Compliance, & Cybersecurity Committee briefs the full board of directors on such quarterly reports.
The Chief Information Officer and our Chief Information Security Officer also serve on management’s Enterprise Risk Committee, along with our executive management team, the Chief Compliance Officer, and internal audit personnel. The Enterprise Risk Committee meets regularly during the year to assess various significant risks—including cybersecurity risks—and receives cybersecurity updates in connection with those assessments and the development and implementation of any risk mitigation plans. Our President and Chief Executive Officer presents the report of the Enterprise Risk Committee quarterly to the full board of directors.
We also maintain an inter-departmental privacy and security committee which oversees programs and initiatives to protect and secure patient information as well as our data and information systems. This committee reports to our executive management team and has responsibility for our IT-security incident response plan and various training and awareness programs that promote patient privacy and system security practices by employees.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Chief Information Officer provides quarterly reports on our cybersecurity program to the Care, Compliance, & Cybersecurity Committee.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Chief Information Security Officer, who reports to our Chief Information Officer, brings to bear more than two decades of experience implementing NIST cybersecurity frameworks, including most recently five years as chief information security officer for a Fortune 200 company. He also holds multiple certifications including the globally recognized Certificate Information Systems Security Professional designation since 2006.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Chief Information Officer provides quarterly reports on our cybersecurity program to the Care, Compliance, & Cybersecurity Committee. These reports include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, company-wide phishing exercises and training, device encryption, device patching, routine resilience efforts including quarterly disaster recovery exercises, tabletop incident response and business continuity exercises. The chairperson of the Care, Compliance, & Cybersecurity Committee briefs the full board of directors on such quarterly reports.
The Chief Information Officer and our Chief Information Security Officer also serve on management’s Enterprise Risk Committee, along with our executive management team, the Chief Compliance Officer, and internal audit personnel. The Enterprise Risk Committee meets regularly during the year to assess various significant risks—including cybersecurity risks—and receives cybersecurity updates in connection with those assessments and the development and implementation of any risk mitigation plans. Our President and Chief Executive Officer presents the report of the Enterprise Risk Committee quarterly to the full board of directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef