|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. Cybersecurity
Cybersecurity risk management and strategy
Protecting our data, which includes information related to our patients, members, and customers, is a primary area of our focus. Given the critical nature of this information, we have developed and implemented a robust cybersecurity risk management program to assess, identify, and manage risks associated with cybersecurity threats as identified in Item 106(a) of Regulation S-K. Cybersecurity is an important and integrated part of our risk management program that identifies, monitors and mitigates business, operational and legal risks.
This program has a multi-tier risk management structure that includes regular reviews of laws, policies, vulnerabilities, and resource levels to address risks facing our organization. Such risks include operational, intellectual property theft, fraud, risks that have potential unfavorable impacts on our employees and/or patients, and violation of data privacy or security laws.
To address cybersecurity risks facing our organization, we have adopted a “continuous risk assessment” process. We engage a third party to conduct a bi-annual National Institute of Technology-Cyber Security Framework assessment to determine the effectiveness of our program and related controls. The results of that assessment are shared with management, which drives prioritization and investment in resources to address those risks. Likewise, annual penetration tests occur to review the efficacy of our technical controls, results which are reviewed by management and resolved in a timely manner. Other factors that feed into our risk management practices are also operational events and incidents, which can lead to controls being reviewed and enhanced.
We also have a mature incident response process in place in the event a cybersecurity incident occurs. This process defines roles, responsibilities and action plans designed to contain and eradicate the issue and then restore systems in the event of a major disruption. Regularly, we conduct tabletop exercises to simulate responses to an incident and implement any insight gained from those exercises to improve our recovery practices. As part of these processes, we regularly engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.
We have a commercial cybersecurity insurance policy that provides for coverage for losses sustained from cybersecurity incidents, subject to certain deductibles and limitations. However, costs and damages associated with cybersecurity incidents could exceed our commercial insurance coverage which could have a material adverse effect on our business, financial position and results of operations.
Third parties who provide services and solutions to our organization are also a source of cyber risk. Through a third-party risk management program, we review risks associated with these third parties through contractual reviews, vendor risk assessments, and continual risk reviews by monitoring the cybersecurity risk exposure these third parties pose and implementing remediation where necessary.
Based on the information available as of the date of this Form 10-K, during our fiscal year 2024 and through the date of this filing, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents (as such terms are defined in Item 106(a) of Regulation S-K), that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For more information on risks to us from cybersecurity threats, see “Risks Related to Information Technology - A cyber security incident could cause a violation of HIPAA, breach of patient or other persons privacy, or other negative impacts.” under “Item 1A. Risk Factors.”
Governance of Cybersecurity
Cybersecurity is an integral part of our risk management program and is an area of focus for our Board of Directors and management. The Audit Committee of our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates, as warranted, including quarterly updates from our Chief Information Security Officer (“CISO”) regarding matters of cybersecurity, such as key risks facing the healthcare industry and our company, core topics, review of incidents, as well as progress against key information security initiatives. Senior executive leadership also engage in ad-hoc discussions with management on cybersecurity topics. In addition, our Board of Directors are provided with an annual report regarding cybersecurity information and related topics.
Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our Information Security, Compliance, Legal and Internal Auditing teams. Such individuals have an average of over 20 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity is an important and integrated part of our risk management program that identifies, monitors and mitigates business, operational and legal risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity is an integral part of our risk management program and is an area of focus for our Board of Directors and management. The Audit Committee of our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates, as warranted, including quarterly updates from our Chief Information Security Officer (“CISO”) regarding matters of cybersecurity, such as key risks facing the healthcare industry and our company, core topics, review of incidents, as well as progress against key information security initiatives. Senior executive leadership also engage in ad-hoc discussions with management on cybersecurity topics. In addition, our Board of Directors are provided with an annual report regarding cybersecurity information and related topics.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Board of Directors is responsible for the oversight of risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Members of the Audit Committee receive updates, as warranted, including quarterly updates from our Chief Information Security Officer (“CISO”) regarding matters of cybersecurity, such as key risks facing the healthcare industry and our company, core topics, review of incidents, as well as progress against key information security initiatives. Senior executive leadership also engage in ad-hoc discussions with management on cybersecurity topics.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management and strategy processes are overseen by our CISO along with leaders from our Information Security, Compliance, Legal and Internal Auditing teams. Such individuals have an average of over 20 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Members of the Audit Committee receive updates, as warranted, including quarterly updates from our Chief Information Security Officer (“CISO”) regarding matters of cybersecurity, such as key risks facing the healthcare industry and our company, core topics, review of incidents, as well as progress against key information security initiatives.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|our CISO along with leaders from our Information Security, Compliance, Legal and Internal Auditing teams. Such individuals have an average of over 20 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|These individuals monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true