|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The proper function, availability, and security of our and third-party information systems are critical to our business. We have attempted to structure our cybersecurity program and its incident response policies and procedures, including an incident response plan (the “IRP”), around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which provides best practices to identify, protect against, detect, respond to, and recover from cyber attacks. The cybersecurity program, led by our chief security officer (“CSO”), consists of dedicated internal IT security employees, including the staff of a security operations center, and long-term third-party security service providers. Our IT security staff, led by our CSO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. In furtherance of our cybersecurity program, members of our internal security staff participate in industry and governmental cybersecurity cooperative groups, including the Health Information Sharing and Analysis Center (“H-ISAC”) and the FBI’s InfraGard.
Our CSO, who assumed his current role in 2022, has over 11 years of cybersecurity experience with us and over 28 total years of cybersecurity and IT experience across various industries, including telecom, engineering, and finance. He also holds several cybersecurity certifications: GIAC Certified Incident Handler, GIAC Certified Penetration Tester, and Certified Healthcare Information Security Leader. Our CSO reports directly to our chief information officer (“CIO”). Our CIO, who assumed his current role in 2011, has 35 total years of cybersecurity and IT experience. Prior to assuming the role of CIO, he served in senior IT and security roles for us beginning in 2001. As a highly decorated United States Air Force officer, he served as a CIO, regional CIO, and chief technology officer responsible for the USAF health system’s IT worldwide operations. He also served as a senior staff advisor to various levels of the United States Department of Defense’s military health system on strategic matters related to IT policy, procedures, procurement, and solutions, and is a subject matter expert on cybersecurity. He has numerous professional certifications and affiliations, including a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors’ Cyber-Risk Oversight Program; Certified Information Systems Security Professional; and lifetime member, fellow, and previous board member of the College of Health Information Management Executives.
We maintain an inter-departmental privacy and security committee that oversees our programs and initiatives that seek to protect and secure patient information as well as our data and information systems. This committee is responsible for, among other things, administering our incident response policies and procedures and various training and awareness programs that promote good system security practices by employees. This committee consists of our CSO, CIO, deputy CIO, chief privacy officer, and director of information security and compliance, as well as in-house attorneys responsible for cybersecurity and securities matters. It currently meets monthly and as warranted by privacy and security events.
The IRP sets forth the strategy to prepare for cybersecurity threats and incidents and the processes and procedures to detect, analyze, contain, and recover after any actual or suspected cybersecurity incidents. The IRP also sets forth the internal reporting process for cybersecurity incidents. In the event of the detection of an actual or suspected cybersecurity incident, the IRP provides that our IT security staff score the incident based on established criteria and manage the incident pursuant to the standard operating procedures. Depending on the assessed criticality of the incident and the systems affected, the staff will report an incident to a security triage team, consisting of the security operations incident response lead and several members of the privacy and security committee. Working with our third-party security vendors as needed, the triage team investigates the incident, manages the response, and reports threats and incidents deemed significant to securities counsel. Securities counsel then works with the executive team to assess materiality for the Company. A member of the executive team would inform our board of directors as warranted.
In general terms, under our cybersecurity program, we undertake measures to protect the safety and security of our information systems and the data maintained within those systems. We have implemented administrative, technical and physical controls on our systems and devices in an attempt to prevent unauthorized access and to promote business resilience in the event of such access. Core elements of our program include the real-time monitoring of both our network and external cybersecurity activity by our internal security operations center and our third-party service providers and the procedures for backing up and recovering our systems. We periodically test the adequacy of our security, business continuity, and disaster recovery measures, including an annual tabletop exercise involving representatives from all key functional departments within the Company, our outside cybersecurity legal counsel, and our primary forensic services firm. Given the extensive practical experience of implementing our IRP and business continuity plan during the Change Healthcare incident, discussed further below, we did not conduct a separate mock tabletop exercise in 2024. Our legal and technical advisors direct the exercise and provide feedback on our performance, which is shared with management and our board of directors. We provide our employees annual training and regular reminders on measures they can take to prevent breaches and other cyber threats, including phishing schemes. We participate in the vulnerability scanning service offered by the Cybersecurity and Infrastructure Security Agency on our internet-facing systems and engage external security consultants to perform an annual penetration test of our network. Our systems that process electronic protected health information are risk assessed on a quarterly basis against NIST security controls. Additionally, we maintain insurance coverage for cybersecurity incidents.
Third-party Engagement in Connection with our Cybersecurity Program
We maintain ongoing engagements with our cybersecurity legal counsel and forensic services firms, each of which has visibility into current events through its client base. We engage throughout the year with not only our security vendors but also H-ISAC, the FBI’s InfraGard, and other communities dedicated to sharing information regarding developing cybersecurity threats.
Third-party IT Vendor Risk Management
Our IT security staff also maintains a third-party IT vendor risk management process. The staff identifies the third parties with whom we contract or otherwise have a relationship involving our network or digital assets that represent an elevated risk based on a detailed rating process. The IT vendor risk management process involves input from various departments, including the affected internal business constituencies, legal, and compliance.
Using a platform endorsed by the H-ISAC, the IT security staff performs risk assessments of third parties that appear to represent the greatest risk to our systems and data. Annually, the privacy and security committee reviews and approves our listing of tier one vendors subject to the assessment. The IT security staff then works with the internal points of contact responsible for the applications, software or systems and the vendors to gather the information necessary to assess the associated risks using common cybersecurity standards and frameworks. Any significant risks identified are shared with the vendors and the compensating controls for those risks are documented in collaboration with the vendors. The internal points of contact and other constituencies then review the results of the assessment process in order to assess the associated value of the product or service against the risk.
To date, we are not aware of having experienced a material compromise of our systems or networks from a cybersecurity incident. However, we routinely identify attempts to gain unauthorized access to our systems. Additionally, some of our vendors and business partners have experienced compromises of their information systems, including systems that we use. On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group that acted as an intermediary for processing of our payment claims for all payors, notified us of a cybersecurity incident affecting some of its systems. In response to the incident, both we and Change Healthcare severed the business service connections between our systems and Change Healthcare’s. We promptly conducted forensics on our systems based on the shared information regarding this Change Healthcare incident and did not identify any compromise or unauthorized access of our systems or networks. However, the incident did affect our ability to submit any claims for payment for a period of time until we implemented alternative modes for submissions. We have not identified any compromise or unauthorized access of our systems or networks, and the temporary disruption to our submission of claims did not materially affect our business strategy, results of operations or financial condition.
Given the increasing cybersecurity threats in the healthcare industry, there can be no assurance we will not experience business interruptions; data loss, ransom, misappropriation or corruption, theft, or misuse of proprietary data, patient or other personally identifiable information; or litigation, investigation, or regulatory action related to any of those, any of which could have a material adverse effect on our patient care, ability to admit patients and to bill and collect for services provided on a timely basis, financial position, and results of operations and could harm our business reputation. We expend significant capital to protect against cybersecurity threats, including denial of service attacks, email phishing schemes, hacking, advanced persistent threats, malware, and ransomware. Substantial additional expenditures may be required to respond to and remediate any problems caused by cybersecurity incidents, including the unauthorized access to or theft of patient data and protected health information stored in our information systems, the inoperability of our electronic clinical and business systems, and the infiltration or disruption of the information systems of our business vendors and partners. In the case of a material cybersecurity incident, the associated expenses and losses and lost revenue may exceed our current insurance coverage for such events. Some adverse consequences may not be insurable, such as reputational harm and third-party business interruption.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Assessing, identifying, and managing cybersecurity related risks are integrated into our overall enterprise risk management (the “ERM”) process. Cybersecurity risks are included in the risk universe that the ERM function evaluates to assess the most significant risks to the Company as a whole. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. Management presents quarterly the ERM risk assessment, including key risk indicators, to our board of directors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors has actively sought out experience and expertise among its members to further its oversight of cybersecurity risk. We believe that Messrs. Carmichael and Reidy and Ms. Herman have extensive knowledge and experience to support cybersecurity oversight. Mr. Carmichael previously served as chief information officer at multiple companies, and Mr. Reidy directly supervised and oversaw the information security programs at two companies. Ms. Herman has completed the National Association of Corporate Directors’ Cyber-Risk Oversight Program, which is designed to enhance cybersecurity literacy and strengthen cyber-risk oversight practices, and holds a CERT Certificate in Cybersecurity Oversight. The Compliance and Quality of Care Committee of our board of directors has primary responsibility for oversight of our cybersecurity risk management program. Our CIO provides quarterly reports on our cybersecurity program to that committee and at least annually to our full board. The reports to the committee and the full board include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, quarterly NIST framework assessments, quarterly Company-wide phishing exercises and training, device encryption, routine resilience efforts including quarterly disaster recovery exercises, third-party vendor risk management, annual tabletop incident response exercise, annual business continuity exercise, cyber penetration tests, and 23 NIST cyber hygiene controls. Similarly, our chief compliance officer provides quarterly reports to the Compliance and Quality of Care Committee on patient privacy compliance efforts and related matters. The Compliance and Quality of Care Committee and the full board review, and the committee approves, the annual cybersecurity plan that sets out the primary initiatives and internal audits of the IT security function for the upcoming year.
Historically, one or more board members have observed and participated in our tabletop incident response exercises.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Compliance and Quality of Care Committee of our board of directors has primary responsibility for oversight of our cybersecurity risk management program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CIO provides quarterly reports on our cybersecurity program to that committee and at least annually to our full board.
|Cybersecurity Risk Role of Management [Text Block]
|The cybersecurity program, led by our chief security officer (“CSO”), consists of dedicated internal IT security employees, including the staff of a security operations center, and long-term third-party security service providers. Our IT security staff, led by our CSO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. In furtherance of our cybersecurity program, members of our internal security staff participate in industry and governmental cybersecurity cooperative groups, including the Health Information Sharing and Analysis Center (“H-ISAC”) and the FBI’s InfraGard.
Our CSO, who assumed his current role in 2022, has over 11 years of cybersecurity experience with us and over 28 total years of cybersecurity and IT experience across various industries, including telecom, engineering, and finance. He also holds several cybersecurity certifications: GIAC Certified Incident Handler, GIAC Certified Penetration Tester, and Certified Healthcare Information Security Leader. Our CSO reports directly to our chief information officer (“CIO”). Our CIO, who assumed his current role in 2011, has 35 total years of cybersecurity and IT experience. Prior to assuming the role of CIO, he served in senior IT and security roles for us beginning in 2001. As a highly decorated United States Air Force officer, he served as a CIO, regional CIO, and chief technology officer responsible for the USAF health system’s IT worldwide operations. He also served as a senior staff advisor to various levels of the United States Department of Defense’s military health system on strategic matters related to IT policy, procedures, procurement, and solutions, and is a subject matter expert on cybersecurity. He has numerous professional certifications and affiliations, including a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors’ Cyber-Risk Oversight Program; Certified Information Systems Security Professional; and lifetime member, fellow, and previous board member of the College of Health Information Management Executives.
We maintain an inter-departmental privacy and security committee that oversees our programs and initiatives that seek to protect and secure patient information as well as our data and information systems. This committee is responsible for, among other things, administering our incident response policies and procedures and various training and awareness programs that promote good system security practices by employees. This committee consists of our CSO, CIO, deputy CIO, chief privacy officer, and director of information security and compliance, as well as in-house attorneys responsible for cybersecurity and securities matters. It currently meets monthly and as warranted by privacy and security events.
The IRP sets forth the strategy to prepare for cybersecurity threats and incidents and the processes and procedures to detect, analyze, contain, and recover after any actual or suspected cybersecurity incidents. The IRP also sets forth the internal reporting process for cybersecurity incidents. In the event of the detection of an actual or suspected cybersecurity incident, the IRP provides that our IT security staff score the incident based on established criteria and manage the incident pursuant to the standard operating procedures. Depending on the assessed criticality of the incident and the systems affected, the staff will report an incident to a security triage team, consisting of the security operations incident response lead and several members of the privacy and security committee. Working with our third-party security vendors as needed, the triage team investigates the incident, manages the response, and reports threats and incidents deemed significant to securities counsel. Securities counsel then works with the executive team to assess materiality for the Company. A member of the executive team would inform our board of directors as warranted.
In general terms, under our cybersecurity program, we undertake measures to protect the safety and security of our information systems and the data maintained within those systems. We have implemented administrative, technical and physical controls on our systems and devices in an attempt to prevent unauthorized access and to promote business resilience in the event of such access. Core elements of our program include the real-time monitoring of both our network and external cybersecurity activity by our internal security operations center and our third-party service providers and the procedures for backing up and recovering our systems. We periodically test the adequacy of our security, business continuity, and disaster recovery measures, including an annual tabletop exercise involving representatives from all key functional departments within the Company, our outside cybersecurity legal counsel, and our primary forensic services firm. Given the extensive practical experience of implementing our IRP and business continuity plan during the Change Healthcare incident, discussed above, we did not conduct a separate mock tabletop exercise in 2024. Our legal and technical advisors direct the exercise and provide feedback on our performance, which is shared with management and our board of directors. We provide our employees annual training and regular reminders on measures they can take to prevent breaches and other cyber threats, including phishing schemes. We participate in the vulnerability scanning service offered by the Cybersecurity and Infrastructure Security Agency on our internet-facing systems and engage external security consultants to perform an annual penetration test of our network. Our systems that process electronic protected health information are risk assessed on a quarterly basis against NIST security controls. Additionally, we maintain insurance coverage for cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The cybersecurity program, led by our chief security officer (“CSO”), consists of dedicated internal IT security employees, including the staff of a security operations center, and long-term third-party security service providers. Our IT security staff, led by our CSO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CSO, who assumed his current role in 2022, has over 11 years of cybersecurity experience with us and over 28 total years of cybersecurity and IT experience across various industries, including telecom, engineering, and finance. He also holds several cybersecurity certifications: GIAC Certified Incident Handler, GIAC Certified Penetration Tester, and Certified Healthcare Information Security Leader. Our CSO reports directly to our chief information officer (“CIO”). Our CIO, who assumed his current role in 2011, has 35 total years of cybersecurity and IT experience. Prior to assuming the role of CIO, he served in senior IT and security roles for us beginning in 2001. As a highly decorated United States Air Force officer, he served as a CIO, regional CIO, and chief technology officer responsible for the USAF health system’s IT worldwide operations. He also served as a senior staff advisor to various levels of the United States Department of Defense’s military health system on strategic matters related to IT policy, procedures, procurement, and solutions, and is a subject matter expert on cybersecurity. He has numerous professional certifications and affiliations, including a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors’ Cyber-Risk Oversight Program; Certified Information Systems Security Professional; and lifetime member, fellow, and previous board member of the College of Health Information Management Executives.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The cybersecurity program, led by our chief security officer (“CSO”), consists of dedicated internal IT security employees, including the staff of a security operations center, and long-term third-party security service providers. Our IT security staff, led by our CSO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. In furtherance of our cybersecurity program, members of our internal security staff participate in industry and governmental cybersecurity cooperative groups, including the Health Information Sharing and Analysis Center (“H-ISAC”) and the FBI’s InfraGard.
Our CSO, who assumed his current role in 2022, has over 11 years of cybersecurity experience with us and over 28 total years of cybersecurity and IT experience across various industries, including telecom, engineering, and finance. He also holds several cybersecurity certifications: GIAC Certified Incident Handler, GIAC Certified Penetration Tester, and Certified Healthcare Information Security Leader. Our CSO reports directly to our chief information officer (“CIO”). Our CIO, who assumed his current role in 2011, has 35 total years of cybersecurity and IT experience. Prior to assuming the role of CIO, he served in senior IT and security roles for us beginning in 2001. As a highly decorated United States Air Force officer, he served as a CIO, regional CIO, and chief technology officer responsible for the USAF health system’s IT worldwide operations. He also served as a senior staff advisor to various levels of the United States Department of Defense’s military health system on strategic matters related to IT policy, procedures, procurement, and solutions, and is a subject matter expert on cybersecurity. He has numerous professional certifications and affiliations, including a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors’ Cyber-Risk Oversight Program; Certified Information Systems Security Professional; and lifetime member, fellow, and previous board member of the College of Health Information Management Executives.
We maintain an inter-departmental privacy and security committee that oversees our programs and initiatives that seek to protect and secure patient information as well as our data and information systems. This committee is responsible for, among other things, administering our incident response policies and procedures and various training and awareness programs that promote good system security practices by employees. This committee consists of our CSO, CIO, deputy CIO, chief privacy officer, and director of information security and compliance, as well as in-house attorneys responsible for cybersecurity and securities matters. It currently meets monthly and as warranted by privacy and security events.
The IRP sets forth the strategy to prepare for cybersecurity threats and incidents and the processes and procedures to detect, analyze, contain, and recover after any actual or suspected cybersecurity incidents. The IRP also sets forth the internal reporting process for cybersecurity incidents. In the event of the detection of an actual or suspected cybersecurity incident, the IRP provides that our IT security staff score the incident based on established criteria and manage the incident pursuant to the standard operating procedures. Depending on the assessed criticality of the incident and the systems affected, the staff will report an incident to a security triage team, consisting of the security operations incident response lead and several members of the privacy and security committee. Working with our third-party security vendors as needed, the triage team investigates the incident, manages the response, and reports threats and incidents deemed significant to securities counsel. Securities counsel then works with the executive team to assess materiality for the Company. A member of the executive team would inform our board of directors as warranted.
In general terms, under our cybersecurity program, we undertake measures to protect the safety and security of our information systems and the data maintained within those systems. We have implemented administrative, technical and physical controls on our systems and devices in an attempt to prevent unauthorized access and to promote business resilience in the event of such access. Core elements of our program include the real-time monitoring of both our network and external cybersecurity activity by our internal security operations center and our third-party service providers and the procedures for backing up and recovering our systems. We periodically test the adequacy of our security, business continuity, and disaster recovery measures, including an annual tabletop exercise involving representatives from all key functional departments within the Company, our outside cybersecurity legal counsel, and our primary forensic services firm. Given the extensive practical experience of implementing our IRP and business continuity plan during the Change Healthcare incident, discussed above, we did not conduct a separate mock tabletop exercise in 2024. Our legal and technical advisors direct the exercise and provide feedback on our performance, which is shared with management and our board of directors. We provide our employees annual training and regular reminders on measures they can take to prevent breaches and other cyber threats, including phishing schemes. We participate in the vulnerability scanning service offered by the Cybersecurity and Infrastructure Security Agency on our internet-facing systems and engage external security consultants to perform an annual penetration test of our network. Our systems that process electronic protected health information are risk assessed on a quarterly basis against NIST security controls. Additionally, we maintain insurance coverage for cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true