QHSLab, Inc. - (USAQ)

10-K Filing Date: March 27, 2024
ITEM 1C. CYBERSECURITY

 

At QHSLab, Inc., we prioritize the security and privacy of all data, with a special emphasis on the personal health, financial, and insurance information entrusted to us by our medical practice clients and their patients' electronic personal health information (ePHI). Recognizing the unique vulnerabilities of the digital medicine sector, we have developed an internal cybersecurity risk management framework that incorporates industry-leading practices and technologies to safeguard against cyber threats.

 

Our Approach to Cybersecurity Risk Management

 

Our cybersecurity framework is built around a comprehensive strategy that includes ongoing risk assessment, threat detection, swift incident response, and continuous improvement of our cybersecurity defenses. Key elements of our program include:

 

  Framework Adoption: Utilization of the CIS Critical Security Controls (CIS Controls) Cybersecurity Framework as a benchmark for evaluating the effectiveness of our cybersecurity measures.
  Cybersecurity Assessments: Regular assessments of our cybersecurity through both internal evaluations and planned periodical third-party audits, ensuring adherence to the highest standards of security.
  Training and Awareness: Mandatory cybersecurity training for all employees upon onboarding and through annual refreshers, fostering a culture of security awareness across the organization.
  Incident Response and Preparedness: A well-defined incident response plan that enables us to quickly identify, contain, and mitigate the impact of cybersecurity incidents.
  Third-Party Risk Management: Evaluation of third-party vendors’ security practices to ensure they meet our strict standards, especially when they have access to sensitive data.
  Investment in Security Infrastructure: Investment in cybersecurity technologies and infrastructure to stay ahead of emerging threats.

 


During the year ended December 31, 2023, the Company has not identified risks from cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected or are reasonably anticipated to materially affect the Company, including its business strategy, results of operations, or financial condition. Nevertheless, the Company recognizes cybersecurity threats are ongoing and evolving. For more information on the Company’s cybersecurity risks, refer to Item 1A, “Risk Factors”.

 

Governance and Oversight

 

Cybersecurity governance at QHSLab, Inc. is a board-level priority, with our Board of Directors playing an active role in overseeing our cybersecurity strategy and risk management.

 

Insurance and Risk Mitigation

 

We maintain cybersecurity insurance to mitigate the financial impact of potential incidents. However, we recognize that insurance is only one component of a multifaceted risk management strategy.

 

Incident Response and Risk Management at QHSLab, Inc.

 

Central to our enterprise risk management efforts, QHSLab, Inc. has developed a comprehensive incident response plan to swiftly and effectively address cybersecurity incidents. This plan is a cornerstone of our commitment to maintaining the highest levels of data security and patient privacy.

 

Incident Assessment and Response Procedures

 

Upon identification of a potential cybersecurity incident, management initiates a structured initial assessment, guided by predefined criteria to gauge the incident’s severity and potential impact. This evaluation is critical for determining the scope of the incident and crafting an appropriate response.

 

The process includes:

 

  Immediate Assessment: Conducted by the incident response team to determine the incident’s nature, scope, and potential impact on QHSLab, Inc.’s operations and sensitive patient data.
  Elevation Protocol: Incidents with significant potential impact are promptly escalated to senior IT security team members for further review. This ensures that high-level expertise is applied to complex or severe cybersecurity events.
  Material Impact Analysis: Management assesses the potential for substantial harm to the organization, considering factors such as data integrity, patient privacy, and operational continuity.
  Public Disclosure Considerations: In alignment with regulatory requirements and our commitment to transparency, management evaluates the necessity and timing for public disclosure, balancing patient privacy, legal obligations, and public interest.

 

Commitment to Continuous Improvement

 

Recognizing the dynamic nature of cyber threats, particularly in the digital medicine sector, our incident response plan is subject to ongoing review and refinement. We will regularly update our procedures to incorporate any lessons learned from past incidents and emerging best practices in cybersecurity.