PACIFIC HEALTH CARE ORGANIZATION INC - (PFHO)
10-K Filing Date: April 16, 2024
Risk Management and Strategy
We recognize the importance of maintaining the trust and confidence of our customers, business partners, and employees, and cybersecurity represents an important component of our overall approach to enterprise risk management. Our approach to cybersecurity risk management is aligned with our risk profile and business, and includes efforts towards meeting the standards for an organization of our size and type in conjunction with the National Institute of Standards and Technology. We also utilize a third-party IT vendor to manage the technological security and efficacy of our systems, including a Virtual Chief Information Officer, a Virtual Chief Information Security Officer, and other IT specialists who manage our IT and cybersecurity needs.
Our cybersecurity risk management is designed to employ technology and security practices across our operations and business functions, including vulnerability assessments, detecting and responding to cybersecurity incidents, cybersecurity crisis preparedness and incident response resources, vulnerability scans and IT security risk assessments, and progressive investments in cybersecurity infrastructure and technology designed to reduce cybersecurity risks. Notable aspects of our cybersecurity risk management include:
● efforts towards adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework;
● periodic IT risk assessments conducted by an external cybersecurity consultant;
● enterprise-wide security and privacy measures;
● IT security, cybercrime, privacy, and HIPAA security training provided to employees and independent contractors;
● periodic social engineering and phishing testing for employees;
● encrypted and air-gapped data backups;
● periodic dark web monitoring and vulnerability scans; and
● periodic review of disaster preparedness, incident response, and business continuity plans.
We intend to continue to leverage the support of third-party information technology and security providers, including to perform risk assessments designed to identify, assess, and manage cybersecurity risks. We assess on an ad hoc basis the data protection practices of certain of our third-party vendors who handle our data, which assessments include the assessment of vendor data protection policies, disclosure of changes to data protection policies or practices, maintenance of cyber liability insurance, and provision of certifications, assessments, or other documentation as deemed relevant.
As of the date of this annual report, we maintain cyber liability insurance that provides cyber incident response coverage. However, costs, damages, and remediation associated with cybersecurity incidents may not be adequately insured under our insurance policy and may be subject to applicable deductibles, to the extent that they are covered. See also “We could lose cyber liability insurance coverage and be subject to uninsured liabilities” in Item 1A, Risk Factors, of this annual report for additional discussion of risks related to our cyber liability insurance.
As previously disclosed, in fiscal 2023, Fortra, LLC, the third-party vendor that provides the GoAnywhere managed file transfer as a service system (MFTaaS), experienced a data security incident that affected many of Fortra’s customers, including us. We use GoAnywhere as a means by which our customers electronically share certain data regarding their employees and other third parties with us. Our understanding is that this activity was the result of the threat actor’s exploit of a zero-day vulnerability in Fortra’s systems. Based on the information we have obtained from Fortra and our own diligence, we understand that this activity only affected Fortra’s systems, and did not involve unauthorized access to our information systems. However, the threat actor in this incident accessed certain of our customers’ employees’ and other third parties’ data and such data included protected health information, as defined by the Health Insurance Portability and Accountability Act, and personally identifiable information. We have engaged outside experts to assist in investigating and responding to this incident and have provided the required notifications to the data owners, and where appropriate, to the individuals affected by the incident and to various State Attorneys General.
As of the date of this annual report, this incident has not had a materially adverse impact on our results of operations. Though our response has not included material changes to our cyber risk management, strategy, or governance, we have taken or plan to take additional cybersecurity measures to continue to advance our cybersecurity policies, practices, and technology. We have incurred expenses, and may incur in the future expenses and losses, related to this incident. See also the risks included below the heading “Cybersecurity, Information Technology and Outsourced Services Related Risks” in Item 1A, Risk Factors, of this annual report for additional discussion of risks related to cybersecurity.
Governance
Our entire board of directors is responsible for the strategic leadership and direction of our cybersecurity program and has oversight over cybersecurity risks. Our management may provide periodic presentations to the board on our cybersecurity program, including updates on cybersecurity risks, strategy and incident management, as applicable. Our cybersecurity risk management is also administered at a management level through a multi-disciplinary Technology Business Review Committee composed of members of our operational and organizational management, as well as our outsourced Virtual Chief Information Officer. The Technology Business Review Committee is tasked with identifying and monitoring what we believe to be the key technology risks currently facing the Company, including cybersecurity risks. The committee meets on at least a quarterly basis and on an as-needed basis to address risks, regulatory requirements, potential threats, vulnerabilities, available mitigation strategies and technologies, operational imperatives and changes, and progress updates on relevant projects related to our IT and cybersecurity.
In addition, we undergo an annual IT risk assessment reviewed by a third-party IT vendor, with significant or actionable findings reported to the Technology Business Review Committee. The annual IT risk assessment identifies our risk status on various IT security metrics, prioritizes remediation, and covers external vulnerability scan results, patching reports, dark web status, and personnel IT security training reports. This annual third-party review helps further monitor and inform our Technology Business Review Committee's work and our cybersecurity risk management and strategy.