TruBridge, Inc. - (TBRG)
10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY
Our business operations, including the provision of the products and services described above, involve the compilation and transmission of confidential information, including patient health information. We also collect and store other sensitive data such as credit card, insurance, and other information. We have included security features in our systems that are intended to protect the privacy and integrity of this information, but our systems may be vulnerable to security breaches, viruses, programming errors and other similar disruptive problems.
The Board of Directors is responsible for exercising oversight of management’s identification of, and planning for, the material risks facing the Company, and we believe our risk management policies and procedures are adequate to ensure that relevant information about cybersecurity risks and incidents is appropriately reported and disclosed. In October 2017, the Board authorized the formation of a Cybersecurity Committee, which is now known as the Governance, Risk & Compliance (“GRC”) Committee. Our cybersecurity risk management processes, which are discussed in greater detail below, are led by the GRC Committee. The GRC Committee is currently composed of the Chief Technology and Innovation Officer, Chief Financial Officer, General Manager of TruBridge, General Manager of EHR, General Manager of Patient Engagement, Corporate Security Officer, and General Counsel and Corporate Compliance Officer. The GRC Committee generally meets weekly, and has a formal meeting quarterly, to discuss the primary security and compliance-related risks currently facing the Company, including cybersecurity risks. The General Counsel and Corporate Compliance Officer then provides updates to the Board at each regular quarterly meeting. Annually, the full Board participates in cybersecurity training and discusses the internal incident management process with the GRC Committee.
In October 2020, the Board created the Innovation and Technology Committee to aid the Board in its duties to assess and oversee the management of risks in the areas of information technology, information and data security, cybersecurity, disaster recovery, data privacy and business continuity. This committee oversees the GRC Committee’s activities relating to information technology and cybersecurity matters, and seeks to enhance communication and coordination of efforts between the Board and management in these areas. The members of the Innovation and Technology Committee monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management process described below, including the operation of our incident response plan.
Additionally, we have a Security Operations Center ("SOC") to oversee several initiatives designed to improve our cybersecurity protection, readiness and response. The Company partnered with a third party to provide Security as a Service ("SECaaS") to assist our internal SOC in reducing the likelihood and impact of a cybersecurity attack. The SOC oversees penetration testing, vulnerability scanning, intrusion prevention, endpoint and insider threat detection, log management and other cybersecurity-related projects. The Company also consulted with third parties to achieve ISO 27001 certification related to information security management, which was achieved starting in 2020 and maintained every year since.
Our SOC team members have over 35 years of combined work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, and developing and overseeing programs and policies related to various areas, including incident response, eDiscovery, forensic investigations, log analysis, malware analysis, risk management, physical security, and enterprise security operations, as well as several relevant degrees and certifications, including Master’s degrees in Cybersecurity and Information Assurance, Bachelor’s degrees in Information Technology, a BS in Information Systems and Cybersecurity, Certified Information Systems Security Professional, Certified Ethical Hacker, Computer Hacking Forensic Investigator, A+, Network+, Security+, MS Sentinel, a degree in forensic science, and others in progress. Prior work experience, knowledge, skills, or background for the SOC team include: law enforcement, DoD contractor work in cybersecurity, heavy involvement in numerous large-scale intrusion investigations, published author of an intrusion analysis book, presentations at numerous conferences focused on cybersecurity, hundreds of forensic analysis cases, prior employment by other companies as cybersecurity/SOC analysts, and continuous on-the-job training.
We have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our process to industry standards and best practices standards set by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”), as well as by engaging experts to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K. Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from information and cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, and to provide for the availability of critical data and systems and to maintain regulatory compliance. These controls include the following activities:
a. closely monitor emerging data protection laws and implement changes to our processes designed to comply;
b. conduct annual customer data handling and use requirements training for all our employees;
c. conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
d. conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
e. through policy, practice and contract (as applicable), require employees, as well as third parties who provide services on our behalf, to protect customer information and data;
f. run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
g. leverage the NIST and ISO incident handling frameworks to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
h. maintain multiple layers of controls, including embedding security into our technology investments.
We perform periodic internal and third-party assessments to test our cybersecurity controls, regularly evaluate our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity or personal data breaches, and use these assessments to help us identify areas for continued focus, improvement, and/or compliance. An example of the assessment we use is the ISO 27001 assessment, which was implemented starting in 2020. Our team is continually evaluating our technology vendors and tools to ensure that we are managing evolving threats to the best of our ability.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. Finally, all users employed by or contracted to the Company are required to complete annual cybersecurity education and training, which includes identifying suspicious emails, internet threats, telecommunication threats and ransomware.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Breaches of security and viruses in our systems could result in client claims against us and harm to our reputation causing us to incur expenses and/or lose clients” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosure is incorporated by reference herein. Although we maintain cybersecurity insurance to reduce potential financial losses that may stem from cybersecurity incidents, the costs related to cybersecurity threats or disruptions may not be fully insured.