Enhabit, Inc. - (EHAB)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity.
We recognize the critical importance of maintaining the integrity, availability and security of our information systems. We take a holistic, multi-layered approach to addressing cybersecurity risks, supported by management, the Care, Compliance, and Cybersecurity Committee of our board of directors, and the full board of directors. Our board of directors has ultimate oversight of cybersecurity risk but has delegated to the Care, Compliance, and Cybersecurity Committee focused and pertinent oversight responsibilities as part of our enterprise risk management program.
We have structured our cybersecurity program around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and processes to assess, identify and manage cybersecurity risks. Key components of our strategy include annual and ongoing security awareness
training for employees, advanced detection and monitoring systems, and robust incident response and containment. We actively monitor and investigate both internally discovered and externally reported issues that may compromise our information systems, permitting quick and decisive action when necessary. We also recognize the importance of securing third-party service providers and have implemented cybersecurity risk management protocols for such parties. For example, all vendors are required to complete our Ongoing Monitoring Assessment Questionnaire, and technology vendors are approved by our Architecture Review Committee.
The Company’s Chief Information Officer, who reports to our President and Chief Executive Officer, leverages more than a decade of experience in discharging his responsibility for developing and implementing our cybersecurity program. The Chief Information Officer leads a dedicated team of internal IT employees, along with multiple long-term third-party security vendors. Our board of directors and its Care, Compliance, and Cybersecurity Committee support our Chief Information Officer by bringing to bear members’ experience with information technology and management, including information technology strategy and the risks associated with cybersecurity matters, as part of their oversight function.
The Chief Information Officer also serves on management’s Enterprise Risk Committee, along with our executive leadership team, the Chief Compliance Officer, and internal audit personnel. The Enterprise Risk Committee meets regularly during the year to assess various significant risks—including cybersecurity risks—and receives cybersecurity updates from the Chief Information Officer in connection with those assessments and with regard to the development and implementation of any risk mitigation plans. Our President and Chief Executive Officer presents the report of the Enterprise Risk Committee quarterly to the full board of directors.
Our Chief Information Officer provides quarterly reports on our cybersecurity program to the Care, Compliance, and Cybersecurity Committee and at least annually to our full board of directors. These reports include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, company-wide phishing exercises and training, device encryption, device patching, and routine resilience efforts, including quarterly disaster recovery exercises and tabletop incident response and business continuity exercises. The chairperson of the Care, Compliance, and Cybersecurity Committee briefs the full board of directors on such quarterly reports.
Our policies and procedures concerning cybersecurity matters apply to all employees. These policies and procedures address encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information, and the use of the internet, social media, email and wireless devices.
We also maintain an inter-departmental privacy and security committee which oversees programs and initiatives seeking to protect and secure patient information as well as our data and information systems. This committee is responsible for our IT-security incident response plan and various training and awareness programs that promote patient privacy and system security practices by employees.
We have experienced threats to our data and systems, including malware and computer virus attacks from time to time. To our knowledge, these threats have not materially affected us, our business, financial position, results of operations or cash flows to date. Although no assurances can be given, we do not believe that such threats are reasonably likely to materially affect us in the future. For more information about the cybersecurity risks we face, see Item 1A, “Risk Factors—Other Operational and Financial Risks.”