OptimizeRx Corp - (OPRX)
10-K Filing Date: April 15, 2024
Risk Management and Strategy
Our information security and risk management program is designed to identify, assess, and manage material risks from cybersecurity threats to our applications, computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, personal information, or PHI (collectively, “Information Systems”).
Our information security program’s basis is a comprehensive set of policies and procedures covering various information security domains (collectively, “Information Security Policies”), including, but not limited to:
● Access control,
● Endpoint protection,
● Third-party oversight,
● Education, training, and awareness,
● Network security,
● Risk management,
● Incident response,
● Business continuity and disaster recovery,
● Data protection and privacy, and
● Other security domains.
Our risk management process is based on a standard methodology, and risks are identified based on:
● Annual risk assessments,
● Information on past incidents,
● Internal audits,
● Security penetration tests, and
● Other security assessments.
All risks are documented in a central Risk Register and tracked for mitigation and other treatment decisions.
Our information security program is audited annually against a well-known security framework, by an accredited third party. We currently carry a HITRUST certification, which is a security assessment that targets the healthcare industry and HIPAA compliance. We are currently working towards a SOC 2 audit and assessment, which has more general applicability and covers the trust services criteria of security, confidentiality, privacy, accessibility, and processing integrity.
In 2023, we stored and processed certain PHI on behalf of customers. From a cybersecurity perspective, this data was stored on secure AWS managed servers in the contiguous United States and encrypted at rest and in transit. End users did not have permission to access PHI unless the end user’s account had the proper end user role permissions (i.e., HCPs or hub service providers). These end user roles were assigned according to the customer’s need to see the information. At all times, such information was segregated so that one customer could not access records containing PHI that were associated with another customer. In late 2023, we discontinued PHI processing; however, certain PHI remains stored on the secure AWS managed servers to the extent the information needs to be accessed by a customer.
Our external audits and assessments identify and evaluate material risks from cybersecurity threats against our overall business objectives on a periodic basis and form the basis of internal reports, which can be shared with the management team, the Audit Committee of the Board of Directors, and the Board of Directors to evaluate our overall enterprise risk.
Our incident response program consists of an Incident Response Plan document and a cross-functional Incident Response Team, which are defined in our Information Security Policies. All workforce members are trained on incident reporting procedures, and there is a single point of contact for reporting all incidents. Incident response training is conducted annually, followed by a tabletop exercise. Our Incident Response Plan instructs personnel on how to notify our Incident Response Team in case of an incident. The VP of Information Security is the point person for incident responses and coordinates mitigation and remediation of cybersecurity incidents. We log all incidents and response plans for purposes of internal documentation. We report critical incidents to the management team, the Audit Committee, and the Board of Directors.
The Company’s VP of Information Security is responsible for implementing Information Security Policies on a day-to-day basis along with the Security Team (as defined in the Information Security Policies), which includes the VP of Information Security, the Chief Product Officer, the VP of Data Engineering and Platform Services, and the VP of Technology (Information Technology).
We use third-party service providers to perform a variety of functions throughout our business, including, but not limited to, infrastructure support and maintenance, CRM, contract management, data hosting, and miscellaneous finance and accounting projects. We assess our vendors with respect to cybersecurity risk according to the services provided, the sensitivity of the Information Systems at issue, and the provider’s identity. In appropriate cases, we will seek enhanced contractual obligations or guarantees related to cybersecurity from the service provider. Vendor risk assessments are performed before each vendor is engaged, and annual reviews are conducted to ensure vendors continue to meet security requirements.
We also maintain technical errors and omissions insurance which includes a cyber incident endorsement of up to $20 million with a premium of $60,700. This endorsement provides coverage for Network Security and Privacy, Privacy Regulation Proceeding, Privacy Event Expense Reimbursement, Extortion Demand Reimbursement, Data Restoration, Network Restoration, Business Interruption and System Failure. This coverage reimburses the most common costs for information security incidents, including attorney’s fees, consumer notification costs, and regulatory fines.
The Company has no material incidents to report through the date of this filing.
For more information on risks from cybersecurity threats that may materially affect the Company, see Item 1A. “Risk Factors”.
Governance
The Board of Directors’ oversight function includes cybersecurity risk management. The Board of Directors has tasked the Audit Committee with overseeing the Company’s cybersecurity risk management processes and with determining which threats are likely to impact the Company’s strategy, business operations, and financial condition.
Our cybersecurity risk assessment and management processes are implemented and maintained by our VP of Information Security and the Security Team. For strategic decisions regarding cybersecurity, the VP of Information Security consults with the Chief Product Officer, the Chief Financial Officer, the General Counsel and Chief Compliance Officer, and the VP of Compliance.
The VP of Information Security is responsible for hiring appropriate personnel, performing vendor risk assessments, and communicating information security priorities to relevant personnel, so that we can build cybersecurity risk considerations into our business practices. The VP of Information Security also plans related budgets, designs cybersecurity processes, and reviews security assessments and related reports.
The Board of Directors has three members with skills and experience in information security and cybersecurity through their experience as current and former executives of digital technology companies.