RadNet, Inc. - (RDNT)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk Management and Strategy

As a healthcare provider, cybersecurity, data protection, safeguarding patient information and the integrity of our information systems are of the utmost priority. We have developed and maintain a Cybersecurity and Data Protection Program which aligns with industry-standard frameworks and applicable regulatory requirements, integrates with our overall risk management process, and aims to ensure cybersecurity concerns are a requisite element for decision-making at all levels of our business.

RadNet’s Cybersecurity and Data Protection Program assesses, identifies and manages threats to our information systems and evaluates cybersecurity risks associated with our vendors and third-party partners. We are focused on detecting, preventing and responding to cyber threats, maintaining the privacy and protection of sensitive information, and maintaining the durability and resiliency of our information and data processing systems.

Our approach to designing, operating and measuring the effectiveness of our program leverages experienced internal resources, industry-recognized cybersecurity consultants, assessors, healthcare and industry-specific cybersecurity working groups and threat-intelligence platforms, federal law enforcement and CISA partnerships. We use these resources and partnerships, along with our internal expertise, to develop specialized insights pertinent to our business’s cyber-risk, and tailor our cybersecurity strategy to best safeguard our systems and data.

We staff an internal cybersecurity team and maintain a third-party managed security operations center which, in concert, provide 24x7x365 real-time detection and response. These teams are always connected and routinely respond to perceived threats within minutes. Time-to-detect and time-to-respond metrics are continuously evaluated for opportunities to enhance our program.

Cyber-awareness training and testing is a key component of RadNet’s Cybersecurity and Data Protection Program. Every employee (including third parties who access our systems) is required to complete cyber-related training and successfully complete testing throughout the year, in addition to monthly phishing tests. Furthermore, we require all system users to complete annual Patient Privacy and Patient Data Breach training and testing to meet RadNet compliance standards.

We benchmark and evaluate our Cybersecurity and Data Protection Program and data protection maturity against the NIST Cybersecurity Framework and the HIPAA Security Rule. Consistent with these frameworks, our program includes recurring third-party assessments and a vendor risk management program. Our vendor risk management program conducts security assessments to determine a risk profile of potential vendors and third-party partners and integrates ongoing monitoring and periodic re-assessments to ensure compliance with RadNet’s security standards. RadNet’s Vendor Risk Management Team works closely with RadNet Legal, Compliance and Operations teams to address data safety, compliance and legal requirements for each of our vendor/partner engagements.

We continuously evaluate the practical effectiveness of our cyber-defenses both internally and externally using a combination of technology-based assessments and recurring third-party audits. Our Critical Incident Response Team periodically conducts cyber-focused tabletop exercises using scenarios drawn from observations of risk indicators and from threat intelligence reports of real-world incidents affecting our industry. Outcomes and insights from tabletop exercises are used to enhance RadNet’s Incident Response Plan which is architected following NIST guidelines and reviewed annually and updated periodically as needed.

Our program's overall maturity and operational readiness are regularly evaluated internally by RadNet IT Governance and Compliance teams and by independent expert auditors using the NIST Cybersecurity Framework. Our program, and the results of the evaluation and testing efforts, are regularly reviewed by our senior management and members of our Board of Directors.

Cybersecurity threats, including previous cybersecurity incidents, have not materially affected our business strategy, results of operations, or financial condition. However, cybersecurity threats have the potential to interrupt our operations or cause significant financial hardship. Our risks associated with cybersecurity threats are set forth under “Risk Factors” in Part I, Item 1A in this report.

Governance

RadNet is committed to appropriate cybersecurity governance and oversight. Our Cybersecurity and Data Protection Program is the principal responsibility of our Chief Information Officer and Chief Information Security Officer, each of whom has over 20 years of experience in information systems, including cybersecurity training and experience. Additionally, RadNet’s CIO and CISO work closely with our executive management, legal and compliance leaders, and meet regularly to discuss cybersecurity matters and risks.

Our Board of Directors oversees management's processes for identifying and mitigating risks, including cybersecurity and information security risks. The Audit Committee of our Board of Directors regularly reviews our technology and cybersecurity program and its effectiveness, as well as internal audits of our program. Our Audit Committee also receives regular cybersecurity updates and education on a broad range of topics, including:

current cybersecurity landscape and emerging threats;
status of ongoing cybersecurity initiatives and strategies;
incident report and learnings from any cybersecurity events; and
compliance with regulatory requirements and industry standards.
