Astrana Health, Inc. - (ASTH)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Astrana, like the rest of the healthcare industry, continues to innovate and rely on digital technology, further increasing the importance of cybersecurity to the business. The world is seeing an increase in cyberattacks by nation-states, hacktivists, organized cybercriminal groups, and insider threat actors, all of which may, among other avenues of attack, be using artificial intelligence (“AI”) and distributed hosted environments across different geographies to attack their victims. These threat actors may be individuals or part of a cyber organized crime group that leverages large-scale Cybercrime-as-a-Service (“CaaS”) subscriptions to quickly scale the impact of attacks and avoid disruption to their operations.
The Company’s digital systems are distributed across various architectures, including on-premises, hosted, Software-as-a-Service (“SaaS”), and other architectures operated by third-party service providers. If these architectures and third-party environments fail to operate as contracted, Astrana’s systems could stop functioning for some time, placing Astrana’s strategy, data, clients, and users at risk.
As noted in Item 1 and Item 1A of Part I of this report, a breach of Astrana’s network, hosted service providers, or vendor systems may expose Astrana to a risk of loss or misuse of information, litigation, and potential liability. Therefore, the Company has a team of experienced professionals with expertise in cybersecurity leadership, risk management, incident response, and security operations overseeing Astrana’s program. This team is responsible for developing and implementing our cybersecurity strategy, identifying and mitigating risks, and responding to incidents. Astrana utilizes external resources from reputable cybersecurity firms to supplement certain Chief Information Security Officer (“CISO”) functions, including risk assessments, strategy, and security, while integrating these activities with Astrana’s risk management processes. Astrana assesses third-party cybersecurity controls through cybersecurity questionnaires and includes security and privacy addendums to our contracts, where applicable.
To address cybersecurity, privacy, and overall business risk adequately, Astrana employs a consistent risk management process that assigns risks to functional owners. Risks can be strategic (e.g., loss of market share, technology shifts), reputational (e.g., loss of trust, revenue decline), regulatory (e.g., regulatory fines, business restrictions), or operational (e.g., operational downtime, productivity loss) in nature.
The cybersecurity team collaborates with leaders in management to assess materiality, align on a remediation roadmap, and comply with disclosure requirements. On an ongoing basis, the board of directors and the audit committee oversee Astrana’s cybersecurity risks and remediation strategies to prevent and mitigate cyberattacks.
As of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.