Encompass Health Corp - (EHC)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Process for Assessing, Identifying and Managing Material Cybersecurity Risks
The proper function, availability, and security of our and third-party information systems are critical to our business. We have attempted to structure our cybersecurity program and its incident response policies and procedures, including an incident response plan (the “IRP”), around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which provides best practices to identify, protect from, respond to, and recover from cyber attacks. The cybersecurity program, led by our chief security officer (“CSO”), consists of dedicated internal IT security employees, including the staff of a security operations center, and long-term third-party security service providers. Our IT security staff, led by our CSO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. In furtherance of our cybersecurity program, members of our internal security staff participate in industry and governmental cybersecurity cooperative groups, including the Health Information Sharing and Analysis Center (“H-ISAC”) and the FBI’s InfraGard.
Our CSO, who assumed his current role in 2022, has over 10 years of cybersecurity experience with us and over 27 total years of cybersecurity and IT experience across various industries, including telecom, engineering, and finance. He also holds several cybersecurity certifications: GIAC Certified Incident Handler, GIAC Certified Penetration Tester, and Certified Healthcare Information Security Leader. Our CSO reports directly to our chief information officer (“CIO”). Our CIO, who assumed his current role in 2011, has 34 total years of cybersecurity and IT experience. Prior to assuming the role of CIO, he served in senior IT and security roles for us beginning in 2001. As a highly decorated United States Air Force officer, he served as a CIO, regional CIO, and chief technology officer responsible for the USAF health system’s IT worldwide operations. He also served as a senior staff advisor to various levels of the United States Department of Defense’s military health system on strategic matters related to IT policy, procedures, procurement, solutions, and is a subject matter expert on cybersecurity. He has numerous professional certifications and affiliations, including a CERT Certificate in Cybersecurity Oversight from National Association of Corporate Directors’ Cyber-Risk Oversight Program; Certified Information Systems Security Professional; lifetime member, fellow, and previous board member of the College of Health Information Management Executives.
We maintain an inter-departmental privacy and security committee that oversees our programs and initiatives that seek to protect and secure patient information as well as our data and information systems. This committee is responsible for, among other things, administering our incident response policies and procedures and various training and awareness programs that promote good system security practices by employees. This committee consists of our CSO, CIO, deputy CIO, chief privacy officer, and director of information security and compliance as well as in-house attorneys responsible for cybersecurity and securities matters. It currently meets monthly and as warranted by privacy and security events.
The IRP sets forth the strategy to prepare for cybersecurity threats and incidents and the processes and procedures to detect, analyze, contain, and recover after any actual or suspected cybersecurity incidents. The IRP also sets forth the internal reporting process for cybersecurity incidents. In the event of the detection of an actual or suspected cybersecurity incident, the IRP provides that our IT security staff score the incident based on established criteria and manage the incident pursuant to the standard operating procedures. Depending on the assessed criticality of the incident and the systems affected, the staff will report an incident to a security triage team, consisting of the security operations incident response lead and several members of the privacy and security committee. Working with our third-party security vendors as needed, the triage team investigates the incident, manages the response, and reports threats and incidents deemed significant to securities counsel. Securities counsel then works with the executive team to assess materiality for the Company. A member of the executive team would inform our board of directors as warranted.
In general terms, under our cybersecurity program, we undertake measures to protect the safety and security of our information systems and the data maintained within those systems. We have implemented administrative, technical and physical controls on our systems and devices in an attempt to prevent unauthorized access and to promote business resilience in the event of that access. Core elements of our program include the real-time monitoring of both our network and external cybersecurity activity by our internal security operations center and our third-party service providers and the procedures for backing up and recovering our systems. We periodically test the adequacy of our security, business continuity, and disaster recovery measures, including an annual tabletop exercise involving representatives from all key functional departments within the Company, our outside cybersecurity legal counsel, and our primary forensic services firm. Our legal and technical advisors direct the exercise and provide feedback on our performance, which is shared with management and our board of directors. We provide our employees annual training and regular reminders on measures they can take to prevent breaches and other cyber threats, including phishing schemes. We participate in the vulnerability scanning service offered by the Cybersecurity and Infrastructure Security Agency on our internet-facing systems and engage external security consultants to perform an annual penetration test of our network. Our systems that process electronic protected health information are risk-assessed on a quarterly basis against NIST security controls. Additionally, we maintain insurance coverage for cybersecurity incidents.
Third-party Engagement in Connection with our Cybersecurity Program
We maintain engagements with our cybersecurity legal counsel and forensic services firms, each of which has visibility into current events through its client base. We engage throughout the year with not only our security vendors but also H-ISAC, the FBI’s InfraGard, and other communities dedicated to sharing information regarding developing cybersecurity threats.
Third-party IT Vendor Risk Management
Our IT security staff also maintains a third-party IT vendor risk management process. The staff identifies the third parties with whom we contract or otherwise have a relationship involving our network or digital assets that represent an elevated risk based on a detailed rating process. The IT vendor risk management process involves input from various departments, including the affected internal business constituencies, legal, and compliance.
Using a platform endorsed by the H-ISAC, the IT security staff performs risk assessments of third parties that appear to represent the greatest risk to our systems and data. Annually, the privacy and security committee reviews and approves our listing of tier one vendors subject to the assessment. The IT security staff then works with the internal points of contact responsible for the applications, software or systems and the vendors to gather the information necessary to assess the associated risks using common cybersecurity standards and frameworks. Any significant risks identified are shared with the vendors and the compensating controls for those risks are documented in collaboration with the vendors. The internal points of contact and other constituencies then review the results of the assessment process in order to assess the associated value of the product or service against the risk.
Integration into the Overall Risk Management System
Assessing, identifying, and managing cybersecurity-related risks are integrated into our overall enterprise risk management (the “ERM”) process. Cybersecurity risks are included in the risk universe that the ERM function evaluates to assess the most significant risks to the Company as a whole. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. Management presents quarterly the ERM risk assessment, including key risk indicators, to our board of directors.
Board Oversight of the Cybersecurity Program and Patient Privacy Matters
Our board of directors has actively sought out experience and expertise among its members to further its oversight of cybersecurity risk. We believe that Messrs. Carmichael and Reidy and Ms. Herman have extensive knowledge and experience in cybersecurity oversight. Mr. Carmichael previously served as chief information officer at multiple companies, and Mr. Reidy directly supervised and oversaw the information security programs at two companies. Ms. Herman has completed the National Association of Corporate Directors’ Cyber-Risk Oversight Program, which is designed to enhance cybersecurity literacy and strengthen cyber-risk oversight practices, and holds a CERT Certificate in Cybersecurity Oversight.
The Compliance and Quality of Care Committee of our board of directors has primary responsibility for oversight of our cybersecurity risk management program. Our CIO provides quarterly reports on our cybersecurity program to that committee and at least annually to our full board. The reports to the committee and the full board include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, quarterly NIST framework assessments, quarterly Company-wide phishing exercises and training, device encryption, routine resilience efforts including quarterly disaster recovery exercises, third-party vendor risk management, annual tabletop incident response exercise, annual business continuity exercise, cyber penetration tests, and 23 NIST cyber hygiene controls. Similarly, our chief compliance officer provides quarterly reports to the Compliance and Quality of Care Committee on patient privacy compliance efforts and related matters. The Compliance and Quality of Care Committee and the full board review, and the committee approves, the annual cybersecurity plan that sets out the primary initiatives and internal audits of the IT security function for the upcoming year. Historically, one or more board members have observed and participated in our annual tabletop incident response exercise.
Effects of Cybersecurity Risks on the Company
To date, we are not aware of having experienced a material compromise of our systems or networks from a cybersecurity incident. However, we routinely identify attempts to gain unauthorized access to our systems. Additionally, some of our vendors and business partners have experienced compromises of their information systems, including systems that we use. On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group that acts as an intermediary for processing of our payment claims for all payors, notified us of a cybersecurity incident affecting some of its systems. In response to the incident, both we and Change Healthcare severed those business service connections between our systems and Change Healthcare’s. We promptly conducted forensics on our systems based on the shared information regarding this Change Healthcare incident. As of February 28, 2024, we have not identified any compromise or unauthorized access of our systems or networks. The Change Healthcare incident has not affected our operations, except the submission of payment claims. At this time, we have not determined that this disruption to our submission of claims is likely to materially affect our business strategy, results of operation or financial condition.
Given the increasing cybersecurity threats in the healthcare industry, there can be no assurance we will not experience business interruptions; data loss, ransom, misappropriation or corruption, theft, or misuse of proprietary data, patient or other personally identifiable information; or litigation, investigation, or regulatory action related to any of those, any of which could have a material adverse effect on our patient care, ability to admit patients and to bill and collect for services provided on a timely basis, financial position, and results of operations and could harm our business reputation.
We expend significant capital to protect against cybersecurity threats, including denial of service attacks, email phishing schemes, hacking, advanced persistent threats, malware, and ransomware. Substantial additional expenditures may be required to respond to and remediate any problems caused by cybersecurity incidents, including the unauthorized access to or theft of patient data and protected health information stored in our information systems, the inoperability of our electronic clinical and business systems, and the infiltration or disruption of the information systems of our business partners. In the case of a material cybersecurity incident, the associated expenses and losses and lost revenue may exceed our current insurance coverage for such events. Some adverse consequences may not be insurable, such as reputational harm and third-party business interruption. For further discussion of the risks associated with cyber threats, see Item 1A, Risk Factors, “Other Operational Risks.”