Health Catalyst, Inc. - (HCAT)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We believe cybersecurity is critical to advancing our company's mission to be the catalyst for massive, measurable, data-informed healthcare improvement. We face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized groups and challenges specific to the healthcare industry. Our clients and suppliers face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance, and results of operations.
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas (e.g., legal and compliance), as well as senior leadership and the board of directors, as appropriate.
Our cybersecurity program incorporates industry-standard frameworks (including third-party certification), policies, and practices designed to protect the privacy and security of our sensitive information. Our third-party certifications for certain Solutions include a HITRUST Common Security Framework certification (which includes standards from frameworks such as HIPAA, ISO, EU, GDPR, NIST, and PCI to provide risk-based certification for companies in the healthcare supply chain) and a Statement on Standards for Attestation Engagements 18 (SSAE 18) System and Organization Control (SOC) 2 report that evaluates our security program.
Assessing, identifying, and managing cybersecurity-related risks are integrated into our overall enterprise risk management process. Cybersecurity-related risks are included in the risk universe that the enterprise risk management function evaluates to assess top risks to the enterprise on an annual basis. To the extent the enterprise risk management process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The enterprise risk management function’s annual risk assessment is presented to the board of directors.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes:
• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
• an information security team principally responsible for managing (i) our cybersecurity risk assessment processes, (ii) our security controls, and (iii) our response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls;
• cybersecurity awareness training of our employees, incident response personnel, and senior management;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
• a third-party risk management process for service providers, suppliers, and vendors that have access to our critical systems and information.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Despite the implementation of our cybersecurity program, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See “Risk Factors—Risks Related to Data and Intellectual Property” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.
Cybersecurity Governance
Our board of directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our cybersecurity program is led by our Chief Information Security Officer and includes a team of cybersecurity and security compliance professionals. The cybersecurity program is further strengthened through support of our General Counsel and Chief Compliance and Data Privacy Officer. Our legal and cybersecurity teams work closely together to support and bolster our cybersecurity program. Our cybersecurity team reports to our Audit Committee quarterly on information security and cybersecurity matters, or as needed. Our Audit Committee has oversight responsibility for our data security practices and we believe the committee has the requisite skills and visibility into the design and operation of our data security practices to fulfill this responsibility effectively. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity, as appropriate. The full Board also receives briefings from management on our cyber risk management program. From time to time, Board members receive presentations on cybersecurity topics from our Chief Information Security Officer (CISO), internal cybersecurity team or external experts as part of the Board’s continuing education on topics that impact public companies.
Our management team, including our Chief Information Security Officer and Chief Compliance and Data Privacy Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team’s experience includes more than 75 years of combined IT experience, 35 of which are focused specifically on information security. The broader information security team’s accredited industry certifications include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certificate of Cloud Security Knowledge (CCSK), Certified Cloud Security Professional (CCSP), and Blue Team Level II. The company’s current CISO has more than two decades of IT leadership experience, holds several relevant IT and healthcare-specific certifications including CISSP, CISM, CCSK, and CCSP, and has a Bachelor of Science in Computer Information Systems and a Master of Science in Medical Informatics.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.