AMEDISYS INC - (AMED)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Amedisys recognizes the importance of assessing, identifying and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption, intellectual property theft, fraud, extortion, harm to employees or patients, violation of privacy or security laws and other litigation and legal risk. Amedisys has implemented various cybersecurity processes, technologies and controls to enhance our efforts to assess, identify and manage such material risks.
Amedisys deploys a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments and penetration testing, to inform our leadership team of cybersecurity-based risks. In addition, we schedule tabletop exercises with management and other employees to test our cyber incident response plans. Amedisys has also received HITRUST certification for our internally developed applications which allows us to baseline our program to industry standards and best practices.
Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K) and to provide for the availability of critical data and systems to maintain regulatory compliance. These controls include the following activities:
• Closely monitoring emerging data protection laws and implementing needed changes to our processes in order to comply.
• Conducting annual cybersecurity management and incident training for all employees of the organization.
• Requiring employees and third parties who provide services on our behalf to treat customer information and data with care.
• Leveraging the HITRUST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident.
• Carrying information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Additionally, Amedisys performs periodic internal and third-party assessments to test our cybersecurity controls and regularly evaluates our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity threats or personal data breaches.
Amedisys has established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our Enterprise Risk Management Committee (“ERMC”) on a quarterly basis. In addition, our incident response plan includes processes to triage, assess severity, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. These processes are assessed annually during our penetration testing.
Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or those who have access to our customer and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. Amedisys performs diligence on third parties that have access to our systems, data or facilities that house such systems or data and monitors cybersecurity threat risks identified through such diligence.
We face a number of cybersecurity risks in connection with our business (see Part I, Item 1A. “Risk Factors – Risks Related to our Operations – Our business depends on our information systems. A cyber-attack, security breach or our inability to effectively integrate, manage and keep our information systems secure and operational could disrupt our operations.”). Although such risks have not materially impacted our business strategy, results of operations or financial condition to date, we have experienced threats to and breaches of our data and systems, including malware and computer virus attacks.
The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. On an annual basis, management provides the Audit Committee with an overview of our cybersecurity threat risk management and strategy covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk mitigation related goals, our incident response plan and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The Audit Committee also receives materials, including a cybersecurity briefing, indicating current and emerging cybersecurity threat risks and describing the Company’s ability to mitigate those risks.
The members of management who are responsible for assessing and managing cyber risk are the Chief Information Security Officer and the Chief Information Officer of the Company who, combined, have over 30 years of experience in managing cybersecurity. The ERMC has ultimate responsibility for the risk management of cyber risk and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents in addition to the cyber incident response and reporting processes.