Outset Medical, Inc. - (OM)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

At Outset, we strive to protect the confidentiality, integrity and availability of the personal data entrusted to us. We continue to invest in our cybersecurity program in an effort to enhance our ability to prevent, detect, contain, and mitigate cybersecurity threats.

Risk Oversight

Oversight of our information security program, including oversight of risks related to cybersecurity threats and the assessment and management of such risks, is accomplished through a governance structure which includes our Board, Audit Committee, and executive management.

BOARD AND COMMITTEE OVERSIGHT

BOARD: One of the key functions of our Board is informed oversight of our risk management process. Our Board focuses on the overall risks affecting us and delegates responsibility for oversight of certain specific risks to its standing committees. For significant risks related to cybersecurity, the Board has delegated oversight responsibility to the Audit Committee.

Our full Board and Audit Committee are kept informed about significant risks related to cybersecurity, including enterprise-level risks from cybersecurity threats. The Board receives written updates, generally on a quarterly basis, regarding the status of our information security program. In addition, the Audit Committee receives in-person updates on our information security programs on at least an annual basis. These updates generally cover topics such as our cybersecurity strategy, the threat landscape, key cybersecurity risk areas facing the organization, any key findings of audits and testing, the status of key initiatives, as well as a review of any major incidents.

AUDIT COMMITTEE: Our Audit Committee is responsible for overseeing our major financial, legal, and regulatory risk exposures, which span a variety of areas, including cybersecurity.

MANAGEMENT

Executive management plays a significant role in assessing and managing material risks from cybersecurity threats. Our Chief Technology Officer manages our information security program.

Executive leadership

Our Chief Technology Officer and the information security team periodically present information about the Company’s information security program, including program goals and actions, progress against key initiatives and key risks, to our executive leadership team. As described above, significant risks related to cybersecurity are escalated to the Audit Committee and/or the full Board as appropriate.

Cross-functional management engagement

We have established a committee comprised of leaders from key functions across the Company including, but not limited to, information security, IT, engineering, legal, regulatory, medical affairs, finance, research and development, operations, supply chain, marketing and people operations. This committee generally meets quarterly and is responsible for promoting a culture of awareness and accountability related to, among other things, information security. The committee also provides cross-functional input to facilitate the development, articulation, implementation and operation of information security risk management programs.

Governance of information security risks

We have also established a risk governance committee, which generally meets on a monthly basis. This committee, sponsored by the Chief Technology Officer, is comprised of Company associates from information security, information technology (IT), engineering, and other functions who have experience in managing cybersecurity risks; its members review the cybersecurity threat landscape and evaluate key emerging data security risks. The committee reviews certain cybersecurity-related risks facing the Company; discusses open policy exceptions and key risk indicators; and manages cybersecurity risks presented by the information security team, together with the proposed mitigation actions. Members of this committee review the key risks identified as an outcome of our cybersecurity risk management strategy described below.

Risk Management and Strategy

Our cybersecurity risk management program is designed to identify, assess, and manage reasonably foreseeable material risks facing Outset from cybersecurity threats. We identify cybersecurity risks in various ways, including but not limited to the ongoing monitoring of our systems using various technologies and processes, monitoring of emerging threats, third-party penetration testing of our device and systems, vulnerability scanning and assessments, and cross-functional risk discussions. We have also received System and Organization Controls 2 (SOC 2) certification for Tablo cloud. We have developed processes to help us track, prioritize, and manage identified cybersecurity risks. For example, risks are defined, categorized, and assigned a risk rating based on potential impact and likelihood; that rating informs whether a risk should be accepted, mitigated or remediated. The Risk Governance Committee reviews key identified risks and discusses related mitigation actions in response to such risks.

We have operationalized key processes to help us identify, assess, manage, and mitigate reasonably foreseeable risks from potential cybersecurity threats. For example:

USE OF THIRD PARTIES: We engage third-party cybersecurity consulting firms to assist us with various aspects of our cybersecurity risk management program. For example, we currently consult with third-party firms to assist with our annual penetration testing for the Tablo device, Tablo cloud and IT infrastructure. In addition, we used a third-party audit firm accredited by the American Institute of Certified Public Accountants (AICPA) to support us in the SOC 2 certification process for Tablo cloud. We also used a third-party firm to assist us with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-3 certification we are pursuing.
VENDOR ASSESSMENT: We leverage a third-party risk assessment tool to help us identify cybersecurity related risks associated with our use of certain third-party service providers.
INCIDENT PREPAREDNESS AND RESPONSE: We maintain a Cybersecurity Incident Response Plan (IRP) which establishes a framework designed to enable us to respond to cybersecurity incidents in a consistent, timely and effective manner. Our IRP outlines procedures for identifying, reporting, investigating, assessing, and responding to cybersecurity incidents, including incident response team formation, roles and responsibilities by department, and communication and escalation protocols. Depending on the severity of the cybersecurity incident, our IRP contemplates escalation to our executive leadership team and the Audit Committee and/or the full Board, as well as periodic briefings on developments related to the incident response. We periodically review and update our IRP and have conducted training of key team members regarding the IRP. In addition, we recently conducted a tabletop exercise to simulate a response to a cybersecurity incident.
SECURITY STANDARDS: Our IT and Tablo cloud security architectures are designed to comply with the HIPAA Security Rule. In addition, our Tablo cloud security architecture leverages recognized frameworks designed to protect customer data. For example, we have received SOC 2 certification for Tablo cloud, we are in the process of pursuing NIST FIPS 140-3 certification, and we are working to align our processes, protocols and software with the FDA’s recent cybersecurity guidance finalized in September 2023. We periodically examine our security controls and take steps to review, prioritize and address key compliance gaps where identified, using a risk-based approach.
TECHNICAL SAFEGUARDS: We perform information security maturity assessments and penetration testing for the Tablo device and Tablo cloud (including in connection with new product features and services), as well as for our IT infrastructure. We conduct vulnerability scans across key assets, core infrastructure, and endpoints to identify potential vulnerabilities and potential cybersecurity events. We assess and prioritize the remediation of vulnerabilities and other cybersecurity risks identified through these activities, using a risk-based approach.
INSURANCE: We maintain information security risk insurance coverage to mitigate potential losses in the event of a business disruption.
TRAINING: All Outset employees are assigned HIPAA and information security training as part of the new employee onboarding process, and refresher training is assigned annually. Our IT team also conducts continuous automated phishing campaigns, which can trigger additional training for employees on how to recognize social engineering attempts (e.g., phishing and smishing). We track employee performance on phishing exercises to help us monitor the awareness of our employees and inform future training priorities. For employees whose jobs require access to sensitive data, including PHI, additional security training may be required.

Risks from Cybersecurity Threats

Our business relies on secure and continuous processing of information and the availability of our IT networks and IT resources, as well as critical IT vendors that support our technology and data processing operations. Security breaches, computer malware and computer hacking attacks have become more prevalent across industries and may occur on our systems or those of our third-party service providers. Attacks upon IT systems are increasing in their frequency, levels of persistence, sophistication, and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. We may face increased risks from cybersecurity threats due to our reliance on internet technology and the increased frequency of employees working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities.

We regularly monitor, defend against, and respond to cyber and other security threats to our networks and other information security incidents. Despite our information security efforts, our facilities, systems, servers, platforms and data, as well as those of our third-party cloud and other service providers and Tablo’s two-way wireless communication system, may be vulnerable to privacy and information security incidents and may be breached due to the actions of outside parties, employee error or misconduct, malfeasance, or a combination of these and, as a result, an unauthorized party may obtain access to our data or the personal information maintained by us or on our behalf. Such incidents include data breaches, viruses or other malicious code, exploitation of known or unknown vulnerabilities, coordinated attacks, data loss, phishing attacks, ransomware, denial of service attacks, insider threats or other security or IT incidents caused by threat actors, technological vulnerabilities, or human error. Additionally, outside parties may attempt to fraudulently induce employees to disclose sensitive information to gain access to the data and personal information we maintain. As of the date of this Annual Report, we are not aware of any material adverse impact to our business or operations from cybersecurity threats or incidents. We do, however, recognize that the cybersecurity landscape evolves rapidly and that we are not immune to such incidents. If we, or any of our third-party service providers, fail to comply with laws requiring the protection of sensitive personal information, or fail to safeguard and defend personal information or other critical data assets or IT systems, or if our incident response, containment or mitigation measures are inadequate in the face of a particular data security incident, we may face significant business interruptions, incur reputational damage, and be subject to regulatory enforcement and fines as well as private civil actions. We may be required to expend significant resources in the response to, containment and mitigation of cybersecurity incidents, as well as in defense against claims that our information security was unreasonable or otherwise violated applicable laws or contractual obligations. In addition, to the extent that our cloud and other service providers experience security breaches that result in the unauthorized or improper use of confidential information, employee information or personal information, we may not be indemnified for any losses resulting from such breaches. If we are unable to prevent or mitigate the impact of such security breaches or other cyber events that impact our operations, our ability to attract and retain new customers, patients, and other partners could be harmed, as they may be reluctant to entrust us with their data, and we could be exposed to litigation and governmental investigations, which could lead to a potential disruption to our business or other adverse consequences.

In addition, manufacturing operations at our Mexico-based facility may also suffer disruptions from cybersecurity attacks, which could negatively impact our ability to produce Tablo consoles and cartridges, restrict or delay our ability to deliver products to our customers and meet our customers’ demand on a timely basis, and result in customer dissatisfaction, all of which would adversely impact our results of operations. Moreover, we use Amazon Web Services to support Tablo’s cloud connectivity and any disruption of service as a result of cybersecurity attacks could interrupt or delay our ability to receive and deliver certain treatment and reporting information from and to providers and patients. The continuing and uninterrupted performance of Tablo is critical to our success and any repeated or prolonged system failures may damage our reputation, reduce the attractiveness of Tablo to providers and patients, and result in decreased demand for Tablo, thereby adversely affecting our business, financial condition and results of operations.

For more information on the risks we face from cybersecurity threats and the potential impacts on our company, see the section above entitled “Risk Factors” under Part I, Item 1A, including the risk factor entitled “We may face additional costs, loss of revenue, significant liabilities, harm to our brand, decreased use of our platform and business disruption if there are any security or data privacy breaches or other unauthorized or improper access.”