COMMUNITY HEALTH SYSTEMS INC - (CYH)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

Risk Management

We place the utmost importance on information security and privacy, including protecting the personal medical, financial and insurance information of our patients and employees, and have a cybersecurity risk management program designed to assess, identify and manage material risks from cybersecurity threats. Our cybersecurity risk management program is designed to employ industry best practices across our operations and business functions, including through monitoring and assessing our threat environment; vulnerability assessments; detecting and responding to cyber attacks, cybersecurity incidents, and data breaches; cybersecurity crisis preparedness and incident response plans; and investments in cybersecurity infrastructure and technology intended to reduce cybersecurity risk. Key aspects of our cybersecurity risk management program include the following:

• adoption of the National Institute of Standards and Technology, or NIST, Cybersecurity Framework to assess the maturity of our cybersecurity programs;
• periodic comprehensive Cybersecurity Program Assessments conducted by an external cybersecurity consultant;
• enterprise-wide security and privacy policies that are reviewed and updated annually;
• information security and privacy trainings included in mandatory onboarding and annual compliance training for all personnel;
• regular testing, both by internal and external resources, of information security defenses;
• incident response procedures;
• a Third Party Cyber Risk Program to assess cybersecurity and information security risk associated with third parties that perform contracted services using information on our network; and
• a Security Operations Center that is designed to continuously monitor information on our network, investigate potential cyber threats and report on information security incidents.

We engage consulting firms and other third parties in connection with our cybersecurity risk management processes. For example, third parties are engaged from time to time to conduct evaluations of our security controls, including penetration testing and independent audits, and to advise the Board of Directors, the Audit and Compliance Committee of the Board of Directors and/or our management team regarding cybersecurity matters.

We have processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers. As part of these processes, we conduct cybersecurity due diligence where deemed advisable with respect to third-party service providers that will be accessing our information technology systems, including access to view or store sensitive data, prior to their engagement. Moreover, we have processes designed to oversee and identify material cybersecurity risks associated with the information systems of third-party service providers. In addition, third-party service providers that have access to our information technology systems, including access to view or store sensitive data, are contractually obligated to report cybersecurity incidents to us so that we can assess the impact of any such incident on our business.

The current cyber threat environment presents increased risk for all companies, particularly companies in our industry, as the volume and intensity of cybersecurity attacks on hospitals and health systems have continued to increase. We are regularly the target of cybersecurity attacks and other threats that could have a security impact, and we have experienced security incidents from time to time. In particular, on February 13, 2023, we disclosed a security breach at a third-party vendor that provides a secure file transfer software platform used by our subsidiaries, in which personal information of certain patients of our healthcare facilities was exposed to the attacker.

We do not believe that risks we have identified to date from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that materially affects us. For additional information regarding the risks to us associated with cybersecurity incidents, see “A cyber-attack or security breach could result in the compromise of our facilities, confidential data or critical data systems and give rise to potential harm to patients, remediation and other expenses, expose us to liability under HIPAA, privacy and data protection laws and regulations, consumer protection laws, common law or other theories, subject us to litigation and federal and state governmental inquiries and actions, damage our reputation, adversely impact our financial results and otherwise be disruptive to our business.” included in Part I, Item 1A of this Form 10-K.

We maintain a cybersecurity insurance policy that provides coverage in connection with cybersecurity incidents. However, costs and damages associated with cybersecurity incidents may not be fully insured under our insurance policy, and (to the extent otherwise covered) are subject to applicable deductibles.

Governance

Our cybersecurity risk management processes are integrated into our overall risk management system. Our Board of Directors is responsible for the overall supervision of our risk management activities. The Board's oversight of the material risks faced by us occurs at both the full Board level and the committee level. In addition, the Audit and Compliance Committee has primary oversight responsibility regarding our information security, data security, data privacy, and other cybersecurity programs, procedures and risks. Further, the Audit and Compliance Committee and our Board of Directors receive updates at least quarterly from management, including our Chief Information Security Officer, or the CISO, covering our programs for managing cybersecurity risks, including data privacy and data protection risks. Additionally, the Audit and Compliance Committee and the Board of Directors actively participate in discussions with management and among themselves regarding cybersecurity risks.

Risk management is administered at a management level through a multi-disciplinary Enterprise Risk Committee comprised of members of management, including our CISO. The Enterprise Risk Committee identifies and monitors what we believe to be the key risks currently facing the organization, including cybersecurity risks. A comprehensive presentation regarding our enterprise risk management process and our key risks is presented to the full Board of Directors on an annual basis.

In addition, we have established a Cyber Risk Executive Steering Committee, a multi-disciplinary management-level team chaired by our CISO, which is responsible for assessing and overseeing our information security and cybersecurity risk management policies, practices and priorities, and for assessing and monitoring key cybersecurity risks and the reporting of such risks within the organization.

At a management level, our cybersecurity risk management efforts are led by our CISO. Our current CISO was appointed as our Vice President and Chief Information Security Officer in 2021. Our current CISO has expertise in cybersecurity risk management through his more than 25 years of experience in cybersecurity, technology and data privacy roles, including his service with the Company since 2021 and his service as chief information security officer at another large organization prior to being employed by us. In addition, other individuals on our IT security team have cybersecurity experience or certifications relevant to their respective role.

A key component of our enterprise risk management program is our incident response plan, which provides for controls and procedures in connection with cybersecurity incidents. Under this plan, we have established a cybersecurity incident command, a multi-disciplinary management-level team led by the CISO. The plan provides that a cybersecurity incident meeting certain criteria is elevated for the review of senior members of the IT security team, and that the incident response team will conduct an initial assessment of it. In such event, the plan provides that the incident response team will assess whether the cybersecurity incident has the potential to materially impact the organization and whether public disclosure is required or advisable in connection therewith, and further provides that, if appropriate, any such cybersecurity incident may be further elevated for the review of senior management, the Audit and Compliance Committee and/or the Board of Directors.