TENET HEALTHCARE CORP - (THC)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT AND STRATEGY
We identify and assess areas of risk for our company on an ongoing basis, and we have developed, and regularly refine, comprehensive practices to manage and mitigate existing and potential risks to our business. Our board of directors oversees enterprise risk management as an integral and continuous part of its oversight role. Integrated into our overall enterprise risk management framework are processes dedicated to the identification, assessment and management of material risks from cybersecurity threats. Our approach to cybersecurity risk management is both proactive and defensive, and includes the following elements:
a team dedicated solely to cybersecurity and managed by our chief information security officer (“CISO”), who reports directly to our chief information officer (“CIO”);
an information technology request review process that includes cybersecurity assessments of third-party products and systems proposed to connect to our information systems environment or access our data; and
a cybersecurity incident response plan.
Cybersecurity Team and Strategy—Our cybersecurity team, which includes both our employees and those of our managed services provider, comprises subgroups focused on distinct functional areas of responsibility. The team maintains a Security Operations Center, staffed 24 hours a day, that delivers day-to-day execution support for our cybersecurity risk management program.
We leverage a multi-layered strategy that is designed to assess, identify, manage and mitigate risks to our systems and data from cybersecurity threats. Proactively, we have implemented numerous threat‑management tools and processes. In addition, we have disaster recovery and business continuity plans that are tested and updated periodically. We strive to stay abreast of cybersecurity threats through integrated threat intelligence feeds, industry and federal threat notices, and participation in healthcare industry intelligence sharing. We also conduct table-top exercises, which serve to simulate cybersecurity incidents to practice response and identify gaps, on a regular basis. Our internal audit team performs random sampling audits of security practices at our facilities, and we routinely perform security risk assessments.
We also require all employees to participate in cybersecurity awareness training annually, and we circulate cybersecurity awareness alerts, safety tips and newsletters to employees across the enterprise regularly. In addition, we routinely run phishing campaigns and perform other tests to increase awareness of cybersecurity threats.
Third-Party Review Processes—Our business requires interaction of our systems and the sharing of data with third parties, including our service providers and vendors, as well as other healthcare providers and their vendors, that present risks to our systems and data from third-party systems and practices. Incidents and cybersecurity attacks at third parties can impact our operations and our obligations to patients, payers and others. We manage this risk through an information technology review and approval process that considers the anticipated use and implementation of proposed technologies, and includes cybersecurity team assessments of third-party products and systems proposed to connect to our information systems environment or access our data. A subgroup of our cybersecurity team is dedicated to risk-assessment analyses of vendor security practices and protections. In certain circumstances, we enter into information security agreements with service providers to secure their commitment to maintain certain security protections.
Cybersecurity Incident Response Plan—In addition to protecting our assets proactively, our cybersecurity team is tasked with detecting and defending against cybersecurity threats to our systems and data. We maintain a response plan that outlines actions to be taken with respect to cyber incidents and includes procedures, notification processes, and protocols for escalation to senior management and our board of directors. The cybersecurity incident response team is composed of a smaller, core group of our cybersecurity team, as well as a larger, extended group that includes personnel from our operations, legal, compliance, privacy, risk management, communications, incident command center, security, human resources, finance, audit and government relations teams. We also engage third parties, such as forensics consultants, external legal counsel and law enforcement, as needed and as appropriate based on the circumstances. Incidents are escalated to senior management as appropriate based on the nature of the incident.
EXISTING AND POTENTIAL RISKS
As discussed in the Risk Factors section above, our operations could be significantly and negatively impacted by cybersecurity threats and other disruptions affecting our information technology, related information systems and sensitive information. We rely on our information technology to process, transmit and store clinical, financial and operational data that includes PHI, PII and proprietary and confidential business data. We utilize EHRs and other information technology in connection with all of our operations, including our billing and other financial systems, supply chain and labor management tools. As described above, our information systems, in turn, interface with and rely on third‑party systems that we do not control, including medical devices and other processes supporting the interoperability of healthcare infrastructures.
In April 2022, we experienced a cybersecurity incident that temporarily disrupted a subset of our hospital operations and involved the exfiltration of certain confidential company and patient information. We incurred significant costs to remediate the issues, sustained lost revenues from the associated business interruption and incurred other related expenses. Following this incident, we implemented certain changes to our information systems and processes meant to provide additional protections to our environment, including enhancements to our Security Operations Center, system backups, training practices, detection tools and capabilities, and implementation of new tools and processes, among others. However, we continue to face a heightened risk of cybersecurity threats targeting healthcare providers, including ransomware attacks, which may materially impact our operations. Threat actors continue to proliferate, adapt and devote significant effort to attacking the information systems and electronically transmitted and stored data of healthcare providers and related entities.
GOVERNANCE
Board Oversight—Our board of directors has identified the oversight of cybersecurity risks to be one of its priorities, and it receives regular reports from management, including the CIO and the CISO, on various cybersecurity matters, including the security of the company’s information systems, anticipated sources of future material cyber risks and how management is addressing any significant potential vulnerability. The board’s audit committee reviews the company’s cybersecurity program at least annually and receives regular updates on cybersecurity threats and other matters. Cecil D. Haney, a member of the audit committee, brings to the board valuable insights into cybersecurity, systems planning, and crisis and risk management.
In addition to regular updates to the audit committee, we have protocols by which certain cybersecurity incidents are escalated within the company and, where appropriate, reported in a timely manner to the board and the audit committee.
Management Oversight—Our CISO, who reports directly to our CIO, oversees and manages our cybersecurity strategy and related programs. As the head of our cybersecurity team, both internal and outsourced, our CISO is primarily responsible for assessing and managing risks from cybersecurity threats. The processes by which he is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents are described above. He reports information about such risks to the CIO and other members of senior management, who, in turn, report them to our board and audit committee, as appropriate. Our CISO joined the company in August 2022 with over 20 years of risk management, national security and cybersecurity experience garnered at both public and private companies, as well as governmental agencies.