DAVITA INC. - (DVA)
10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Information security risks have significantly increased in recent years in part because of the proliferation of new technologies, the increasing use of the Internet and telecommunications technologies to conduct our operations, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties, including, among others, foreign state agents. Our business and operations rely on the secure and continuous processing, transmission and storage of confidential, proprietary and other information in our computer systems and networks, including sensitive personal information, such as PHI, social security numbers, and/or credit card information of our patients, teammates, physicians, business partners and others. Our business and operations also rely on certain critical IT vendors that support such processing, transmission and storage (which have become more relevant and important given the information security issues and risks that are intensified through our increased use of remote work arrangements).
To manage risks to our Company, including information and security risks, our Board oversees our enterprise-wide approach to risk management with a fundamental belief that the key components of risk management are:
• Identifying potential risks that we face;
• Assessing the likelihood and potential impact of the risks;
• Adopting strategies and controls designed to manage the risks;
• Reporting on a regular basis regarding the assessment and management of the risks; and
• Monitoring these potential risks on a regular basis.
Our Enterprise Risk Management (ERM) team leads this risk management process, and evaluates risks to the enterprise on short, intermediate and long-term bases. Our ERM team reports to our ERM Committee, a group comprised of members of senior management who meet on a regular basis to oversee the performance of these risk management functions. We assess risks using a probability-magnitude lens, with shorter and intermediate term risks generally given greater weight. We prioritize mitigating activities on shorter and intermediate term risks, but also use risk analyses and oversight to proactively incorporate mitigating activities into our long-term strategy. The ERM process reflects a Company-wide effort designed to identify, assess, manage, report and monitor enterprise risks and risk areas. This effort includes the Company's Enterprise Risk Services (Internal Audit), Sarbanes-Oxley (SOX), Compliance Audit, legal and IT Security teams, among others. The identification and evaluation of cybersecurity threats and risks is integrated into this ERM process.
The ERM process is incorporated into our disclosure controls and procedures. Representatives of each of our ERM, Legal, Internal Audit and Compliance Audit teams sit on the Company’s management Disclosure Committee, which is responsible for, among other things, the design and establishment of disclosure controls and procedures to help ensure the timeliness, accuracy and completeness of corporate disclosure. Our IT Security and Privacy teams, who are responsible for assessing cybersecurity threats and risks, in turn maintain policies and procedures designed to ensure appropriate escalation of cybersecurity incidents to meet external disclosure requirements. Our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) regularly meet and coordinate with our Chief Privacy Officer (CPO). Each of the CIO, CISO and CPO also advise members of the Disclosure Committee, including our Chief Legal and Public Affairs Officer (CLO), on disclosure matters on an as-needed basis.
With respect to assessing privacy, data and cybersecurity risks, the Company adopts a hybrid approach that primarily aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, including the guidance set forth in the NIST HIPAA Security Rule Cybersecurity Guide, while also evaluating against certain elements of the ISO 27001 and 27005 standards that management believes provide additional levels of guidance or structure. We regularly evaluate the Company’s cybersecurity and privacy processes and procedures, both through regular audits by our Internal Audit and IT security teams, as well as regular retention of outside advisors under direction of our IT security team. Among other things, the IT security team oversees an external third party review at least every two years that evaluates the readiness of the entire Company against the NIST Cybersecurity Framework and provides an assessment that measures Capability Maturity Model Integration levels. Additionally, our CISO engages in regular consultations, typically monthly, with third-party cybersecurity advisors. Among other things, these sessions provide the Company with a broader review of the external cybersecurity environment, helping us to stay current on emerging or developing security approaches and risks. Among other initiatives, our CISO and the Company’s IT security team have actively participated in industry conferences and maintain memberships to resources such as the Health Information Sharing and Analysis Center (Health-ISAC), a trusted community of critical infrastructure owners and operators within the Health Care and Public Health sector which, among other things, allows the Company to monitor email updates and alerts coordinated with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. 
In order to maintain awareness of privacy, data and cybersecurity risks, the Company incorporates these topics into its annual compliance training materials that are mandatory for all teammates and new hires, and among other things cover HIPAA privacy and security requirements.
We maintain policies and have established processes involving our cybersecurity, privacy and legal teams that assess potential cybersecurity risks associated with our retention and use of third-party service providers. These policies and procedures are generally aligned with the NIST Cybersecurity Framework. Prior to retaining or renewing a third-party vendor, the Company policy requires a risk assessment of such potential new vendor or new engagement through a collaborative process among the Company’s IT security, privacy, insurance and legal teams, among others. Potential vendor engagements also are reviewed to assess a range of other considerations and contractual terms and conditions, including, among other things, a potential vendor’s liability insurance limits, scope and coverage of cyber insurance and privacy data protections. Our IT SOX team also conducts annual SOX reviews for those vendors that are considered in scope for SOX controls. All finalized vendor engagements are considered by Internal Audit as part of our ordinary course risk assessment and audit planning.
Cybersecurity Risks and the Impact on our Company
Due to the continuously evolving series of laws and regulations related to cybersecurity, data protection and privacy that are applicable to our business, as well as the associated risks from cybersecurity threats, we have expended significant resources in order to protect our information systems and data. We regularly review, monitor and implement multiple layers of security measures through technology, processes and our people. We utilize security technologies designed to protect and maintain the integrity of our information systems and data, and our defenses are monitored and routinely tested internally and by external parties. Despite these efforts, our facilities and systems and those of our third-party service providers may be vulnerable to privacy and security incidents; security attacks and breaches; acts of vandalism or theft; computer viruses and other malicious code; coordinated attacks by a variety of actors, including, among others, activist entities or state sponsored cyberattacks; emerging cybersecurity risks; cyber risk related to connected devices; misplaced or lost data; programming and/or human errors; or other similar events that could impact the security, reliability and availability of our systems. Internal or external parties have attempted to, and will continue to attempt to, circumvent our security systems, and we have in the past, and expect that we will in the future, defend against, experience, and respond to attacks on our network including, without limitation, reconnaissance probes, denial of service attempts, malicious software attacks including ransomware or other attacks intended to render our internal operating systems or data unavailable, and phishing attacks or business email compromise. While we have experienced cybersecurity incidents in the past, to date none have had a material impact on our business, results of operations, financial condition and cash flows.
Cybersecurity requires ongoing investment and diligence against evolving threats and in the context of new or developing technologies. For further information regarding the risks we face from cybersecurity threats and how our business strategy, results of operations, and financial condition could be materially affected by such risks, see Item I.A. Risk Factors under the heading, “Privacy and information security laws are complex…”.
Governance
Board Oversight
As part of their oversight responsibilities, the Audit Committee and the Compliance and Quality Committee monitor privacy, data and cybersecurity as specific risk areas. Both Mr. Schechter, a member of the Audit Committee and the Compliance and Quality Committee, and Ms. Schoppert, a member of the Audit Committee and the Compliance and Quality Committee, hold a CERT Certificate in Cybersecurity Oversight. The Audit Committee engages in regular discussions with management on privacy, data, and cybersecurity risk exposures, receiving quarterly reports from the ERM team and the CIO. The CPO and/or CLO periodically reports to the Audit Committee about the Company’s privacy program, and Internal Audit reports to the Audit Committee quarterly, providing the Audit Committee with results from any privacy, data, or cybersecurity audits.
Among other things, the Company’s privacy team actively develops and implements policies designed to comply with the requirements of privacy laws in the countries where the Company operates. Working with Internal Audit and the CIO, the privacy team assesses the nature and potential severity of privacy risks within DaVita and guides the organization in taking steps to help mitigate such risks. The CPO or CLO provides periodic updates to the Audit Committee on the status of the privacy program. The Audit Committee also oversees the Company's negotiation of any cybersecurity insurance. Currently, the Company maintains a cybersecurity risk insurance policy providing coverage for certain cybersecurity breaches among other specified risks.
Management
As referenced above, our IT Security team, in consultation with our Privacy Office, is primarily responsible for frontline assessments and management of day-to-day risks from cybersecurity threats, including the monitoring and detection of cybersecurity incidents and the execution of DaVita’s cybersecurity and privacy incident response plans, as needed. Pursuant to the plan, the teams are responsible for assessing and classifying cybersecurity incidents and coordinating the response to such incidents, including managing both internal and external reporting obligations and remediation efforts. Our key personnel responsible for privacy and cybersecurity expertise include our CIO, CISO and CPO. Their qualifications include expertise in international privacy laws, compliance, global IT strategy, and security responsibilities, helping to ensure a comprehensive approach to risk management. Our CISO holds a Certified Chief Information Security Officer certification from EC-Council and a Certified Information Security Manager certification from ISACA. Our CPO is a Certified Information Privacy Professional and a Certified Compliance and Ethics Professional, and has more than two decades of experience in creating and implementing privacy and data protection programs that enable multinational organizations to respect and protect personal data and execute mission critical business strategies.
Our IT Security team also operates a 24x7 security operations center through a managed service provider. This dedicated center, alongside active monitoring of the dark web for DaVita-related data, and our use of both internal and external tools, is designed to ensure proactive detection, prevention and remediation of cybersecurity incidents. We inform and develop this integrated approach through our ongoing internal and external evaluations and risk assessments of our IT security program as described above.