ENSIGN GROUP, INC - (ENSG)
10-K Filing Date: February 01, 2024
Item 1C. CYBERSECURITY
We utilize information technology that enables our operational leaders to access and share with their peers both clinical and financial performance data in real time. Armed with relevant and current information, our operational leaders and their management teams can share best practices and the latest information, adjust to challenges and opportunities on a timely basis, improve quality of care, mitigate risk and improve both clinical outcomes and financial performance. We have also invested in specialized healthcare technology systems to assist our nursing and support staff. We have installed software and touch-screen interface systems in each operation to enable our clinical staff to monitor and deliver patient care and record patient information more efficiently. We believe these systems have improved the quality of our medical and billing records, while improving the productivity of our staff. Such uses of information systems give rise to cybersecurity risks, including system disruption, security breach, ransomware, theft, espionage and inadvertent release of information.
RISK MANAGEMENT AND STRATEGY
Risk Management
We assess and identify security risk to the organization by:
•conducting assessments of risk, including the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of information systems and the information they process, store, or transmit;
•performing risk assessments and producing security assessment reports that document the results of the assessment for use and review by information technology (IT) senior leadership, including the Service Center's Chief Information Officer;
•ensuring security controls are assessed for effectiveness, are implemented correctly, are operating as intended and are producing the desired outcome; and
•continuously scanning for vulnerabilities and remedying all vulnerabilities in accordance with the associated risk.
Monitoring
We have established a continuous monitoring strategy and program, which includes:
•a set of defined security metrics to be monitored;
•performance of security control assessments on an ongoing basis;
•addressing results of analysis and reporting security status to the executive team;
•monitoring information systems to detect attacks and indicators of potential attacks;
•identification of unauthorized use of the information system resources; and
•deployment of monitoring devices strategically within the information system environment.
Data Protection
We have implemented an Information Security Management System (ISMS) Program to secure the sensitive data in our custody. This program includes:
•Establishing policies governing data security.
•Monitoring data access throughout the organization’s independent subsidiaries.
•Providing continuous security training and awareness.
•Establishing controls over devices on the network, which are actively tracked, monitored and evaluated for new, missing, or updated software needed to strengthen security on the device, patch known vulnerabilities, or stabilize software or operating system issues.
•Protecting sensitive data through encryption techniques.
•Designing and implementing systems to include backup and recoverability principles, such as periodic data backups and safeguards in the case of a disaster.
Incident Management Plan
Our cybersecurity incident management plan comprises the following six-step process:
•The Service Center's Chief Information Officer and Director of Information Security lead its Information Security Office (ISO) team in the development, documentation, review and testing of security procedures and incident management procedures. Beyond initial creation, procedures are continually re-assessed, updated and tested on an ongoing basis.
•The Service Center's Chief Information Officer and Director of Information Security work with the Executive Team on the identification, assessment, verification and classification of incidents to determine affected stakeholders and appropriate parties for contact.
•The Service Center's Chief Information Officer and Director of Information Security are responsible for launching the Incident Response Team (IRT) if necessary and for notification to the Executive Team, who in turn will contact the Board of Directors and the Audit Committee to validate that the response is being addressed appropriately.
•The IRT, in consultation with outside experts if needed, is responsible for the following six steps:
    •Initial containment by making tactical changes to the computing environment to mitigate active threats based on currently known information.
    •Analysis to establish the root cause of incidents, including identification and evidence collection from all affected machines and log sources, threat intelligence and other information sources. Once all appropriate information has been collected, we perform a careful analysis using forensically sound tools and methods to prevent any contamination of evidence.
    •Incident containment by further analyzing additional information and identifying any additional compromised machines or resources not previously identified.
    •Incident eradication by re-assessing the root cause of incidents, after which solutions are implemented to solve underlying problems and prevent recurrence.
    •Recovery and restoration of normal business functionality, which includes the reversal of any damage caused by the incident and responding as necessary.
    •Review after closure of each incident and a lessons-learned analysis to improve prevention and help make incident response processes more efficient and effective. The IRT also evaluates competency and any additional training requirements needed. A final incident report is then provided to key stakeholders and IRT members, which includes, but is not limited to, a summary of the incident and its impact, a timeline of events, a detailed description of the incident, an evaluation of the organizational response and an assessment of the damages.
We have not experienced a material cybersecurity breach in the past five years and, as a result, there have been no charges related to a breach in the past five years. Moreover, no risks from cybersecurity threats have materially affected our business strategy, results of operations, or financial condition. While we have implemented processes and procedures that we believe are tailored to address and mitigate the cybersecurity threats that our Company faces, there can be no assurances that such an incident will not occur despite our efforts, as more fully described in Item 1A. Risk Factors.
GOVERNANCE
Our Audit Committee receives quarterly reports on our information security and cyber fraud prevention programs from the Service Center's Chief Information Officer and Director of Information Security, who each have over 24 years of experience in IT, including various leadership roles at other large corporations. One of the three members of our Audit Committee is a cybersecurity expert.
The ISO has been established by the Service Center's Chief Information Officer, with dedicated cybersecurity staff focusing on security monitoring, vulnerability management, incident response, risk assessments, employee training, security engineering and management of cybersecurity policies, standards and regulatory compliance. Like many organizations, we align to a cybersecurity framework and take a risk-based approach during control assessment and implementation. We align to the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4, a globally recognized cybersecurity framework of policies, standards and controls that comprises five categories of defense – Identify, Protect, Detect, Respond and Recover. We are committed to the protection of our data, systems and network, and we continually invest in enhancements to mitigate or reduce the impact of a cybersecurity threat. We conduct periodic tests to maintain readiness and resiliency while regularly reviewing policies in the interest of protecting data security. External companies or agencies may be called upon to provide consulting, guidance, assistance, or some other form of support in response to a cybersecurity incident. The regular training of employees, at least annually, on the ever-present threat of cybersecurity helps maintain data security.