Encompass Health Corp 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

Encompass Health Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:05:02 EST.

Filings

10-K filed on 2024-02-28

Encompass Health Corp filed a 10-K at 2024-02-28 17:05:02 EST
Accession Number: 0000785161-24-000009


Item 1C. Cybersecurity.

Item 1C, Cybersecurity. We expend significant capital to protect against the threat of security breaches, including cyber attacks, email phishing schemes, malware and ransomware. Substantial additional expenditures may be required to respond to and remediate any problems caused by breaches, including the unauthorized access to or theft of patient data and protected health information stored in our information systems and the introduction of computer malware or ransomware to our systems. We also provide our employees annual training and regular reminders on important measures they can take to prevent breaches and other cyber threats, including phishing schemes. We routinely identify attempts to gain unauthorized access to our systems. However, given the rapidly evolving nature and proliferation of cyber threats, there can be no assurance our training and network security measures or other controls will detect, prevent or remediate security or data breaches in a timely manner or otherwise prevent unauthorized access to, damage to, or interruption of our systems and operations. For example, it has been widely reported that many well-organized international interests, in certain cases with the backing of sovereign governments, are targeting the theft of patient information and the disruption of healthcare services through the use of advanced persistent threats and ransomware attacks. In recent years, a number of hospitals and hospital systems have reported being victims of ransomware attacks in which they lost access to their systems, including clinical systems, during the course of the attacks. Large, national healthcare systems have reported ransomware attacks that forced their facilities to operate without access to information systems for some time and, to some extent, inhibited their ability to admit patients. We are likely to face attempted attacks in the future.
Accordingly, we may be vulnerable to losses associated with the improper functioning, breach or unavailability of our and our vendors’ information systems, including systems used in acquired operations, and third-party systems we use. Threat actors continue to attempt to exploit commonly used software and services to gain remote access to a large number of the information systems of the businesses using the software and services. For example, in December 2021, widespread exploitation of a vulnerable logging software installed within commonly used applications, services, and websites gave threat actors the ability to execute code remotely and potentially take control of affected systems. In May 2023, an international ransomware group began exploiting a vulnerability in a prevalent enterprise file transfer tool allowing the group to steal data from thousands of government, public, and business organizations worldwide. Generally, we, working with our cybersecurity vendors, attempt to monitor various channels and sources to identify vulnerabilities and threats in both third-party vendor software and services as well as our own systems and to mitigate the risks promptly. We also routinely work with industry and governmental cybersecurity partners to identify and combat cyber threats, which are particularly acute in the healthcare industry. When we become aware of threats, we undertake forensic investigations of our systems using all the indicators of compromise identified by leading security experts. Our forensic analysis to date has discovered no indicators of compromise. There can be no assurance that we will identify or adequately mitigate all threats to our systems, particularly in light of the number of well-funded and organized threat actors working to attack healthcare providers and the possibility of zero-day vulnerabilities and exploits yet to be identified. To date, we are not aware of having experienced a material compromise from a cyber breach or attack.
However, given the increasing cybersecurity threats in the healthcare industry, there can be no assurance we will not experience business interruptions; data loss, ransom, misappropriation or corruption, theft, or misuse of proprietary data, patient or other personally identifiable information; or litigation, investigation, or regulatory action related to any of those, any of which could have a material adverse effect on our patient care, ability to admit patients, financial position, and results of operations and harm our business reputation. Moreover, a security breach, or threat thereof, could require that we expend significant resources to repair or improve our information systems and infrastructure and could distract management and other key personnel from performing their primary operational duties. In the case of a material breach or cyber attack, the associated expenses and losses may exceed our current insurance coverage for such events. Some adverse consequences are not insurable, such as reputational harm and third-party business interruption. Failure to maintain proper function, security, or availability of our information systems or protect our data against unauthorized access could have a material adverse effect on our business, financial position, results of operations, and cash flows. In addition, costs, unexpected problems, and interruptions associated with the implementation or transition to new systems or technology or with adequate support of those systems or technology across numerous hospitals could have a material adverse effect on our business, financial position, results of operations, and cash flows. The failure of our business partners and vendors to maintain the proper function, availability, or security of their information systems or to protect against unauthorized access could have a material adverse effect on our business, financial position, results of operations, and cash flows. 
Our business involves sharing of protected health information and other sensitive information among employees and with third-parties, including acute-care hospitals, which are typically referral sources, healthcare service and information vendors, and the federal government, our primary payor. In fact, federal laws and regulations require interoperability among healthcare entities in many circumstances. The use by our employees and healthcare partners of portable devices to facilitate patient care increases the risk of loss, theft or inadvertent disclosure of that information. A compromise of the network security measures or other controls of those businesses, vendors, or governmental agencies and their contractors with whom we interact, including our direct and indirect cloud service providers and CMS, which results in confidential information being accessed, obtained, damaged or used by unauthorized persons, or unavailability of systems necessary to the operation of our business, could impact patient care, claims billing and collection, harm our reputation, and expose us to significant remedial costs as well as regulatory actions (fines and penalties) and claims from patients, financial institutions, regulatory and law enforcement agencies, and other persons, any of which could have a material adverse effect on our business, financial position, results of operations and cash flows. ACE-IT, our enterprise-level clinical information system, is subject to a licensing, implementation, technology hosting, and support agreement with Oracle Cerner Corporation. In addition, we have a number of partners and non-software vendors with whom we share data in order to provide patient care and otherwise operate our business. Our inability, or the inability of our partners or vendors, to continue to secure, maintain and upgrade information systems, software, and hardware could disrupt or reduce the efficiency of our operations, including affecting patient care. 
On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group that acts as an intermediary for processing of our payment claims for all payors, notified us of a cybersecurity incident affecting some of its systems. To date, we have not identified any compromise or unauthorized access of our systems or networks. The Change Healthcare incident has not affected our operations, except the submission of payment claims. In the event the Change Healthcare service is not restored in a timely fashion, we may experience payment collection delays as we turn to alternative channels to submit claims. For additional discussion of potential impacts from the Change Healthcare incident, see the “Liquidity and Capital Resources” section of Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations. A security breach or other system failure involving Oracle Cerner, Change Healthcare, or another third-party with whom we share data or system connectivity could compromise our patient data or proprietary information or disrupt our ability to operate, including submitting claims for payment, any of which could have a material adverse effect on our business, financial position, results of operations and cash flows.

We face intense competition for patients from other healthcare providers. We operate in the competitive, fragmented inpatient rehabilitation industry. Although we are the nation’s largest owner and operator of inpatient rehabilitation hospitals in terms of patients treated, revenues, and number of hospitals, in any particular market we may encounter competition from local or national entities with longer operating histories or other competitive advantages. For example, acute-care hospitals, including those owned and operated by large public companies, may choose to expand or begin offering post-acute rehabilitation services.
Given that approximately 91% of our hospitals’ admissions come from acute-care hospitals, that increase in competition could materially and adversely affect our admission referrals in the related markets. There are also large acute-care systems that may have more resources available to compete than we have. Other providers of post-acute care services may attempt to become competitors in the future. For example, nursing homes frequently market themselves as offering certain rehabilitation services, even though nursing homes are not required to offer the same level of care, and are not licensed, as hospitals. Competing companies may offer newer or different services from those we offer or have better relationships with referring physicians and may thereby attract patients who are presently, or would be candidates for, receiving our inpatient rehabilitation services. The other public companies and large health insurance companies expanding into post-acute care have or may obtain significantly greater marketing and financial resources or other advantages of scale than we have or may obtain. Other companies, including hospitals and other healthcare organizations that are not currently providing competing services, may expand their services to include inpatient rehabilitation services. There can be no assurance this competition, or other competition which we may encounter in the future, will not adversely affect our business, financial position, results of operations, or cash flows. In addition, from time to time, there are efforts in states with certificate of need (“CON”) laws to weaken those laws, which could potentially increase competition in those states. For example, in 2023, South Carolina enacted legislation to repeal CON regulations for several provider types, including IRFs. Conversely, competition and statutory procedural requirements in some CON states may inhibit our ability to expand our operations in those states. 
For a breakdown of the CON status of the states and territories in which we have operations, see
Item 1C. Cybersecurity

Process for Assessing, Identifying and Managing Material Cybersecurity Risks

The proper function, availability, and security of our and third-party information systems are critical to our business. We have attempted to structure our cybersecurity program and its incident response policies and procedures, including an incident response plan (the “IRP”), around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which provides best practices to identify, protect from, respond to, and recover from cyber attacks. The cybersecurity program, led by our chief security officer (“CSO”), consists of dedicated internal IT security employees, including the staff of a security operations center, and long-term third-party security service providers. Our IT security staff, led by our CSO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. In furtherance of our cybersecurity program, members of our internal security staff participate in industry and governmental cybersecurity cooperative groups, including the Health Information Sharing and Analysis Center (“H-ISAC”) and the FBI’s InfraGard. Our CSO, who assumed his current role in 2022, has over 10 years of cybersecurity experience with us and over 27 total years of cybersecurity and IT experience across various industries, including telecom, engineering, and finance. He also holds several cybersecurity certifications: GIAC Certified Incident Handler, GIAC Certified Penetration Tester, and Certified Healthcare Information Security Leader. Our CSO reports directly to our chief information officer (“CIO”). Our CIO, who assumed his current role in 2011, has 34 total years of cybersecurity and IT experience. Prior to assuming the role of CIO, he served in senior IT and security roles for us beginning in 2001.
As a highly decorated United States Air Force officer, he served as a CIO, regional CIO, and chief technology officer responsible for the USAF health system’s IT worldwide operations. He also served as a senior staff advisor to various levels of the United States Department of Defense’s military health system on strategic matters related to IT policy, procedures, procurement, and solutions, and is a subject matter expert on cybersecurity. He has numerous professional certifications and affiliations, including a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors’ Cyber-Risk Oversight Program; Certified Information Systems Security Professional; and lifetime member, fellow, and previous board member of the College of Health Information Management Executives. We maintain an inter-departmental privacy and security committee that oversees our programs and initiatives that seek to protect and secure patient information as well as our data and information systems. This committee is responsible for, among other things, administering our incident response policies and procedures and various training and awareness programs that promote good system security practices by employees. This committee consists of our CSO, CIO, deputy CIO, chief privacy officer, and director of information security and compliance as well as in-house attorneys responsible for cybersecurity and securities matters. It currently meets monthly and as warranted by privacy and security events. The IRP sets forth the strategy to prepare for cybersecurity threats and incidents and the processes and procedures to detect, analyze, contain, and recover after any actual or suspected cybersecurity incidents. The IRP also sets forth the internal reporting process for cybersecurity incidents.
In the event of the detection of an actual or suspected cybersecurity incident, the IRP provides that our IT security staff score the incident based on established criteria and manage the incident pursuant to the standard operating procedures. Depending on the assessed criticality of the incident and the systems affected, the staff will report an incident to a security triage team, consisting of the security operations incident response lead and several members of the privacy and security committee. Working with our third-party security vendors as needed, the triage team investigates the incident, manages the response, and reports threats and incidents deemed significant to securities counsel. Securities counsel then works with the executive team to assess materiality for the Company. A member of the executive team would inform our board of directors as warranted. In general terms, under our cybersecurity program, we undertake measures to protect the safety and security of our information systems and the data maintained within those systems. We have implemented administrative, technical and physical controls on our systems and devices in an attempt to prevent unauthorized access and to promote business resilience in the event of that access. Core elements of our program include the real-time monitoring of both our network and external cybersecurity activity by our internal security operations center and our third-party service providers and the procedures for backing up and recovering our systems. We periodically test the adequacy of our security, business continuity, and disaster recovery measures, including an annual tabletop exercise involving representatives from all key functional departments with the Company, our outside cybersecurity legal counsel, and our primary forensic services firm. Our legal and technical advisors direct the exercise and provide feedback on our performance, which is shared with management and our board of directors. 
We provide our employees annual training and regular reminders on measures they can take to prevent breaches and other cyber threats, including phishing schemes. We participate in the vulnerability scanning service offered by the Cybersecurity and Infrastructure Security Agency on our internet facing systems and engage external security consultants to perform an annual penetration test of our network. Our systems that process electronic protected health information are risk assessed on a quarterly basis against NIST security controls. Additionally, we maintain insurance coverage for cybersecurity incidents.

Third-party Engagement in Connection with our Cybersecurity Program

We maintain engagements with our cybersecurity legal counsel and forensic services firms, each of which has visibility into current events through its client base. We engage throughout the year with not only our security vendors but also H-ISAC, the FBI’s InfraGard, and other communities dedicated to sharing information regarding developing cybersecurity threats.

Third-party IT Vendor Risk Management

Our IT security staff also maintains a third-party IT vendor risk management process. The staff identifies the third parties with whom we contract or otherwise have a relationship involving our network or digital assets that represent an elevated risk based on a detailed rating process. The IT vendor risk management process involves input from various departments, including the affected internal business constituencies, legal, and compliance. Using a platform endorsed by the H-ISAC, the IT security staff performs risk assessments of third parties that appear to represent the greatest risk to our systems and data. Annually, the privacy and security committee reviews and approves our listing of tier one vendors subject to the assessment.
The IT security staff then works with the internal points of contact responsible for the applications, software or systems and the vendors to gather the information necessary to assess the associated risks using common cybersecurity standards and frameworks. Any significant risks identified are shared with the vendors and the compensating controls for those risks are documented in collaboration with the vendors. The internal points of contact and other constituencies then review the results of the assessment process in order to assess the associated value of the product or service against the risk.

Integration into the Overall Risk Management System

Assessing, identifying, and managing cybersecurity related risks are integrated into our overall enterprise risk management (the “ERM”) process. Cybersecurity risks are included in the risk universe that the ERM function evaluates to assess the most significant risks to the Company as a whole. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. Management presents quarterly the ERM risk assessment, including key risk indicators, to our board of directors.

Board Oversight of the Cybersecurity Program and Patient Privacy Matters

Our board of directors has actively sought out experience and expertise among its members to further its oversight of cybersecurity risk. We believe that Messrs. Carmichael and Reidy and Ms. Herman have extensive knowledge and experience in cybersecurity oversight. Mr. Carmichael previously served as chief information officer at multiple companies, and Mr. Reidy directly supervised and oversaw the information security programs at two companies. Ms. Herman has completed the National Association of Corporate Directors’ Cyber-Risk Oversight Program, which is designed to enhance cybersecurity literacy and strengthen cyber-risk oversight practices, and holds a CERT Certificate in Cybersecurity Oversight. The Compliance and Quality of Care Committee of our board of directors has primary responsibility for oversight of our cybersecurity risk management program. Our CIO provides quarterly reports on our cybersecurity program to that committee and at least annually to our full board. The reports to the committee and the full board include details and metrics on, among other things, our routine vulnerability assessments, internal and external threat intelligence, quarterly NIST framework assessments, quarterly Company-wide phishing exercises and training, device encryption, routine resilience efforts including quarterly disaster recovery exercises, third-party vendor risk management, annual tabletop incident response exercise, annual business continuity exercise, cyber penetration tests, and 23 NIST cyber hygiene controls. Similarly, our chief compliance officer provides quarterly reports to the Compliance and Quality of Care Committee on patient privacy compliance efforts and related matters. The Compliance and Quality of Care Committee and the full board review, and the committee approves, the annual cybersecurity plan that sets out the primary initiatives and internal audits of the IT security function for the upcoming year. Historically, one or more board members have observed and participated in our annual tabletop incident response exercise.

Effects of Cybersecurity Risks on the Company

To date, we are not aware of having experienced a material compromise of our systems or networks from a cybersecurity incident. However, we routinely identify attempts to gain unauthorized access to our systems.
Additionally, some of our vendors and business partners have experienced compromises of their information systems, including systems that we use. On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group that acts as an intermediary for processing of our payment claims for all payors, notified us of a cybersecurity incident affecting some of its systems. In response to the incident, both we and Change Healthcare severed those business service connections between our systems and Change Healthcare’s. We promptly conducted forensics on our systems based on the shared information regarding this Change Healthcare incident. As of February 28, 2024, we have not identified any compromise or unauthorized access of our systems or networks. The Change Healthcare incident has not affected our operations, except the submission of payment claims. At this time, we have not determined that this disruption to our submission of claims is likely to materially affect our business strategy, results of operation or financial condition. Given the increasing cybersecurity threats in the healthcare industry, there can be no assurance we will not experience business interruptions; data loss, ransom, misappropriation or corruption, theft, or misuse of proprietary data, patient or other personally identifiable information; or litigation, investigation, or regulatory action related to any of those, any of which could have a material adverse effect on our patient care, ability to admit patients and to bill and collect for services provided on a timely basis, financial position, and results of operations and could harm our business reputation. We expend significant capital to protect against cybersecurity threats, including denial of service attacks, email phishing schemes, hacking, advanced persistent threats, malware, and ransomware.
Substantial additional expenditures may be required to respond to and remediate any problems caused by cybersecurity incidents, including the unauthorized access to or theft of patient data and protected health information stored in our information systems, the inoperability of our electronic clinical and business systems, and the infiltration or disruption of the information systems of our business partners. In the case of a material cybersecurity incident, the associated expenses and losses and lost revenue may exceed our current insurance coverage for such events. Some adverse consequences may not be insurable, such as reputational harm and third-party business interruption. For further discussion of the risks associated with cyber threats, see Item 1A, Risk Factors, “Other Operational Risks.”


Company Information

Name: Encompass Health Corp
CIK: 0000785161
SIC Description: Services-Hospitals
Ticker: EHC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30