Oncology Institute, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Oncology Institute, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 06:47:11 EDT.

Filings

10-K filed on 2024-03-28

Oncology Institute, Inc. filed a 10-K at 2024-03-28 06:47:11 EDT
Accession Number: 0001628280-24-013444


Item 1C. Cybersecurity.

The Company prioritizes the protection of our critical systems and information through a robust cybersecurity risk management program. This program outlines our approach to identifying, assessing, and mitigating cybersecurity risks to ensure the confidentiality, integrity, and availability of our assets. We adhere to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) as the guiding framework for our cybersecurity risk management program. While we do not claim compliance with specific technical standards, the NIST CSF serves as a valuable tool for identifying, assessing, and managing cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:

a. risk assessment using industry-standard methodologies such as threat modeling, vulnerability scanning, and penetration testing. These assessments encompass a thorough examination of our critical systems, networks, and applications to identify and prioritize cybersecurity risks. Leveraging tools such as SIEM (Security Information and Event Management) and IDS/IPS (Intrusion Detection System/Intrusion Prevention System), we analyze network traffic patterns and behavior to detect potential threats and vulnerabilities. Additionally, we utilize vulnerability assessment tools to scan our infrastructure for known weaknesses and misconfigurations. These assessments inform our risk management strategies and resource allocation efforts, ensuring that we address the most critical vulnerabilities and threats effectively.

b. a security team principally responsible for managing cybersecurity risk assessment processes, implementing security controls, and orchestrating responses to cybersecurity incidents. They ensure alignment with organizational objectives and regulatory requirements.

c. The use of external service providers specializing in penetration testing, security auditing, and incident response, selected based on their track record, certifications (e.g., CISSP), and adherence to standards (e.g., ISO/IEC 27001). We also enlist Managed Security Service Providers (MSSPs) for continuous monitoring and threat analysis. Cloud service providers with robust security measures host our critical infrastructure, ensuring encryption, multi-factor authentication, and regular audits. Through careful selection and oversight, these partners enhance our cybersecurity defenses and align with our security requirements efficiently.

d. cybersecurity awareness training covers phishing, social engineering, malware prevention, and secure password management. It includes hands-on exercises and simulations to teach employees to identify threats and adhere to secure coding practices. We also emphasize endpoint security measures like antivirus software and firewalls. Additionally, we educate on emerging threats like ransomware and zero-day exploits, fostering a culture of vigilance and proactive risk mitigation.

e. a cybersecurity incident response plan includes procedures for detecting, containing, and mitigating cybersecurity incidents promptly and effectively. We leverage Security Information and Event Management (SIEM) tools for real-time monitoring and alerting, enabling rapid response to potential threats. Additionally, we employ incident response playbooks with predefined actions for various scenarios, ensuring a coordinated and efficient response. Our plan also incorporates post-incident reviews and lessons learned sessions to continuously improve our response capabilities and resilience against future threats.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Compliance Committee (the "Committee") oversight of cybersecurity and other information technology risks. The Committee oversees management's implementation of our cybersecurity risk management program. The Committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.

Our management team, including the Vice President of Healthcare Information Services, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team's experience includes over 25 years of experience in healthcare IT operations, infrastructure deployment, IT governance, and change management.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.


Company Information

Name: Oncology Institute, Inc.
CIK: 0001799191
SIC Description: Services-Offices & Clinics of Doctors of Medicine
Ticker: TOI - Nasdaq; TOIIW - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30