Assure Holdings Corp. 10-K Cybersecurity GRC - 2024-04-26

Page last updated on April 26, 2024

Assure Holdings Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-26 16:49:52 EDT.

Filings

10-K filed on 2024-04-26

Assure Holdings Corp. filed a 10-K at 2024-04-26 16:49:52 EDT
Accession Number: 0001798270-24-000012


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Cybersecurity Strategy and Risk Management

Assure Neuromonitoring's cybersecurity program is a comprehensive system fortified by policies and procedures aimed at safeguarding our operations, systems, and the sensitive data of our clients and customers from potential cybersecurity threats. This program is a crucial part of our risk management strategy.

At the heart of our security model is a defense-in-depth framework. This framework consists of multiple layers of processes and technologies designed to prevent, detect, and respond to threats. Our strategy for defending against external threats includes a range of preventive technologies such as malicious email blocking, defenses against automated attacks, AI-enhanced advanced threat protection, SDWAN technologies, encryption, and multifactor authentication. These measures proactively intercept and neutralize cyber threats, ensuring data security within our environment. We also employ continuous event monitoring technologies that detect suspected intrusion attempts and alert our Security Incident Response team.

Assure Neuromonitoring implements several key security processes to mitigate and protect against cybersecurity risks, including:

Identity and Access Management: We grant employees the minimum necessary access to perform their roles using a role-based access control methodology. Any privileged or elevated access to our systems requires additional approval and authentication processes, and is subject to increased logging and monitoring.

Security Awareness and Training: We conduct annual HIPAA training programs and regular phishing simulations, and require employees to pass a general security awareness assessment every year.

Security Operations and Monitoring: Our operational monitoring processes offer valuable insights into the effectiveness of our security program. A centralized system collects security logs and performs event correlation, triggering an alert if necessary. We review any deviations from our targets and implement corrective actions.

Change Management: Any changes to hardware, software, network components, or processes introduced into production environments are managed by a change control process. This process requires the submission of necessary documentation and a business justification for the change.

Disaster Recovery / Business Continuity: Our recovery processes are designed to maintain service to our customers, vendors, and members under a wide range of adverse circumstances. Recovery methods include rerouting business functions, relocating to an alternative site, online and offline backups, mobile recovery, and work-from-home arrangements.

Physical Security: Our physical security system is used to identify appropriate individuals, authorize entry, and define the working areas they can access.

Third-Party Vendor Security Reviews: Suppliers with access to sensitive data, or who host or transmit it, must complete a business associate agreement, signifying their compliance with HIPAA laws.

Vulnerability Management / Patching: We rate any discovered vulnerability by severity and assign a timeline for remediation. Patching activities are centrally managed, focusing on the identification, remediation, analysis, and closure of vulnerabilities throughout the vulnerability management lifecycle.

Cybersecurity Incident Reporting: Our incident reporting protocol facilitates quick and efficient responses to cybersecurity threats. This includes providing employees with documentation on how to report a cybersecurity incident, a user-friendly phishing reporting tool in Outlook, and group email boxes that are monitored 24/7 for incident submissions.

Our cybersecurity program, which is measured against industry-standard frameworks, undergoes penetration testing by third-party assessors.

Our Chief Information Officer (CIO) leads our information technology team in frequent collaborations with industry experts and cybersecurity practitioners from other companies. This collaboration allows us to exchange information about potential cybersecurity threats, best practices, and industry trends. We manage cybersecurity risks on a routine basis through a defined framework that includes activities for identifying, assessing, treating, and monitoring risks. The results of our cybersecurity risk assessments guide senior management in making informed decisions about resource allocation to reduce cybersecurity risks and enhance our overall security posture.

Each year, we review our entire program and measure it against widely accepted industry standards and frameworks, such as the internationally recognized security control framework established by the NIST. This framework is used by companies to assess and improve their ability to prevent, detect, and respond to cyberattacks. Our cybersecurity policies and standards, which are primarily guided by the NIST 800-53 Cybersecurity Framework, are also reviewed annually.

In addition to these internal measures, external third parties evaluate the effectiveness of components of our overall cybersecurity program. This evaluation includes work performed over various levels of controls assessments for specific business lines and core processes. These assessments include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Trust Alliance (HITRUST) for healthcare data security. The Joint Commission (TJC) also conducts an annual assessment and benchmark of our security controls to identify opportunities to strengthen our cybersecurity program.

Governance of Cybersecurity Risk Management

Our board of directors collectively oversees our strategic and operational risks. The responsibility of reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, has been delegated to the audit committee by the board of directors. The audit committee regularly reports its findings to the board of directors. The implementation of risk management strategies on a day-to-day basis is the responsibility of our management team, which also suggests process improvements.

Our Chief Information Officer (CIO), who has over 27 years of experience in various engineering, business, and management roles focused on information technology, oversees significant risks from cybersecurity threats. The CIO regularly provides updates and reports on cybersecurity matters and emerging industry trends to the CEO, who then reports this information to the audit committee.

We have engaged an external cybersecurity firm to provide managed security services, reporting directly to our CIO. This firm boasts professionals with over 20 years of experience in IT-related roles and degrees in Information Technology, including cybersecurity. They have extensive experience in supporting firms with the application of information technology governance and security frameworks such as NIST, HIPAA, HITRUST, and COBIT.

Our management team assesses our cybersecurity readiness using internal assessment tools, third-party control tests, vulnerability assessments, audits, and regular evaluations against industry standards. We have established governance and compliance structures designed to escalate cybersecurity-related issues, such as potential threats or vulnerabilities, to management and the audit committee. We also employ various defensive and continuous monitoring techniques in line with recognized industry frameworks and cybersecurity standards. Our CIO holds quarterly meetings with the CEO to review our information technology systems and discuss key cybersecurity risks.


Company Information

Name: Assure Holdings Corp.
CIK: 0001798270
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: IONM - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30