Page last updated on February 27, 2025
AMEDISYS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 08:03:38 EST.
Filings
10-K filed on 2025-02-27
AMEDISYS INC filed a 10-K at 2025-02-27 08:03:38 EST
Accession Number: 0000896262-25-000018
Item 1C. Cybersecurity.
Amedisys recognizes the importance of assessing, identifying and managing material risks associated with cybersecurity threats, as such term is defined by the SEC in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption, intellectual property theft, fraud, extortion, harm to employees or patients, violation of privacy or security laws and other litigation and legal risk.
Amedisys has implemented various cybersecurity related processes, technologies and controls to enhance our efforts to assess, identify and manage such material risks. Amedisys deploys a range of tools and services, including regular network and endpoint monitoring and vulnerability assessments and penetration testing, to mitigate our cybersecurity-based risks. In addition, we schedule tabletop exercises with management and other employees to evaluate our cyber incident response plans. Amedisys has also received HITRUST certification for our internally developed applications which allows us to baseline our program to industry standards and best practices.
Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K) and to provide for the availability of critical data and systems to maintain regulatory compliance.
These controls include the following activities:
- Closely monitoring emerging data protection laws and implementing needed changes to our processes to maintain compliance;
- Conducting annual cybersecurity management and incident training for all employees of the organization;
- Requiring employees and third parties who provide services on our behalf to treat customer information and data with care;
- Leveraging the HITRUST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
- Carrying information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident, although our insurance coverage may be insufficient to cover all losses from a cybersecurity incident or our insurer may deny coverage for a claim.
Additionally, Amedisys performs periodic internal and third-party assessments to evaluate our cybersecurity controls and regularly evaluates our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity threats or personal data breaches.
Amedisys has established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our Enterprise Risk Management Committee (“ERMC”) on a quarterly basis. In addition, our incident response plan includes processes to triage, assess severity, escalate, contain and investigate and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. These processes are assessed annually for effectiveness during our penetration testing.
Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or those who have access to our customer and employee data or our systems.
In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. Amedisys performs diligence on third parties that have access to our systems, data or that have facilities that house such systems or data and monitors cybersecurity threat risks identified through such diligence.
We face cybersecurity risks in connection with our business (see Part I, Item 1A. “Risk Factors - Risks Related to our Operations - Our business depends on our information systems. A cyber-attack, security breach or our inability to effectively integrate, manage and keep our information systems secure and operational could disrupt our operations.”). Although such risks have not materially impacted our business strategy, results of operations or financial condition to date, we have experienced threats to and breaches of our data and systems, including malware and computer virus attacks, and future such events or circumstances could have a material adverse effect on our business and consolidated financial condition, results of operations or cash flows.
The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The Audit Committee receives updates from management on a regular basis of our cybersecurity threat risk management and strategy covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk mitigation related goals, our incident response plan and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The Audit Committee also receives materials, including a cybersecurity briefing, indicating current and emerging cybersecurity threat risks and describing the Company’s ability to mitigate those risks.
The members of management who are responsible for assessing and managing cyber risk are the Acting Chief Information Security Officer and the Acting Chief Information Officer of the Company who, combined, have over 30 years of experience in managing cybersecurity. Our Acting Chief Information Security Officer is responsible for our cybersecurity risk management program and reports directly to the Acting Chief Information Officer. The Acting Chief Information Officer is a member of the ERMC and accountable for informing and updating the ERMC on cybersecurity risk management. The ERMC has ultimate responsibility for the risk management of cyber risk and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents in addition to the Company’s cyber incident response and reporting processes.
Company Information
Name | AMEDISYS INC |
CIK | 0000896262 |
SIC Description | Services-Home Health Care Services |
Ticker | AMED - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |