Page last updated on February 27, 2025
Ardent Health Partners, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:46:21 EST.
Filings
10-K filed on 2025-02-27
Ardent Health Partners, Inc. filed a 10-K at 2025-02-27 16:46:21 EST
Accession Number: 0001628280-25-008727
Item 1C. Cybersecurity.
Risk Management and Strategy
We identify and assess areas of risk for our business on an ongoing basis, and we have developed, and regularly update and refine, comprehensive practices to manage and mitigate existing and potential risks to our business. As part of that process, we continually identify and assess areas of cybersecurity risk for our business using the National Institute of Technology Cybersecurity Framework 2.0 (“NIST CSF 2.0 Framework”). We have an information security risk management framework that has processes dedicated to the identification, assessment and management of material risks from cybersecurity threats. Our approach to cybersecurity risk management includes the following elements:
- a team dedicated solely to cybersecurity which is managed by our Chief Information Security Officer (“CISO”), who reports directly to our Chief Digital and Transformation Officer (“CDTO”);
- a third party risk management process that includes cybersecurity assessments of third party products and systems proposed to connect to our information systems environment or access or store our data; and
- a cybersecurity incident response plan.
Our cybersecurity team, which includes both our employees and those of our managed services providers, is comprised of people with various functional areas of responsibility, including personnel from our information technology, operations, legal, compliance, risk management, communications, incident command center, security, human resources, finance and internal audit teams. We have contracted with a Security Operations Center service provider and a Managed Detect and Response service provider; both of which are staffed 24 hours a day to provide monitoring and active protection support for our cybersecurity risk management program. Our senior security leadership team has significant experience with data security, and members have served in various roles within our security program.
We have devised a multi-faceted approach to assess, identify, protect, detect, respond to and recover from cybersecurity threats using the NIST CSF 2.0 Framework. We have implemented numerous threat management tools and processes, and developed disaster recovery and business continuity plans that are tested and updated periodically. We strive to stay abreast of cybersecurity threats through integrated threat intelligence feeds, industry and federal threat notices, and participation in healthcare industry intelligence sharing. We also regularly conduct table-top exercises, which serve to simulate cybersecurity incidents to practice our response and identify gaps. We routinely perform security risk assessments using internal and external services, including internal and external penetration testing. We also require all employees to complete cybersecurity awareness training annually, and we circulate cybersecurity awareness alerts, safety tips and newsletters to employees across the enterprise regularly. In addition, we routinely run phishing campaigns and perform other tests to increase awareness of cybersecurity threats.
Our business requires us to share data, and have our systems interact, with third parties, including our service providers and vendors, as well as other healthcare providers and their vendors. This interaction and sharing of data creates risks to our systems and makes us vulnerable to third party systems and practices. Incidents and cybersecurity attacks at third parties can impact our operations and our obligations to patients, payers and others. We manage this risk through an information technology review and approval process that considers the anticipated use and implementation of proposed technologies and includes cybersecurity team assessments of third party products and systems proposed to connect to our information systems or access or store our data.
A subgroup of our cybersecurity team is dedicated to risk assessment analyses of vendor security practices and protections. We leverage the FAIR (Factor Analysis of Information Risk) model to help quantify the third party’s cyber risk. We endeavor to incorporate security measures into contracts with vendors.
In addition to protecting our assets and systems, our cybersecurity team is tasked with detecting and defending against cybersecurity threats to our systems and data. We maintain a response plan, updated annually, that outlines actions to be taken with respect to cyber incidents and includes procedures, notification processes, and protocols for escalation to senior management. We have a cybersecurity incident response team composed of a smaller, core group of our cybersecurity team. We also engage third parties, such as forensics consultants, external legal counsel and law enforcement, as needed and as appropriate based on the circumstances. Incidents are escalated to senior management as appropriate based on the nature of the incident.
Governance
Management Oversight - Management is responsible for the day-to-day handling of risks facing our Company, including cybersecurity risks. Our CISO, who reports directly to our CDTO, oversees and manages our cybersecurity strategy and related programs. As the head of our cybersecurity team, both internal and outsourced, our CISO is primarily responsible for assessing and managing risks from cybersecurity threats. The processes by which he is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents are described above. He reports information about such risks to the CDTO and other members of senior management, who, in turn, report them to our Board and Audit and Compliance Committee, as appropriate. Our CISO joined us in January 1998 with 13 years of experience in various technology and information security roles within Ardent.
Board Oversight - Our Board of Directors (the “Board”), as a whole and through its committees, oversees risk management, including cybersecurity risks. The Board has delegated certain risk management responsibilities with respect to cybersecurity to our Audit and Compliance Committee. Our Board has identified the oversight of cybersecurity risks to be one of its priorities, and it receives regular reports from management, including the CDTO and the CISO, on various cybersecurity matters, including the security of our information systems, anticipated sources of future material cyber risks and how management is addressing any significant potential vulnerability. The Board’s Audit and Compliance Committee receives regular updates on cybersecurity threats and other matters. In addition to regular updates to the Audit and Compliance Committee, we have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the Board and Audit and Compliance Committee.
Existing and Potential Risks
As discussed in the Risk Factors section above, our operations could be significantly and negatively impacted by cybersecurity threats and other disruptions affecting our information technology, related information systems and sensitive information. We rely on our information technology to process, transmit and store clinical, financial and operational data that includes PHI, PII and proprietary and confidential business data. We utilize EHRs and other information technology in connection with all of our operations, including our billing and other financial systems, supply chain and labor management tools. As described above, our information systems, in turn, interface with and rely on third party systems that we do not control, including medical devices and other processes supporting the interoperability of healthcare infrastructures.
In November 2023, we experienced the Cybersecurity Incident, which temporarily disrupted our operations and involved the exfiltration of certain confidential employee and patient information. We incurred significant costs to remediate the issues, sustained lost revenues from the associated business interruption and incurred other related expenses. Following the Cybersecurity Incident, we implemented certain changes to our information systems and processes meant to provide additional protections to our environment, including, among other things, enhancing the visibility of our Security Operations Center, training practices, detection tools and capabilities, and implemented new tools and processes, expanded the scope of vulnerability management, and increased scrutiny of internet access. In addition, we adopted several technologies that incorporate artificial intelligence capabilities to enhance our protection capabilities.
However, we continue to face a heightened risk of cybersecurity threats targeting healthcare providers, including ransomware attacks, which may materially impact our operations. Threat actors continue to proliferate, adapt and devote significant effort to attacking the information systems and electronically transmitted and stored data of healthcare providers and related entities.
Except for the Cybersecurity Incident, no risks from cybersecurity threats or previous cybersecurity incidents have materially affected our business strategy, results of operations, or financial condition. However, there can be no assurance that our controls and procedures in place to monitor and mitigate the risks of cybersecurity threats, including the remediation of critical information security and software vulnerabilities, will be sufficient and/or timely and that we will not suffer material losses or consequences in the future.
Additionally, while we have in place insurance coverage designed to address certain aspects of cybersecurity risks, such insurance coverage may not be sufficient to cover all insured losses or all types of claims that may arise.
Company Information
Name | Ardent Health Partners, Inc. |
CIK | 0001756655 |
SIC Description | Services-General Medical & Surgical Hospitals, NEC |
Ticker | ARDT - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |