II. Information & Cybersecurity

Our operations depend heavily on effective information systems to process clinical, operational and

financial information. Information systems require an ongoing commitment of significant resources to

maintain and enhance existing systems and to develop new systems in order to keep pace with

continual changes in information technology. We also sometimes rely on third-party providers of

financial, clinical, patient accounting and network information services and, as a result, we face

operational challenges in maintaining multiple provider platforms and facilitating the interface of such

systems with one another. We rely on these third-party providers to have appropriate controls to

protect confidential information. We do not control the information systems of third-party providers,

and in some cases we may have difficulty accessing information archived on third-party systems.

Our networks and information systems are also subject to disruption due to events such as a major

earthquake, fire, telecommunications failure, ransomware or terrorist attacks or other catastrophic

events. If the information systems on which we rely fail or are interrupted or if our access to these

systems is limited in the future, it could have an adverse effect on our business, financial condition or

results of operations.

A cyber-attack or security breach could result in the compromise of our facilities, confidential data or

critical data systems and give rise to potential harm to patients, remediation and other expenses,

expose us to liability under HIPAA, consumer protection laws, common law or other theories, subject us

to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be

disruptive to our business.

We rely extensively on our computer systems to manage clinical and financial data, communicate with

our patients, payors, vendors and other third parties and summarize and analyze operating results. We

have made significant investments in technology to protect our systems, equipment and medical devices

and information from cybersecurity risks. During the second quarter of 2014, our computer network was

the target of an external, criminal cyber-attack in which the attacker successfully copied and transferred

certain data outside the Company. This data included certain non-medical patient identification data

(such as patient names, addresses, birthdates, telephone numbers and social security numbers)

considered protected under HIPAA, but did not include patient credit card, medical or clinical

information. The remediation efforts in response to the attack have been substantial, including

continued development and enhancement of our controls, processes and practices designed to protect

our systems, computers, software, data and networks from attack, damage or unauthorized access. Also

in connection with the cyber-attack, we have been subject to multiple purported class action lawsuits

and government investigations by various State Attorneys General and the U.S. Department of Health

and Human Services Office for Civil Rights, and may be subject to additional litigation, potential

governmental inquiries and potential reputation damages.

In spite of our security measures, there can be no assurance that we will not be subject to additional

cyber-attacks or security breaches in the future. Additionally, in the definitive agreements we enter into

in connection with the divestiture of hospitals, we routinely agree to provide transition services to the

buyer, including access to our legacy information systems, for a defined transition period. By providing

access to our information systems to non-employees, we are exposed to cyber-attacks or security

breaches that originate outside of our processes and practices designed to prevent such threats from

occurring. Any such cyber-attacks or security breaches could impact the integrity, availability or privacy

of protected health information or other data subject to privacy laws or disrupt our information

technology systems, devices or business, including our ability to provide various healthcare services.

Additionally, growing cyber-security threats related to the use of ransomware and other malicious

software threaten the access and utilization of critical information technology and data. As a result,

cybersecurity and the continued development and enhancement of our controls, processes and

practices designed to protect our information systems from attack, damage or unauthorized access

remain a priority for us. Our ability to recover from a ransomware or other cyber-attack is dependent on

these practices, including successful backup systems and other recovery procedures. As cyber-threats

continue to evolve, we may be required to expend significant additional resources to continue to modify

or enhance our protective measures or to investigate and remediate any information security

vulnerabilities. If we are subject to cyber-attacks or security breaches in the future, this could result in

harm to patients; business interruptions and delays; the loss, misappropriation, corruption or

unauthorized access of data; litigation and potential liability under privacy, security, breach notification

and consumer protection laws or other applicable laws; reputational damage and federal and state

governmental inquiries, any of which could have an adverse effect on our business, financial condition

or results of operations.

• Describe the risks involved. Note: use as many facts as possible in describing the risks in questionconcreteness is key.
• Describe one traditional risk management approach that you learned from the class that you would recommend to the board of directors for managing the risks in question.
• Describe at least one innovative, out-of-the-box risk management solution for those risksin answering this last part, please note that there is no right answer, and that the goal is to think as creatively as possible to come up with something new or different. .

Previous