| Cybersecurity Risk Management, Strategy, and Governance | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy. Astrana Health operates in an increasingly interconnected and digitized world, where the protection of sensitive information and the resilience of our information technology systems are paramount to our mission of delivering exceptional healthcare services. Cybersecurity is a critical component of our enterprise risk management program, reflecting our commitment to safeguarding the privacy and security of the patients, employees, and others who entrust us with their data. As a healthcare organization, we manage large quantities of protected health information (“PHI”), personally identifiable information (“PII”), and other sensitive data. Recognizing the heightened risks posed by cyber threats, we have implemented a cybersecurity framework that is designed to proactively identify, assess, and mitigate the risks associated with these threats. This includes protection against ransomware, phishing attacks, data breaches, and the evolving tactics of sophisticated cyber adversaries, as well as other types of cyber threats. Our cybersecurity program is built on industry-recognized standards, and we continuously adapt our program to defend against the changing threat landscape. Cybersecurity Governance. Astrana Health’s governance framework reflects our commitment to managing cybersecurity risks with accountability and transparency. This framework is rooted in collaboration among executive leadership, employee operational teams, and the Board of Directors, resulting in comprehensive oversight at every level of the organization. Board Oversight. The Board of Directors oversees cybersecurity as part of its enterprise risk management responsibilities. The Audit Committee reviews cybersecurity risks, including IT internal controls, the use of AI, business continuity plans, disaster recovery programs, and data protection initiatives. The Audit Committee also receives regular reports from management, including the CISO (as defined below), on key cybersecurity metrics, threat landscapes, risk mitigation strategies, and significant cybersecurity or data privacy incidents (if any). In addition, the Audit Committee receives regular reports from other operational committees of the Company, ensuring a holistic view of risk management. Executive Leadership. Our cybersecurity program is led by the Chief Information Security Officer (“CISO”), a Certified Information Systems Security Professional (CISSP) with over 25 years of experience in technology, cybersecurity strategy, risk management, and regulatory compliance, including extensive industry experience. The CISO works closely with the Company’s executive leadership to implement and oversee the Company’s cybersecurity initiatives. The CISO is also responsible for broader IT governance and risk management, resulting in a cohesive approach to protecting our technology infrastructure and sensitive data. AI Policy and Governance. Astrana Health recognizes the transformative potential of AI in healthcare and the corresponding responsibility to implement it ethically and securely. Our AI policy and governance framework emphasizes transparency, fairness, and accountability in the use of AI technologies across our operations. This includes data privacy safeguards, monitoring to mitigate algorithmic bias, and adherence to industry best practices and regulatory standards. An internal committee comprising experts in technology, legal, compliance, and healthcare operations ensures that AI deployments meet ethical and cybersecurity standards. Periodic audits and risk assessments are conducted to evaluate the performance, reliability, and security of AI systems in critical workflows. The Board oversees the ethical deployment of automated intelligence and machine learning, ensuring algorithmic accountability and the mitigation of security risks inherent in AI-driven clinical workflows. Cross-Functional Collaboration. Astrana Health utilizes a cross-functional governance structure that engages enterprise risk management, compliance, IT, legal, privacy, and data governance teams. Our risk management / cyber working group, which includes certain of our senior leaders, including operations, finance, internal audit, IT, cyber, legal, and communications, meets at least four times per year to discuss significant risks to the Company identified by our enterprise-wide risk management process, including cybersecurity risks identified by our cybersecurity risk management program. The group also discusses the steps management has taken to identify, monitor, assess, and control or avoid such exposures, reviews performance measures against the Company’s risk appetite and tolerance, and provides recommendations for corrective action where appropriate. This collaborative approach enables a holistic evaluation of cybersecurity risks and ensures that identified threats are promptly addressed. Cybersecurity Program Components. Astrana Health’s cybersecurity program employs a multi-layered approach, incorporating a wide range of policies, technologies, and processes to detect, prevent, and respond to cyber threats. Proactive Monitoring and Threat Detection. We leverage security technologies and tools to continuously monitor our IT systems and networks. Our Security Operations Center is equipped to detect anomalies and respond to emerging threats in real time, aiming to minimize the risk of undetected cyberattacks. Employee Training and Awareness. Astrana Health fosters a culture of cybersecurity awareness through mandatory training programs, phishing simulations, and engagement campaigns. These efforts aim to enable employees to identify and report potential threats, thereby reducing organizational vulnerability to common attack vectors. Data Encryption and Access Controls. Robust encryption protocols safeguard sensitive data, both in transit and at rest. Multi-factor authentication and role-based access controls further restrict unauthorized access, ensuring that only authorized personnel can access critical systems and information. Incident Response and Recovery. Our comprehensive incident response plan outlines detailed procedures for addressing and recovering from cybersecurity incidents. This plan, which is integrated with our business continuity and disaster recovery strategies, aims to ensure operational resilience and timely remediation of affected systems. We maintain a cross-functional Cyber Incident Response Team (CIRT) tasked with the real-time assessment of incidents to determine potential materiality based on quantitative and qualitative impact thresholds. Third-Party Risk Management. Vendors and service providers are vetted through a structured third-party risk management program. This process includes security assessments, compliance with contractual requirements for cybersecurity standards, and ongoing monitoring to ensure alignment with Astrana Health’s security policies. We employ a risk-based tier system for third-party providers, conducting continuous security posture assessments and requiring adherence to stringent contractual cybersecurity standards. Independent Audits and Assessments. External firms conduct regular penetration testing, Service Organization Controls (SOC) 2 audits, and other assessments to validate the effectiveness of our cybersecurity controls and identify areas for improvement. Industry Standards and Benchmarks. Our cybersecurity program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Additionally, periodic tabletop exercises simulate real-world scenarios to assess our readiness and enhance incident response capabilities. Cybersecurity Incidents. Although we have been subject to breaches of our IT systems, including breaches of the IT systems of third-party service providers, the impact of such attacks has not been material to our business strategy, operations or results of operations, financial position, or cash flows through the date of this report. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect the Company. For additional information on the risks we face from cybersecurity threats, please refer to Part I, Item 1A, “Risk Factors” of this Form 10-K. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our comprehensive incident response plan outlines detailed procedures for addressing and recovering from cybersecurity incidents. This plan, which is integrated with our business continuity and disaster recovery strategies, aims to ensure operational resilience and timely remediation of affected systems. We maintain a cross-functional Cyber Incident Response Team (CIRT) tasked with the real-time assessment of incidents to determine potential materiality based on quantitative and qualitative impact thresholds. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | The Board of Directors oversees cybersecurity as part of its enterprise risk management responsibilities. The Audit Committee reviews cybersecurity risks, including IT internal controls, the use of AI, business continuity plans, disaster recovery programs, and data protection initiatives. The Audit Committee also receives regular reports from management, including the CISO (as defined below), on key cybersecurity metrics, threat landscapes, risk mitigation strategies, and significant cybersecurity or data privacy incidents (if any). In addition, the Audit Committee receives regular reports from other operational committees of the Company, ensuring a holistic view of risk management. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board of Directors oversees cybersecurity as part of its enterprise risk management responsibilities. The Audit Committee reviews cybersecurity risks, including IT internal controls, the use of AI, business continuity plans, disaster recovery programs, and data protection initiatives. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee also receives regular reports from management, including the CISO (as defined below), on key cybersecurity metrics, threat landscapes, risk mitigation strategies, and significant cybersecurity or data privacy incidents (if any). |
| Cybersecurity Risk Role of Management [Text Block] | Astrana Health operates in an increasingly interconnected and digitized world, where the protection of sensitive information and the resilience of our information technology systems are paramount to our mission of delivering exceptional healthcare services. Cybersecurity is a critical component of our enterprise risk management program, reflecting our commitment to safeguarding the privacy and security of the patients, employees, and others who entrust us with their data. As a healthcare organization, we manage large quantities of protected health information (“PHI”), personally identifiable information (“PII”), and other sensitive data. Recognizing the heightened risks posed by cyber threats, we have implemented a cybersecurity framework that is designed to proactively identify, assess, and mitigate the risks associated with these threats. This includes protection against ransomware, phishing attacks, data breaches, and the evolving tactics of sophisticated cyber adversaries, as well as other types of cyber threats. Our cybersecurity program is built on industry-recognized standards, and we continuously adapt our program to defend against the changing threat landscape. Our cybersecurity program is led by the Chief Information Security Officer (“CISO”), a Certified Information Systems Security Professional (CISSP) with over 25 years of experience in technology, cybersecurity strategy, risk management, and regulatory compliance, including extensive industry experience. The CISO works closely with the Company’s executive leadership to implement and oversee the Company’s cybersecurity initiatives. The CISO is also responsible for broader IT governance and risk management, resulting in a cohesive approach to protecting our technology infrastructure and sensitive data. Astrana Health utilizes a cross-functional governance structure that engages enterprise risk management, compliance, IT, legal, privacy, and data governance teams. Our risk management / cyber working group, which includes certain of our senior leaders, including operations, finance, internal audit, IT, cyber, legal, and communications, meets at least four times per year to discuss significant risks to the Company identified by our enterprise-wide risk management process, including cybersecurity risks identified by our cybersecurity risk management program. The group also discusses the steps management has taken to identify, monitor, assess, and control or avoid such exposures, reviews performance measures against the Company’s risk appetite and tolerance, and provides recommendations for corrective action where appropriate. This collaborative approach enables a holistic evaluation of cybersecurity risks and ensures that identified threats are promptly addressed. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our cybersecurity program is led by the Chief Information Security Officer (“CISO”), a Certified Information Systems Security Professional (CISSP) with over 25 years of experience in technology, cybersecurity strategy, risk management, and regulatory compliance, including extensive industry experience. The CISO works closely with the Company’s executive leadership to implement and oversee the Company’s cybersecurity initiatives. The CISO is also responsible for broader IT governance and risk management, resulting in a cohesive approach to protecting our technology infrastructure and sensitive data. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our cybersecurity program is led by the Chief Information Security Officer (“CISO”), a Certified Information Systems Security Professional (CISSP) with over 25 years of experience in technology, cybersecurity strategy, risk management, and regulatory compliance, including extensive industry experience. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The CISO works closely with the Company’s executive leadership to implement and oversee the Company’s cybersecurity initiatives. The CISO is also responsible for broader IT governance and risk management, resulting in a cohesive approach to protecting our technology infrastructure and sensitive data. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |