CPSI 2017 Annual Report

Health Information Security and Privacy Practices

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a federal law governing the use, disclosure, transmission and storage of certain individually identifiable health information, referred to as "protected health information," and that was enacted for the purpose of, among other things, protecting the privacy and security of protected health information. As directed by HIPAA, the Department of Health and Human Services (the "DHHS") has promulgated standards and rules for certain electronic health transactions, code sets, data security, unique identification numbers and privacy of protected health information. HIPAA and the standards promulgated by DHHS apply to certain health plans, healthcare clearinghouses and healthcare providers (referred to as "covered entities"), which includes our hospital clients. The Health Information Technology for Economic and Clinical Health Act and its implementing regulations published in January 2013 (the "HITECH Act") significantly expand HIPAA by extending privacy and security standards to "business associates" of healthcare providers that are covered entities. Under the HITECH Act, business associates are required to establish administrative, physical and technical safeguards and are subject to direct penalties for violations. Certain of our services frequently entail us acting as a healthcare clearinghouse and/or in the capacity of a business associate to the hospitals that we serve. As a result, we are covered by the patient privacy and security standards of HIPAA and subject to oversight by DHHS. We believe that we have taken all necessary steps to comply with HIPAA, as it applies to us as a business associate, but it is important to note that DHHS could, at any time in the future, adopt new rules or modify existing rules in a manner that could require us to change our systems or operations.
Protecting individually identifiable health information and other sensitive data is a critical and essential function of CPSI’s software solutions. A variety of industry-standard approaches that meet or exceed regulatory requirements such as HIPAA and HITECH are employed. In order to avoid unauthorized access for the life span of this data, diverse methods of identification, authentication, authorization and encryption are utilized at various points throughout the operating system, application software and hardware. These methods and processes are shared amongst servers and other end-user devices and are complemented by change management processes and tools, which allow the software change control cycle to be a formal, defined process.

Managing Cybersecurity Risks

Our business operations, including the provision of the products and services described above, involve the compilation and transmission of confidential information, including patient health information. We have included security features in our systems that are intended to protect the privacy and integrity of this information, but our systems may be vulnerable to security breaches, viruses, programming errors and other similar disruptive problems. The Board of Directors is responsible for exercising oversight of management’s identification and management of, and planning for, the material risks facing the Company, and we believe our policies and procedures are adequate to ensure that relevant information about cybersecurity risks and incidents is appropriately reported and disclosed. In connection with its oversight responsibility with respect to cybersecurity risks facing the Company, the Board authorized in 2017 the formation of a Cybersecurity Committee comprised of the Executive Vice President of CPSI, the Chief Technology Officer, the Senior Vice President of IT Services, and the Senior Vice President of Professional Services of TruBridge, LLC.
The Cybersecurity Committee meets quarterly to discuss the primary cybersecurity-related risks currently facing the Company, and the Committee reports to Mr. Fowler, the Company’s Chief Operating Officer and President of TruBridge, LLC, who in turn provides updates to the Board. Additionally, we appointed a new Security Operations Center (SOC) Director to oversee a number of initiatives designed to improve our cybersecurity protection, readiness and response. The SOC Director oversees penetration testing for TruBridge customers, vulnerability scanning by CPSI and TruBridge, endpoint threat detection and response development, insider threat detection and monitoring, security event application management and other cybersecurity-related projects. The Company also consulted with a third party in 2017 to conduct an evaluation of our cybersecurity risks. Finally, all users employed by or contracted to the Company are required to complete annual cybersecurity education and training, which includes identifying suspicious emails, Internet threats, telecommunication threats and ransomware.

Intellectual Property

We regard some aspects of our internal operations, software and documentation as proprietary, and rely primarily on a combination of contract and trade secret laws to protect our proprietary information. We believe, because of the rapid pace of technological change in the computer software industry, trade secret and copyright protection is less significant than factors such as the knowledge, ability and experience of our employees, frequent software product enhancements and the timeliness and quality of our support services. The source code for our proprietary software is protected as a trade secret. We enter into