Cybersecurity & Privacy
At Quest, the strength and resilience of our cybersecurity and data privacy programs are critical in maintaining the trust of our customers, partners, employees, shareholders, and other stakeholders.
We have robust governance practices with respect to cybersecurity and data privacy. Our Board of Directors oversees and is regularly engaged in our cybersecurity and data privacy efforts. The Board’s Cybersecurity Committee, which consists solely of independent directors, oversees the company’s cybersecurity policies, plans, programs, practices, and risks related to cybersecurity and data security. The Board’s Audit and Finance Committee, which is responsible for overseeing our enterprise risk management program, receives updates regarding cybersecurity at least annually. The Board’s Quality and Compliance Committee oversees and receives regular updates on data privacy. Management is responsible for cybersecurity, data privacy, and related risks, including through committees consisting of senior officers of the company. The Board regularly receives briefings and updates on cybersecurity, data privacy, and related risks from each of the responsible committees and management.
Data Security & Privacy
Quest maintains comprehensive cybersecurity and privacy programs aligned to best practice frameworks, data privacy and security laws and regulations, as well as our contractual obligations. These enterprise-wide programs are designed to secure our facilities, information systems and protect data throughout its lifecycle, including data provided to third parties performing services on Quest’s behalf. As a company operating in a highly regulated industry, we are subject to extensive data privacy and security laws and regulations, including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), various state privacy laws, and the General Data Protection Regulation (GDPR). Management regularly evaluates the cybersecurity and data privacy programs. As discussed above, the Board provides oversight. Data security incidents are reflected in our financial statements in accordance with regulations and accounting standards. We meet our breach reporting and notification obligations by notifying affected individuals, regulatory authorities, and other entities as required by law.
- Our HIPAA Notice of of Privacy Practices, Privacy Notice, and Cookie Notice, all available on our website, include information about our data use, data disclosure, and privacy practices.
- Our data privacy program is supported by a comprehensive set of policies and procedures that describe appropriate uses of data and the administrative, technical, and physical safeguards we have in place to protect the privacy and confidentiality of the information with which we are entrusted. We adhere to HIPAA’s minimum necessary standard, which requires that we limit the use or disclosure of protected health information (PHI) to only what is necessary to accomplish the intended purpose of a particular use, disclosure, or request. We have a well-established program to receive, investigate, and respond to privacy complaints. As set forth in our Code of Ethics, all employees have a duty to report potential or suspected violations of company policy or the law, including those involving data privacy. In the event a breach occurs, we take corrective action to address the breach and implement proactive measures to help reduce the risk of future breaches.
- Our cybersecurity program incorporates standards, processes, and activities over best practice domains, such as governance, access controls, facility and data protection, IT systems and data transmission security, threat intelligence and incident response, third-party risk management, disaster recovery, and vulnerability management.
- At our facilities, we employ strong physical security measures, including limiting access to authorized employees, requiring visitors to be escorted at all times, utilizing environmental security controls, and maintaining secured storage areas for confidential information.
- Our Strategic Threat and Intelligence Center manages our threat landscape and uses a variety of security technology and threat intelligence tools designed to detect, prevent, block, analyze, and respond to cybersecurity threats. We have a well-established incident response program and at least annually, we review and test our program to simulate emergent threats and scenarios that could arise from potential cybersecurity attacks and data breaches.
- Due to the constantly changing nature of technologies and security concerns, we regularly conduct audits and risk assessments and review our security and privacy policies and procedures.
- Our cybersecurity program is based on multiple security frameworks including the National Institute of Standards and Technology’s NIST 800 Special Publication Information Security standard, MITRE Att&ack, the Payment Card Industry Data Security Standard, the System and Organization Controls for Service Organizations 2 (SOC 2), ISO 9001:2015 and ISO 15189, and Sarbanes-Oxley.
- The cybersecurity program is aligned with the company’s Enterprise Risk Management Program.
- We educate employees through cybersecurity awareness and data privacy training programs at least annually and policies and procedures are available to employees on our intranet site. Training activities are designed to educate employees on important subjects (e.g., protecting patient privacy; ensuring safe data storage and transit; and recognizing potential cybersecurity attacks) and to build awareness about cybersecurity and data privacy risks (e.g., through security awareness challenges, alerts, and simulated phishing campaigns).
- We maintain risk management programs designed to assess and address the security and data privacy risks of our suppliers, outsourcing partners (including with respect to revenue cycle management), potential acquisition targets, and other business partners.
- It is our policy to enter into business associate agreements with vendors that obtain, maintain, use, or disclose PHI on our behalf; these vendors agree to safeguard the PHI as required by HIPAA. We also have policies and procedures in place that govern data transfers to third parties, including appropriate methods and controls, such as standard contractual requirements.
- We engage in industry forums and with US intelligence and law enforcement agencies to make faster, more informed security decisions to identify, respond to, mitigate, and prevent cybersecurity threats.
- We carry insurance for cyber-related incidents and breaches at industry-standard levels. The policy, including types and amounts of coverage, are reviewed annually. For more information on our board committees, including the Cybersecurity Committee, please refer to our 2023 Proxy Statement. For more information on risks relating to cybersecurity and how we mitigate such risks, please refer to our 2022 Annual Report on Form 10-K.