Originally published in Quest Diagnostics' 2023 Corporate Responsibility Report
Safeguarding our patients’ data
Quest safeguards the privacy and security of our patients’ health information through policies and procedures, and by developing solutions to tackle emerging data security threats.
DATA PRIVACY
We have a mature and effective privacy program that includes detailed privacy policies and procedures, training, auditing, and ongoing privacy awareness reminders. Our comprehensive program addresses a broad range of privacy subjects including protected health information disclosures, key privacy safeguards, and minimum necessary access to patient health information. These policies are available to employees on our intranet site. All employees undergo annual training on the Health Insurance Portability and Accountability Act (HIPAA). For both new and existing employees, we may provide more specialized privacy training based on an employee’s job function. In addition, the Company continues to review new regulations and state laws and implements required controls as needed.
CYBERSECURITY
The strength and resilience of our cybersecurity and data privacy programs are critical in maintaining the trust of our patients, customers, employees, shareholders, and other stakeholders. Securing our business, customer, patient and employee data, and our information technology (IT) systems is an important part of our overall risk management framework. Quest’s cybersecurity program is overseen by the Chief Information Security Officer who reports to our Chief Information and Digital Officer.
Quest maintains a comprehensive cybersecurity program developed to align with best-practice frameworks, applicable laws and regulations, and our contractual obligations. We’ve designed the enterprise-wide program to secure our facilities and information systems and safeguard data throughout its lifecycle, including data provided to third parties performing services on our behalf. Our cybersecurity program incorporates standards, processes, and controls over a number of domains, including, but not limited to, governance, IT risk management, access controls, facility and data protection, IT systems and data transmission security, threat intelligence and incident response, supply chain risk management, disaster recovery, and vulnerability management.
Our cybersecurity risk management program monitors our systems and networks for threats, breaches, intrusions, and vulnerabilities; assesses the security of our company-wide software, applications, and systems; conducts security audits and threat assessments; responds to cybersecurity incidents; and facilitates training for our employees. We’ve also convened an IT Risk Council, with enterprise-wide representation, which receives quarterly and ad hoc updates on our cybersecurity efforts. Recognizing the interconnected nature of the healthcare industry, we prioritize supply chain security to mitigate the risk of third-party breaches. We assess the security posture of vendors and partners with whom we interface, or who store, process, host, or transmit confidential patient and employee data or other confidential information.
Our cybersecurity program is based on multiple security frameworks, including, but not limited to, the National Institute of Standards and Technology (NIST) Special Publication 800 series of information security standards, the MITRE ATT&CK framework, the Payment Card Industry Data Security Standard (PCI DSS), System and Organization Controls 2 (SOC 2), and International Organization for Standardization (ISO) 9001:2015 and ISO 15189.
Our cybersecurity program is continuously evolving to adapt to emerging threats, strengthen our security posture, and ensure the resilience of our services. Our Board of Directors oversees our cybersecurity via the Cybersecurity, Quality & Compliance, and Audit & Finance Committees.