Customer Insights: John Nelson reacts to the HITRUST and American Medical Association Cyber Risk Announcement

In late September, HITRUST and the American Medical Association announced a partnership to provide education on cyber risk management to healthcare organizations across the US. Their efforts focus on information security risk management, HIPAA compliance and cyber security; with recommendations specifically tailored for small practices, who often lack the resources and personnel that larger organizations have.

Today I spoke with John Nelson, Systems Administrator / Security Officer for U.S. Expediters, Inc. to discuss the ramifications and opportunities of this partnership. John is the Security Officer for U.S. Expediters, Inc. He is responsible for policy development and operations related to information security and compliance. Following a career in Fire and Emergency Medical Services, he has been involved with information technology in the healthcare sector since 2000.

Wes: John, tell us your thoughts on the AMA and HITRUST partnership for security education around cyber risk management.

John: I am encouraged to see the AMA stepping up and seeking partners to help educate their members about the challenges they face in effectively dealing with a rapidly changing threat landscape. This initiative seems to fit well within the AMA’s stated mission: “Our mission is to promote the art and science of medicine and the betterment of public health.” The last few decades have seen digital technology bring radical changes in everything from practice management to the very tools used to diagnose and treat patients. Along with that change, of course, comes new risk. It is well that the AMA is expanding it’s advocate role to include education about those risks and how to mitigate them.

Wes: What do you think this means for small and mid-size healthcare organizations in the US?

John: Honestly, my fear is that the serious gaps I often see in the security posture of smaller organizations (which include, by the way, most hospitals and medical practices) will remain largely unmitigated. So often, many excellent solutions, designed and marketed to larger enterprises, are unapproachable for most smaller organizations. They’re either too complex, or too expensive, or both. My hope is that, with educational pushes like this, the great numbers of these smaller organizations will recognize this gap and create demand for effective and more affordable solutions.

Wes: As we all know, smaller healthcare organizations have their hands full with so many priorities. Cybersecurity is just one challenge among many. In your experience, what should security leaders in small and mid-size healthcare organizations be thinking about to enhance their cybersecurity posture?

John: In a word - vigilance. I wish I had a dollar for every time I’ve heard it asserted that, “Our anti-virus software is up to date, so we’re good.” For years, passive defenses like that were usually enough, but the modern threat landscape demands a more proactive approach. We must continually assess that landscape and our security posture within it. We should be actively identifying and mitigating vulnerabilities within our environments. We should be actively looking for signs of compromise in our environments. The “2017 Cost of Data Breach” report from The Ponemon Institute puts the “mean time to identify” a breach at 191 days. That’s down significantly from 229 days in the 2016 report, but it still dramatically underscores the need for more, and better… vigilance.

Thanks for your time, John! We really appreciate you talking to us today.

About U.S. Expediters: U.S. Expediters, Inc. is based in the Houston, TX area. It is a group of companies, each of which is involved in the treatment of sleep apnea. Among those entities is cpap.com, the world’s largest Internet retailer of CPAP equipment.

About Perch Security: Perch Security offers the first Community Defense Platform. For the first time, even small and midsize businesses can use their sharing community membership (ISACs and ISAOs) to access their relevant industry-specific threat intelligence and participate within the community – all without purchasing specific tools or increasing staff. www.perchsecurity.com

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: CCleaner: how to use Perch to confirm you weren't compromised