Wilmington Gastroenterology uses the CIS Controls as a Foundation for Securing their Practice

In early 2016, Wilmington Gastroenterology brought a systems administrator and security officer in-house to manage their IT systems, security compliance, and training. Wilmington Gastroenterology is the largest GI practice in the area, with nearly 100 staff members, and is ranked one of the top 10 in the state of North Carolina. We recently spoke with John Culotta, who stated, “this really is my dream job – being able to take my skills and have the opportunity to apply the CIS Controls to an organization that is more than willing to raise the bar for cybersecurity maturity.”

CIS Controls Introduction

CIS learned that Mr. Culotta always had a desire to work in Information Technology. He got his chance back in 2013 when he enrolled in Healthcare Business Informatics at Cape Fear Community College, where the curriculum prepared him as a specialist in installations, data management, data archiving/retrieval, system design and support, and computer training for medical information systems. Mr. Culotta was required to take a security class and stated, “I was blown away with a great instructor who introduced me to the CIS Controls and how great it would be to get into somewhere to use the CIS Controls.”

A Foundation

Mr. Culotta explained that upon arrival he helped the practice transition from out-sourced IT to in-house. The practice now relies on the CIS Controls as its security guideline and foundation for securing its environment. He further explained that he has been resourceful in finding people and specialized support teams to assist him with implementing the CIS Controls in the practice's ongoing endeavor to improve its security posture.

Leadership Buy-In

Leadership understands the importance of security, that there are many challenges, and that they must be open to the new ideas and techniques required for securing their practice and its medical and patient information. Mr. Culotta stated, “I could not ask for more; when I present project proposals to leadership in an IT scope where we need to improve, they help make it happen.”

Resources and Training

A variety of resources are used by the practice to provide security training for the physicians and staff. The practice takes advantage of a number of vendors and service providers for varying levels of additional support, including backup and disaster recovery (DRaaS), host intrusion detection, peripheral and endpoint management, data encryption, advanced network and firewall configurations, and hardware maintenance.

Commitment to the Controls

The practice is committed to standing with others in the healthcare industry to improve cybersecurity standards by adopting the CIS Controls as its security guidelines, protecting patient information, prioritizing its endeavors, creating policy, and developing a long-term plan.