Jericho Simmons – Sound Physicians

Jericho Simmons is not among the doctors, CRNAs, advanced practice providers or nurses Sound Physicians provides to health care networks throughout the U.S. for acute care services.

However, as chief information security officer, Simmons manages the company’s security, ensuring that sensitive data such as personal health information is protected.

Jericho Simmons | Chief Information Security Officer | Sound Physicians

Founded in 2001, Sound Physicians is a physician partner to more than 400 hospitals in 40 states, as well as health systems, health plans, physician groups, and post-acute providers collectively caring for more than 1.5 million patients. It’s headquartered in Tacoma, Washington.

Drawing from a decade in the field, Simmons says continued training and education are the best ways to prevent malware, ransomware and hacks, especially with cybercrime more than quadrupling since the onset of the COVID-19 pandemic.

“When I began my career, technology seemed to be the answer,” he says. “But you have to have a person to work that technology—it’s not necessarily the key to success, it’s a component.”

Testing required

Simmons says it’s crucial to emphasize security throughout the organization before deciding which cybersecurity vendors and platforms to add to the IT operations. He also ensures compliance with regulations such as the Health Insurance Portability and Accountability Act.

In 2019, he established a 12-week program that’s open to everyone—whether working in tech or not—who wants to become a security expert. The program provides colleagues with a structured plan and a security professional as a mentor. The participant gains basic experience in security practices and is a part of the security team during the program’s term, Simmons says.

“Risk can’t be fully remediated because of the human factor,” he says. “We rely more on colleague behavior to develop our training exercises. Our colleagues went from 68 percent in identifying a threat to 92 percent within a couple of years.”

Simmons also leads annual security training using a course from Cornerstone that includes testing. But once a year training and reinforcement isn’t enough, he says. So, he and his team of six send their own phishing emails throughout the year—he says investing the team in the exercises enables creative innovation.

At least once a month, Simmons meets with business units to inform them about developing cybersecurity threats. His goal is to make security relatable—to show the connection and how it can also be applied to their personal lives. He also provides contact information people need if they are hacked or attacked by ransomware.

“If I can get someone to change their habits at home, they will bring those habits to work,” Simmons says.

He also relies on LBMC Information Security for penetration tests on the Sound Physicians network. LBMC provides National Institute of Standards and Technology and HIPAA risk assessments and expertise for compliance related changes he might need to consider.

This year, he added HITRUST Assessment Exchange to vet new partners’ cybersecurity capabilities and ensure they meet National Institute of Standards and Technology standards for protecting personally identifiable information and personal health information. HITRUST’s surveys can reduce the vetting time from six weeks to two weeks.

“Being naive is a big weakness for a security leader,” Simmons says. “Things can become neglected because of the failure to understand what’s on the outside for threats.”

Cooking up a tech career

While Simmons enjoys guiding IT for Sound Physicians, the St. Louis-area native hadn’t aspired to a tech career as he was growing up.

Even after he began working at Jefferson College in Hillsboro and decided to take advantage of the free tuition it offered employees, he says he was interested in a degree in culinary arts and a career as a chef.

However, the courses were filled, as were those for his second choice in architecture. So, he asked a guidance counselor what was open, and the answer led to him earning an associate degree in networking.

“I did well, and it turned out I have the skillset,” Simmons says.

He began working as a computer technician at Jefferson College in 2003 and two years later joined the Regional Justice Information System in the same role. REJIS is a computer information network that provides data processing services and online information systems to law enforcement agencies, courts and corrections departments in Missouri and Illinois.

When Simmons joined Something Cool LLC in Potosi, Missouri, in 2007, he managed technology for three school districts and assisted the company’s tech support for governments, banks and physicians’ offices.

In 2009, he became network administrator for Mineral Areas Regional Medical Center in Farmington, Missouri, which was owned by Capella Healthcare Inc. While managing the network and its security, Simmons also created and maintained the hospital’s intranet system, which included the cafeteria menu, an anonymous suggestion system and help desk ticketing system.

In May 2012, Simmons moved to Franklin, Tennessee when promoted to systems administrator for Capella. He led the system’s 11 IT teams on asset management, hardware provisioning, networking and security protocols. He also assisted in large-scale projects including Health Management System conversions and upgrades.

A ‘Sound’ shift

Simmons joined Sound Physicians in September 2014 as systems administrator responsible for security. He investigated security incidents, developed using Alien Vault for security information and event management, and created a system to notify him of any suspicious behavior from any domain user activity.

In January 2017, Simmons was promoted to senior manager for information security. When he was named director of information security in July 2018, he also returned to Missouri. He was named to his current position in June 2021.

Simmons, who enjoys spending time with his family and studying biblical scripture while volunteering at his church (he’s also written articles from his biblical studies), says his approach to network security is based on understanding his workplace.

“If I were stubborn as a security person, I’d want every piece of technology,” Simmons says. “I understand the business needs to run as a business and not a security business, though. I also believe that if people think about security upfront, then they incorporate it and ask the right questions to make sure they’re putting something in that will stay long term.”

View this feature in the Summer II 2022 Edition here.