Jesse Fasolo believes there are two types of leaders: those who “sit back and allow the vendor to come to them when they need something,” and those who do the legwork. In fact, by the time he speaks with a prospective partner, he has already done his due diligence, Fasolo said in an interview with Anthony Guerra, Editor-in-Chief of healthsystemCIO. “I want to be the person who’s proactive; who has the vision, the strategy, and the roadmap, and knows how to plot the steps required to get down the road. I don’t wait for a vendor to tell me what steps to take.”
During the discussion, which took place at ViVE22 in Miami, Fla., he spoke about the critical role frameworks play in ensuring organizations remain compliant; the pros and cons of migrating to the cloud; how he works with his CIO to “build a vision”; and the advice he would offer to other security leaders.
Guerra: Hi Jesse, thanks for joining me today.
Fasolo: Thank you, Anthony.
Guerra: Can you tell me a little bit about your organization and your role?
Fasolo: I represent St. Joseph’s Healthcare. We’re based in Paterson, N.J. We serve an underprivileged, underserved community. We’re approximately a 1,000-bed system across two acute care facilities and about 30 or 40 practices that we support.
Guerra: Do you work for my friend, Linda Reed?
Fasolo: I do. Linda Reed is my mentor and direct supervisor.
Guerra: I’ve known Linda for many years; she’s wonderful. So you have a big purview with security and infrastructure. From my experience talking to a lot of security folks and CISOs, I’ve seen that a lot of them come out of infrastructure. Was that your path?
Fasolo: I started out full infrastructure. I went through networking and system architecture, and I got to the point where I started using my knowledge of infrastructure to then secure it, and then I transitioned and absorbed information security and cybersecurity.
Guerra: We are here at ViVE22, which is done in conjunction with the CHIME Spring Forum. This is the first iteration of the show. What are your thoughts so far? You’re on some panels and I’m sure you’ve had a number of conversations. What are you hearing around infrastructure and security, either one or both?
Fasolo: I think infrastructure and security go hand in hand. You obviously need to secure the infrastructure to ensure security across your whole system. The conversations I’ve been having and the questions coming to me are around how I use frameworks to better secure our environment — which framework and what type of software I use to build efficiencies. Resilience, cloud, and ransomware have also come up multiple times. I think everyone in healthcare is still looking at security. It’s a volatile environment.
Guerra: So these are frameworks that we use. If we use some of them, like 405d and maybe NIST, we’re in the good graces of the regulators if things go wrong, right? We get forgiveness. We tried.
Fasolo: Yes. Regulations state that you have to do everything you can. Having a framework in place and applying the rules to your organization and putting forth security tools, processes, procedures and governance. All of those things help, but obviously, organizations are good at a C-level, which we talked about in the panel that I was on. There’s so much more to build on from just being adequate to being compliant.
Guerra: Let’s talk about some of the terms. There’s compliance, which technically means to be in conformity with whatever is required to meet the letter of the law. But compliance has another meaning, from what I understand, around security, and it mostly has to do with inappropriate access to EMRs. Is that accurate? When we use the words compliance and security, are we talking about that and having an audit trail to make sure records were not accessed inappropriately usually by an employee?
Fasolo: When you talk about healthcare, the biggest component is the EMR and your patient data. But it’s so much more. It covers the entire organization as far as contracts and business associates. It covers all different data types and data encryption. At the end of the day, you want to ensure confidentiality, integrity, access, and availability for your data. It just so happens that in healthcare, all of your data is really compromised into your EHR. And so, it becomes the central topic when you talk about protecting it.
Guerra: You’re talking about compliance.
Fasolo: Yes. That’s what they’re looking for. They’re looking to make sure you’re in compliance to protect your patient’s data.
Guerra: And you’re working with ComplyAssistant to help you in this area?
Fasolo: Yes. We work with ComplyAssistant for our governance, risk and compliance (GRC) software, which helps us do internal assessments and list out our risk register. We place all of the risks we identify on a list so that we can share them with executives and with the organization. And so, we have a good risk landscape for all of our threats and vulnerabilities, and we make business decisions based off of those.
Guerra: We talked about NIST and some of the different frameworks. I’ve heard individuals and leaders in security talk about the importance of doing the basics — not doing the second and third level type goals until you get the basics. Some of these frameworks essentially are the basics. It’s the blocking and tackling, to use a sports analogy. You have to get the blocking and tackling right before you do second level things. Does that sound right?
Fasolo: Yeah, I spoke to that in another session where I explained building a strategy for risk management. The framework I landed on, NIST, is really the breadcrumbs for the trail to bring you onto the roadmap. It is essentially what sets your organization up to become compliant. It gives you every list and every question that you need to follow, and the items and toolsets you need to put in place. It’s a tool to actually measure your organization’s compliance as well as its capabilities.
Guerra: In your mind, is there some sort of framework where there’s blocking and tackling and then there’s second and maybe even third-level security related initiatives? And what might be some of those higher-level things you want to look at once you have the blocking and tackling down?
Fasolo: I think blocking and tackling is a great foundation for your program. There are two things. From a technical perspective, you have to look at the products that all work well together. There are advanced technologies coming down the pipeline that use artificial intelligence and machine learning to better use the data that you’re pulling from your tools and measures to then take actions. There are tools that now are doing automated actions in your environment. And then there are outsourced solutions and services to help assist you with a lot of changes you need after you get that baseline in there.
Guerra: So those are some of the second and third level things that you might want to think about to keep your organization secure. Let’s talk about infrastructure and cloud. One of the things I heard in a session was that it’s not as easy as taking an on-prem workload or database and just moving it in the cloud. There’s more involved to get it cloud-ready, or to get the data into the condition where you can leverage the benefits of the cloud. Can you talk a little bit about that?
Fasolo: Any organization can become cloud capable. When I came to the organization, I did an assessment against all of the infrastructure and identified what system solutions — database specifically — could be transported, cloud-hosted and serviced. It’s based on access, on storage, and on usage, in terms of what makes sense to go to the cloud.
On the other side, with most organizations, especially in healthcare, there’s a little fear of taking data out of your own organization and putting it into someone else’s organization. There’s a lot of control within healthcare where if I can’t see and touch it, it’s not mine. There’s also a small risk increase when you’re moving infrastructure services out of your realm.
I think that goes to education. We talked a little bit about that yesterday where now, you have people who may not be capable of managing a migration to the cloud. And there are changes that happen when you have security lapses in your infrastructure. It’s a whole new skill set to learn the ability to manage workloads in the cloud, regardless of what provider you choose.
They’re all different. So sometimes people have hybrid environments where it’s on multiple clouds with storages on different providers; it’s a skill to make that all work well together. And then on the contract side, you need to go through large contract agreements with cloud-hosted providers to ensure your data is secure, to ensure they’re doing their controls and meeting their compliance levels, and to make sure they do that on a continuous basis, because you don’t know what they’re doing. You know at the point of contract, but you don’t know what happens down the road.
Guerra: It must be quite a process going through that contracting. Let’s back up a little bit and talk about the terms. There’s on-prem; we know what that means. There’s multi-cloud, where you’re using multiple cloud providers. And then there’s hybrid which is a combination of on-prem and cloud, and there could be some overlap between those terms. Is that how it works?
Fasolo: Yes. I would also add private cloud, which is infrastructure that’s hosted in someone else’s organization that you’re relying on.
Guerra: What’s the difference between private cloud and public cloud?
Fasolo: So public clouds are the big players — the top three players in the marketplace, and they’re global. They cover an expansive amount of infrastructure and networking. They have huge SLAs — 11 9s of reliability for an organization like that. And then there are organizations that are much smaller and provide private cloud services. They offer you a full stack of infrastructure; it’s hosted on their environment, and they offer it as a service just like these big providers, but in a small niche.
Guerra: The terms don’t make a lot of sense to me. They’re the same thing, but you have a big company versus small company and you’re saying you could get the exact same service. You could buy it here or you could buy it here.
Fasolo: You could. It gets confusing. The smaller ones offer services also to host it, manage, and maintain it, and for organizations that don’t have the experience, it can help the transition. When we talk about multi-cloud, I think one of the biggest cost drivers that people look at and get scared of is the cost of storage in the cloud. Now there are storage providers in the cloud that have multiple tiers of data. Same thing with the bigger ones, but they actually have a much smaller price point. And so, you have organizations that tier their data and their environments; some are on this low-cost cloud storage and their main workloads are on higher ends.
Guerra: You’re saying it’s coordinated to availability, meaning you pay less but the data is somehow less available. You’re going to pay more if you want greater access. Is that correct?
Fasolo: Yes. You pay more for advanced technology services, capabilities, or availability.
Guerra: Is everyone going to have some data on-premise still?
Fasolo: I think everyone’s going to have on-prem for a while. I think the transition to healthcare being fully cloud-hosted is still years away. There are still a lot of legacy systems that would be very difficult to transition from on-premise to cloud. It’s just a matter of time.
And I think what’s happening now is you see software vendors going from offering on-premise software solutions to complete SaaS solutions, where it’s getting rid of even the option of you hosting it and having to put it in your own private or public cloud. Now, it’s a total SaaS product and you’re just accessing the environment they themselves put on a cloud hosting environment.
They’re not managing those servers; they’re using one of the big three. You don’t have to deal with that company; you just deal with your vendor. But that also increases a whole level of risk because you’re dealing with a vendor that now deals with other vendors and other contracts, and you have to worry. We saw that last year there were some cloud providers that lost connectivity because of changes in the environment. It took down major organizations across the US for hours based on an individual change. Luckily, it wasn’t anything worse.
Guerra: And so, it’s your job to navigate this and to provide the feedback to your CIO about what makes sense? For example, our objective is flexibility. We want to be able to provide services for our users that require computing space. Therefore, going to the cloud offers us more flexibility. We don’t have to build out our data center more. We can just make a phone call or push a button, and we can handle it now. It’s that flexibility. But as you mentioned, there are also some risks involved with the migration. You don’t get away from worrying about the security.
Fasolo: Security is still on the mind.
Guerra: So you’re calculating all this and providing feedback and opinion to your CIO and whoever else, saying ‘Here’s what I think based on what I know about what’s available, and here’s what we’re trying to do. Here’s my recommendation on the terms we sign up for. Here are the things I want in the contract, and the things I won’t accept.’ Am I seeing this right?
Fasolo: You’re painting the picture beautifully. It’s a big effort. In alignment with my CIO, Linda Reed, we strategize, and we build a vision. I give tactical and strategic direction on how to get things done and where we should go. Where does the future see us in the next couple of years? I did that for the last seven years while I’ve been at the healthcare system. When I came here, the data center was huge. Over the last five years, it’s been consolidated down to a small infrastructure. I could run the entire enterprise on two racks. It’s become so much smaller to manage and handle internally.
And then you’re using your cloud and you’re using SaaS providers. You have to pick and choose. With certain SaaS providers you want to determine if they are a critical partner. Maybe you need another level of redundancy. Maybe you need access to the data offline. Maybe you need to ensure there’s a secondary or tertiary plan. Even if they say they have 11 9s, there’s always something there.
You find organizations that go out to cloud, and then they back up their data on-premise. You have organizations that offer SaaS and we select them and I give the direction. ‘Yes, we should select that SaaS solution, but if they go down, what’s the recourse? What’s your downtime system? What are we going to do? What’s the appetite for it? How can we deal with this if it does go down and does the organization accept it? What’s the risk acceptance for it?’ That’s what my part is in all of this, from a technical perspective, as well as cybersecurity and information security. I paint the picture and give it to Linda and to the organization, and I offer solutions or technologies that we need to invest in.
So far, at St. Joseph, we’ve transitioned and transformed from a technical perspective. And again, this is not all on me. It’s a team of 100 people that are behind me as well as Linda that make this happen. And we’re all transforming the organization and it’s an ongoing transformation. Once you start down the path of digital transformation — and I know that’s a buzz word — it’s something that you continuously have to put money toward; it’s an investment. And you need to look at new products and partners specifically, because if you can’t sustain and do it yourself, you have to strategically pull in partners to help you.
Guerra: And you have to know who those partners should be. You have to know who the players are. You have to know how technology is evolving. As options change, and something that’s new and bleeding edge and risky becomes more acceptable, you have to know as it happens. And so, what’s your best way to stay informed? A lot of it is going to come from the vendors. Do you do a lot of briefings? Is that part of it?
Fasolo: I would say there are two different types of people. There are people who sit back and allow the vendor to come to them when they need something. ‘I’m in need. I’m going to put my hand up or I’m going to send an RFP or I’m going to talk to other vendors or other partners or go out to conferences and learn from the vendor.’
And then there’s someone like me, who is addicted to technology and learning. I go out and I learn about products and software and capabilities and tie it to the organization and all of its components and tie it to my policies. And then I try to reach out to the vendor. But at that point, I’ve already done the due diligence.
Guerra: How do you do it — by reading articles? Google searches?
Fasolo: 100 percent. There’s a lot of information on the internet about software solutions. There are blogs, forums, etc. This is on the infrastructure side. There’s a lot of talk in the industry of what is coming down the pike and what’s on the Gartner curve. You have to investigate those and see if it’s going to align with your strategy.
Artificial intelligence has been the talk of the town for four years now and we’re finally to a point where healthcare is adopting and using it for certain use cases. And again, there is a need for infrastructure to be able to support that. I would be investing in technology, faster networks, faster capability, and storage, so when the time comes to add more artificial intelligent systems, I’m prepared. That’s my thing. So far, I’ve been successful at staying two steps ahead as to when things come out and are available.
Yesterday, we talked a little bit about IoT in medical information technology. When we looked into this, I did the same thing. I did the due diligence all on my own. I pretty much understood what I needed, and I went out and grabbed it. We talked a little about EDR, MDR, and XDR. Again, I was ahead of the curve. In fact, as soon as Covid hit, the one thing I thought about was what, from a security perspective and technology perspective, would hinder our capabilities of providing care for patients, and which systems, if compromised, would prevent us from caring at that critical point in time. And so, immediately, I started sourcing and doing my own research and finding what products would fit, and what services would complement them. I went out and I contacted the vendor and sold it to myself.
It was funny because when I talked to the vendor, they said, ‘Who spoke to you? Why do you know all this?’ I practically could sell it myself.
Guerra: You should be the one getting commission.
Fasolo: Well, that’s another story. But I want to be the person who’s proactive; who has the vision, the strategy, and the roadmap, and knows how to plot the steps required to get them down the road. I don’t wait for a vendor to tell me what steps to take.
Guerra: I’m guessing you think it’s key for someone in your position at any health system to be a specialist; to have that knowledge. And everything is evolving so quickly that you need to constantly be keeping up with all things or you won’t be able to provide the services your organization expects from you.
Fasolo: Absolutely. I never want to be put in a position where I’m looked to and I say, ‘I can’t do that.’ That’s something I just don’t ever iterate. I want to be able to prepare the organization, my team and IT. It’s a service. If I can offer myself as well as the organization’s technology and cybersecurity teams, and the other teams I manage, and deliver that service the best I can, it requires me to be in touch and involved every step of the way.
Guerra: Are you able to stop doing research and put on Netflix, or are you always learning?
Fasolo: I don’t really watch shows. They’re in the background, but I am on my phone, on a device. I’m working. I have focused and dedicated my life to technology and cybersecurity to the degree where I could literally wake up in the morning and that’s top of mind. When I go to sleep, that’s top of mind.
Guerra: Do you have any time where you want to turn that off, intentionally?
Fasolo: When I’m at the beach.
Guerra: And are you still reading the white paper at the beach?
Fasolo: No. I will purposely put my phone away. But that’s how I’ve been in tune with technology throughout my career. The more you learn about the technologies and capabilities — and, on the security side, the threats and vulnerabilities that are out there — the more proactive you can be. Again, I never want to be put in a position where I would either say, ‘I can’t,’ or, ‘No, I didn’t know about it,’ when someone asks me something.
Guerra: Right. Well, I think we’ll have to talk another time, because I’ve got so much to ask you about business continuity planning, disaster recovery, dealing with third-party security, vetting all your vendors, and going back and vetting the ones that you didn’t vet properly before.
Fasolo: And fourth party vendors.
Guerra: We’re going to have to have another conversation. But I want to give you an opportunity to provide a parting thought for your CISO colleagues. What’s your best piece of advice?
Fasolo: The best advice I’ve learned throughout my tenure here is there are always areas where you’re not the best; the capabilities aren’t there. And just because you are compliant and you’re meeting the measure of the governance and the mark, it doesn’t mean you don’t have to rely on partners. You have to look at technology solutions that complement your organization. You have to build relationships. Relationship building, from a cybersecurity or information security perspective, is sometimes a difficult thing to do. I think if you focus on building relationships with those key departments — HR, legal, compliance, and even the IT organization in general (sometimes they separate information security and IT) — you complement the business. You can’t impede the business, even on the contract side.
You mentioned contracts. If you make it too difficult to pass through a contract, they’re going to start going around you. With information security, if you make the process very simple and get the security part out of the way, they’ll be your partner. They’ll look up to you. They’ll trust you.
For CISOs, relationship building is key. You can’t be the alpha department in the organization. You need to blend with them. You need to help them. You need to assist them in their endeavors to care for patients.
Guerra: It can’t be no. It has to be, ‘Here’s how we can do this thing you want to do. We can’t do it exactly how you want.’ There has to be some of that, right?
Fasolo: Correct. There has to be some give and take. Sometimes there’s rigidity in the CISO suite. You need to build that relationship so it’s not rigid and you’re helping the organization and are perceived as doing so.
Guerra: That’s part of making them understand the risk. It’s saying, if you don’t do what we’re asking you to do, we could go down. We could have a ransomware event. You wouldn’t be able to practice medicine the way you want to.
Fasolo: Right. Education is paramount. Physicians, nurses, and everyone else all need to know the changes you’re making that delay things or add a couple extra clicks, because everything is measured by seconds and clicks. And so, you have to explain. You need to educate. Once you get past that and they see you as a trusted source in the organization, you can start making changes incrementally to secure the organization better.