St. Joseph Health Director of Technology Infrastructure & Cyber Security (Information Security Officer) Jesse Fasolo talks with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra at the Vive Conference about the benefits of having clinical engineering report up to IT security; some key points for proper cyber-hygiene; and the importance of developing a process for vetting and approving apps before they come onto the network.
Anthony: Tell me a little bit about your organization and your role. We’ll start there.
Jesse: Absolutely. St. Joseph’s Health is a hospital system in New Jersey. We care and dedicate most of our care in clinical teams towards helping the underprivileged, underserved in the community. We’re a very large charity care facility. We’re about a 1,000-bed system, 40 ambulatory sites, two acute care facilities at the moment. I have a background in multiple industries and I brought all different types of transformational projects that I’ve led in finance, legal and other industries into healthcare. And I’ve been helping them for the last eight years transform not just technology, but innovation and processes and procedures.
Anthony: Very good. I’m going to start with an open-ended question. What are some of the main trends that you’re watching, looking at or trying to position your organization to deal with?
Jesse: I think top of mind as the information security officer of the organization is ensuring safety and confidentiality of data. We had just recently talked about that in the panel of securing your data. So with the risk of ransomware and bad actors attacking healthcare recently, my role more or less keeps me very busy trying to prevent that. And I think communicating to the executive team, communicating to the organization how we need to position ourselves, what products, what technologies, what procedures we need to put in place to allow us to protect the corporate data, patient data specifically, is critical. At the end of the day, the data security is paramount to protecting our patients.
Anthony: When we talk about protecting the data, is that the same thing as medical device security? Meaning that when we can secure our medical devices, we are keeping bad actors from getting to the data.
Jesse: I think it’s an ecosystem. I think when you think of cybersecurity, cybersecurity focuses on the securing of the devices, the securing of the infrastructure. Information security also is a higher level where with information security you’re protecting the data, transmission of the data, the access of data. So you put both of those together in an environment such as healthcare with legacy devices, and you just mentioned medical devices specifically. Healthcare is plagued with medical devices that are aged out well beyond the capabilities of patching and vulnerability management. So I think it goes hand-in-hand: protecting data, protecting the devices and coming up with strategies to isolate or mitigate or protect them from a physical attack, just because of the prevalence of legacy medical devices in healthcare.
And then just to add to that, I recently took over clinical engineering, which gives me a better grasp of all medical devices in the facility, the inventory, the database of all the devices, the management and maintenance of those devices. Now I have the ability to dovetail cybersecurity and protection of those devices at the same time.
Anthony: Yes, I’ve heard there are different reporting structures, but definitely a trend is clinical engineering reporting up to cybersecurity.
Jesse: That’s how we have it here at St. Joseph’s Health and it’s working to our benefit, because I’ve been able to bring the refinements and efficiencies I brought to cybersecurity and program management and vulnerability management to the same level of preventive maintenance and management care of devices.
Anthony: So when you don’t have that, what are the challenges that come up when clinical engineering or biomed does not report up through cybersecurity? What are the difficulties that come up?
Jesse: Oftentimes even when it was prevalent in the environment, there’s a gap of who owns the device, who managed the device, how do I get access to medical devices if information security has a list of vulnerabilities and you just don’t know where and how to find them? And then most security professionals don’t understand that these devices are connected to patients. At the end of the day, they’re either preventing or helping a patient in care. And there’s sensitivity around acquiring that device. They need to be cleaned and brought to a specific location in the hospital. And those are the areas where you need to collaborate with central sterile and biomed and clinical engineering to start approaching them with vulnerability management at that point, because once they come in for service, you’re missing the opportunity. And I think previous to cybersecurity having access to that, we would not be able to access those devices in time or it would be something that we have to accept on the environment just because these are legacy devices.
But it’s been successful being able to identify vulnerabilities, being able to pull and coordinate. For example, we had our pump system, infusion pump system and they had not just recalls but we were able to upgrade firmware and mitigate vulnerability, and we’re talking a fleet of thousands of devices. Being able to manage the inventory on the clinical engineering side, and mitigating the cybersecurity vulnerabilities at the same time, and do both groups at the same time, allowed us to be successful in closing out those vulnerabilities quicker.
Anthony: What has that transition been like, bringing that group under you? Any time you’re changing reporting structures and things like that people can feel like their toes are getting stepped on.
Jesse: I think it starts with an open mind that you have to slowly introduce yourself to the idea that now the department is going to be run and managed in a different way. I think, in our case, it was a welcome invitation where I was able to lead and drive and be present and help them transform inefficiencies that they had with their leadership, just because they didn’t have the direction that they needed. So I’ve brought more control and more refinement. I immediately deployed a medical device management system that allowed us to really recognize the sheer scope of these medical devices and the concern. We went through all the policies and procedures and aligned them to new standards. We ensured that everyone both on the clinical engineering and security side and IT side understood what was in their policies and how we’re going to deliver this program.
And then from a leadership perspective on my end, I think having my one-on-ones with clinical engineering management leadership, looking at career paths and really engaging with the individuals on the team is helping. So I think we’re starting to promote the team and promote that across the organization. So monthly, we provide a list of preventative maintenance. We’re more aware of the business units. We built a governance structure around clinical engineering for the organization with nursing and IT and cybersecurity and other areas. So we all come together. We understand who’s acquiring medical devices now, where previously organizations struggled because business units buy medical devices without the cybersecurity individuals understanding how to secure them. And then they bring them on the network and then you find out they’re vulnerable and no one’s managing them.
So we’ve fixed all of that, simply by me overseeing that group and building some governance and structure around how we handle medical devices. And that’s both on-site and when you acquire medical devices and when you retire medical devices as well.
Anthony: When an organization brings clinical engineering under IT security, is it important to let them know you are just as concerned about patient safety as they are?
Jesse: Yes. I think even in the IT roles and areas that I oversee, everything I do, I understand that what I’m doing is to protect or help a patient at the end of the day. So when you reframe what you do in that lens, it helps you identify that mitigating vulnerabilities, for example, or managing that department in a different way, is all essentially helping patients.
Over the last year, we’ve rebuilt the awareness for the team and how they are seen. So oftentimes biomed or clinical engineering is looked at as the ones that just fix the product, but they really are the ones that maintain the devices to provide clinical care. So if the preventive maintenance is not done on the device, they should not be using it on the patient, which means it could impact clinical care.
It took a long time, but nursing leadership understands the role and appreciates the urgency that we put around making sure we have on-time preventive maintenance, that we have on-time good inventory of our systems when things are needed or requested.
Anthony: Can you break down intrusions into two buckets – one in which you need help from a human (such as phishing) and one where you do not (a device hack)?
Jesse: It’s definitely different factors. And what you see, what I’ve seen is once someone has a credential and they’re able to get on the environment, the easiest thing they can do is identify a machine or a piece of equipment like a medical device that doesn’t have native protection, that doesn’t have monitoring. They don’t have oversight of that device and that device then can be used to infiltrate masses across the organization. Because essentially no one’s watching it.
Anthony: I’m sorry to interrupt, but in this scenario you’re coming up with, you said they got a credential. How did they get the credential in your scenario?
Jesse: So there’s many different ways. Now you’re seeing credential theft, whether it’s internal, an individual selling their credentials. That’s a popular way for bad actors to be accessing internal environments. Other areas like you mentioned are social engineering or phishing or credential stealing where you are prompted to go to a website and put in a credential. All of these areas are avenues of how to get credentials, or just legacy passwords that are used. We recently adopted a password check utility where it identifies the passwords that you’re using across a database of 6 billion common passwords, and it doesn’t allow you to use them. But previous to that, you can imagine, welcome1234 is a simple password and you could use that. So eventually, someone can get a password and credential to get access to your systems.
And obviously, there’s other system service accounts that vendors can have. You’re seeing password database vendors being breached which means all of the passwords, database passwords for customers that are stored in those databases are now stolen. So for example, if the healthcare system’s passwords were stolen, now they have access to your system and you didn’t even give them to anyone. They went through this secure system or software that you were using as a database for all your passwords in the system.
So there’s many avenues of how someone can get a password and once they’re in, they’re in. And again, medical devices, if they’re not up-to-date, if they don’t have good firmware, if they’re not managed, it’s a way to really impact healthcare and patient care specifically. Because if you impact the devices that are connected to a patient, you directly impact the patient.
Anthony: Are there open doors where you don’t need a password or credential per se? It’s just an open door that no one realized was open.
Jesse: Most organizations, if they don’t have good oversight of the devices, the devices and equipment and computers and systems come in and they’re leveraging administrative passwords and default passwords that are well-known. I could probably name off a couple of different vendors that are well-known that if you use their technical support service accounts, it’s the same everywhere. It’s the same account, same login, same password. So if you don’t change that and require that to be changed, then a potential bad actor can come in and try to use that account to gain access. And again, there’s many possibilities here.
Anthony: And you think that’s still happening? You think there’s people with such bad cyber hygiene that that’s still going on out there?
Jesse: I think when you look at the amount of devices that any one healthcare system can have, for example, a small healthcare system may have 30,000 devices on their network at any given time. And on average, they have five people in their network team and maybe three in their security team to manage all of these.
And most of it predated them in the organization, and you’re talking 15-year devices, 10-year devices, they don’t know who set it up and who configured it. So you literally would have to go through the entire database of devices and the entire environment one by one and identify this application and put a security control or put a standard against it and move on to the next. So yes, there’s the possibility of things being overlooked out there.
Anthony: Let’s say somebody asks you to mentor a new CISO at a health system, maybe not a lot of experience, just promoted from a director position, what would be the top three things you would say – Hey, listen, one, two, three, you have to work on this and then we’ll talk about your next steps?
Jesse: I think day one, any new cybersecurity individual, whether they’re management or at an engineering analyst level, they need to look at all of their surface area and understand their vulnerabilities and their risks. And if they’re not documented well to begin with, they need to start looking at that. Some of the standards that are out there, NIST, etc., they give you a guide of what you need to put in place to secure your environment and to secure your environment as far as the HIPAA security rule goes, and it’s a good model. So, anyone new into healthcare obviously needs to follow a model. You can’t boil the ocean.
So you’ve got to start strategically and go through and do it based on risk. So if you have something externally facing, high risk, that anyone can get to, that’s your first line of business. Secure your external assets, secure what anyone out there can get to. And then obviously with cybersecurity, as a CISO, you have to start partnering.
Most organizations, they see the security team as an issue or impediment to business operations. Because security always has to get in the way of moving a purchase or integrating a vendor or they put specific controls around the deployment and it makes it more difficult for vendors to access. But all of this stuff takes building relationships. So a new CISO really needs to start reaching out to nursing, building and establishing relationships with nursing, clinicians, legal, risk, privacy, compliance and really do more relationship management for security. Because once cybersecurity is seen as the bane of the organization, that’s a really tall hill to climb back up. So start with that.
And then, the third I would say is establishing your team and your bench. Oftentimes in this day and age, cybersecurity capabilities are lacking. The cybersecurity products, technologies and vulnerabilities are far outspanning the capabilities of teams internally. So really seeing where they are and developing education, developing programs to really propel them, get them up to speed and identify your systems and tools that they either can manage, can’t manage or should not be managing and start picking your devices as far as what can be managed outside, what should be supported internally, what should be supported by a vendor, a manufacturer and start there.
Anthony: NIST seems to be the de facto roadmap that everyone works towards, is that correct?
Jesse: That’s the most popular. It’s not a model that’s impossible to achieve compliance against. What you’re referencing I think is 800-66r2, they just came out with a new revision of how to implement it – how to implement the program. It’s a guide. It’s a guide to succeed and organizations, the cybersecurity leaders really need to do an assessment themselves, in addition to the third-party assessments they are required to do. And they need to track progress and try to get to 100 percent compliance. And each year should be an iterative process of trying to achieve success in that model. And then once you succeed there, you can start looking at other models, such as HITRUST and ISO and other more stringent models to accompany that NIST model.
Anthony: How do you think about Zero Trust in all this?
Jesse: Zero Trust is a really good perspective that people should be adopting. If you look at anything in security, cybersecurity and technology you should not trust it. You should not trust people using it without ensuring their security and controls are in place. I think it’s a good model to be adopted. You need to secure your devices before people actually get used to using them with a Zero Trust model. You need to implement multifactor authentication and force stringent passwords and force minimum access required, for example, using roles and using minimum access. Not everyone needs full access to things and it should be very small as far as what you need access to. Eventually, organizations should start going down the path of Zero Trust; it takes a while. Because you’re changing how the whole team does their work and it can be successful. But again, I think it takes that relationship building, the communication of what we’re doing, why we’re doing it and slow and simple steps. And again, when you do new products and new deployments, those are opportunities to gain big advancing moves toward Zero Trust.
Anthony: You talked about IT security not being an impediment to business. I’ve talked to CISOs who have SLAs with the businesses, in that they promise to get the basic evaluation done on an app in two weeks. What do you think about that? How are you handling it?
Jesse: So we went through that over the last, I would say, three to five years, where there were instances where systems were popping up or purchased and at the last minute provided to security technology asking for assistance to bring it on to the network and implement it and integrate it. And at those times, what we learned was you can’t just say no because this is ultimately a product that’s going to help patients. So you have to think of it like that. The business had already acquired this asset and this tool or the software, and if it’s already too late in that aspect from a purchasing and acquisition perspective you need to accommodate it to some degree.
Over the last three years, we’ve gotten to the point where any new acquisition, new hardware acquisition through our purchasing team or value chain team and/or legal contract has gates that they have to get past. And one of the gates is a cybersecurity assessment, third-party assessment, and a review by me. So I have to look at the product before it’s purchased and during contract renewals. I asked the organization to update our BAAs with every single contract renewal.
And in those BAAs, we’re requiring some minimum security standards. So those are one of the areas where organizations need to focus – their contract and their purchasing arms because that’s the way things come into the organization. Typically, you don’t see clinicians or departments running around with their credit card buying devices. They’re going through the process of using the healthcare system’s money to acquire it.
So you have to build that relationship with that purchasing team so that when they have a new product or new request, say for a pump or a vent, they’ll reach out to me and say, “Hey, we have this request, please review it.” So often they already know and they’re providing me the MDS2 form, which is an overview of the security controls on the device, if it’s a device. They’re providing me the minimum security documentation and white papers and information in advance, and then we have a conversation. Typically, my turnaround for any third-party assessment is about two weeks.
So we close that out within two weeks, we give you a decision. If it’s high risk to the organization, whether it’s software or a system or an integrated system or a SaaS system, then we have a conversation with risk, legal, with my executive team, myself. And we talk about it. Then we log it. If it’s high-risk, we’re not going to do it. If it’s a low risk, if it meets our threshold, we’ll accept it and then we’ll do whatever we can to control that risk; whether it’s putting boundaries or access lists or other accommodating factors to protect that device or that software.
Anthony: Are you seeing a very wide range of security sophistication or quality in the apps that come across your desk that people want to buy?
Jesse: I think most software vendors are designing and developing software, when it comes to healthcare systems, in a secure fashion. They understand that there are minimum security controls that we require. So I have to say, in recent times, I’m not seeing security be a major concern as far as vulnerabilities. I am seeing how they want access to these devices or access to the environment’s systems; the integrators and/or the vendors want direct access.
Anthony: They want direct access to your environment.
Jesse: To our environment to access and support those devices or systems. And St. Joseph’s and myself, we have a vendor management system that they have to go through to connect to any device in our environment. It records the entire session. We have logs. We have reports on what’s being done. But again, vendors come in and they expect to use whatever service they have and they use, but then you really don’t know what they’re doing in your environment. You have no oversight of that. So for me, I still think that’s the sticking point.
I think CISOs really need to make sure – when you go through software or device manufacturers, vendors, integration contracts or agreements – that you focus on how they’re going to access the device. Because that’s just another avenue to you if they’re breached or if their passwords are breached, they can get direct access into your whole healthcare system.
Anthony: Right. And if they are breached, you want to know how to sever those connections immediately?
Jesse: Absolutely. And our medical device environment helps us do that. There’s a lot of automation with some of our MDR and EDR products that will trigger automation. If there’s malicious activity on these devices then, as you had mentioned, it doesn’t allow them on the network. We have tools that don’t allow the device on the network, or if it is vulnerable or has malicious activity on it, it will block it off the network as well. And again, these tools help complement a device if it’s not as secure as it should be. Those are compensating controls. But you should be looking at these agreements with a fine-tooth comb. The security team should be able to take two to three weeks to assess and identify if there are any alarming issues with the vendor, the manufacturer, the software or the product.
Anthony: Jesse, that’s about all we have time for today. I appreciate your time and I want to thank you for the discussion.
Jesse: Thank you very much.