Technology Expert Jesse Fasolo Highlights Cybersecurity Threats to Healthcare (Interview)

Posted by Ken Reiher

ComplyAssistant colleague St. Joseph’s Health’s Jesse Fasolo, PhD student, director, technology infrastructure & cybersecurity, information security officer, said Information security is changing so fast, healthcare systems need to work on shorter strategies so they can pivot to what’s current. To view the entire interview hosted by Chief Healthcare Executive, please visit their website or refer to the transcript below.

Health systems and hospitals have obviously been thinking about cybersecurity for years now: how can they ensure they are staying ahead of threats?

Well, healthcare systems really need to work on a shorter strategy. Somewhere in the area of one to two years, versus the historical three years. Information security is changing too much. The threats are changing and evolving. So, you really need to focus on what’s present and what’s current. And the tools that are actually coming out really need to be focused on, some of the other areas concern [like] really security operations. While we’re all comfortable with information security, and how it’s running, those plans, procedures and policies really need to be looked at to make sure they’re up to date, and continue into the future with different regulations or different changes.

New tools that are coming out also have different synergies and interconnected components, where you can actually have a toolset that all work together for a better cost. Really, understanding the data that you have. Healthcare systems are known for unstructured data, legacy data, new data. It’s really hard and difficult sometimes to find out who needs access to what, and healthcare systems leaves that open. So really, finding those out and finding the identities that really need to access that data is important. And then classification of that data for security purposes is really understanding who has access and what level of access they need. Is that data really secure or not?

Trending analysis, right? Looking at the trends that are happening in the industry, looking at what’s happening on a landscape, the threat landscape, and then adapting to it, really as it happens, is something really important that healthcare systems cybersecurity professionals need to do. Within healthcare, what I’ve seen also is partnership. You really need to partner with business units such as risk, legal, compliance, and really get everyone on the same page.

Security is historically seen as kind of the wall, right? It’s a hurdle, it’s always an inefficiency. But now security is seen as something that can protect the organization from extended downtimes, right? We’ve seen a downtimes in this industry longer than we’ve ever seen before. So, you really need to protect yourself to be resilient against it.

And then emerging threats is really sharing data, right? So, knowledge sharing, information security is really important to share what you see, and then attach and connect to other sharing networks that share that information with you. So, you can find that data or find the threat or find the vulnerability before it’s really attacked or leveraged in the wild. And then also, probably now more than ever is third-party. Third-party assessments and third-party partners is a vector where you see now they’re going after the partner or the vendor or manufacturer to really attack them, which in turn impacts your business.

St. Joseph’s Health’s Jesse Fasolo, PhD student, director, technology infrastructure & cybersecurity, information security officer

What are the biggest threats or weak points that are vulnerable?

Honestly, I think the biggest weak point and/or the biggest threat right of right now is really the increased amount of phishing attacks that are targeted to healthcare systems. Just our organization alone, we receive 50 million emails a year, on average, and we only allow 4 million in. That’s a huge vast number of what emails are actually identified as malicious. And those are just increasing as we go through. And that’s really a big threat in the industry, because that’s the entry point for a lot of issues within cybersecurity, right? So, talking about ransomware, and all these bad malware and viruses that can happen, phishing is one of the biggest vectors.

Another area is really understanding, like I mentioned before, is identity. Who’s accessing the data? So right now, there’s a big push for identity management, where you really understand the individual and you identify and put a profile around that user, where the user can only access certain things in the organization and nothing else, right? Locking it down to specific targeted appliances or systems. And then on the same vein with identity is really passwords, right? So, the biggest weak point in healthcare is, we have doctors, we have nurses that don’t want to use strong passwords. And it’s an impact to their operations because they have to type it a lot. So, really leveraging products like badge swiping, you know tap-and-go type of systems, and then also, using changes with your passwords, using password list checks where you check for previously pawned or previously breached passwords. Right now, there’s a publicly available database of over 600 million passwords, where they’re well known. You should not allow your healthcare individual’s staff to use those passwords. Right? It’s an easy, it’s an easy win.

Those are those are some of the, I think the biggest threats I’m seeing. And then one other is really back to third party. We don’t know what they’re doing all the time, right? It’s a third party. You’re putting your trust into another organization. And you signed a deal or a contract or an agreement based on what they’re offering you, and you can only understand their security based off of your initial assessment. So, ongoing posture assessments, ongoing checks, ongoing scans of the environment, and really holding your vendors accountable.

St. Joseph’s Health’s Jesse Fasolo, PhD student, director, technology infrastructure & cybersecurity, information security officer