
6. Hoala Greevy "We're seeing in the market right now is an increased level of sophisticated spam and phishing attacks."

Written by Rick Kuwahara | Jan 29, 2020 8:00:00 AM

This week on HIPAA Critical, learn more about the largest healthcare investment symposium, what Epic Systems warns about Google Cloud and more. 


Rather read?

Here’s the full transcript of this episode.

Olena Heu: Time for another edition of the HIPAA Critical Podcast. And joining me on this episode 6, we've got founder and CEO, Hoala Greevy.

Hoala Greevy: How's it going, Olena? Great to be back with you.

Olena: Wonderful, looking forward to our chat. And of course we're gonna talk about who's winning and who's failing this week. But first, let's dive in to what's in the news.

[THEME MUSIC]

Olena: Alright. So, Hoala, what can you tell us about what's in the news right now?

Hoala: Well, I was back home in Hawaii for the holidays and that was a great recharging of the batteries and connecting with customers and friends.

Real quickly, we did a couple of lunch and learns back home with the Pacific Club and folks like the Queen's Health Systems and the Diagnostic Laboratory Services, came down and learned more about our Project Orca, which is our solution to the need we see in the market for HIPAA-compliant email marketing.

So we showed them what we're working on and got their feedback on what they'd like to see next.

Now, fortunately, we were able to launch that on Christmas Day. And then we rapidly went to work, iterating on some of the features they were asking for.

Namely, we've since added segmentation and smart text to Project Orca, which is what we're calling our HIPAA-compliant email marketing solution.

Segmentation allows you to segment to your email list, so you can have better targeting for your email marketing campaigns. And smart text is our unique method by where the front end user, which is most likely a marketing manager, can choose a drop-down menu box within the text field of their email campaign composer, and they can choose variables to insert to personalize the email.

So pretty excited about that. We also had a social mixer at Murphy's at the beginning of the year. Thanks, Olena, for coming down.

Olena: I was there. The food was great. The company was even better.

Hoala: Yup. We just love having events at Murphy's. They really know how to take care of us. We're looking forward to doing our next one there. So that was a good vibe there. Thanks for coming out.

And then lastly, I was able to get in the water and shoot some fish and catch some tacos. So pretty stoked on that. Water is really cold here in the Bay Area, so any chance I get to go diving in Hawaii, I'm all for it.

Olena: That's wonderful. I'm so happy for you. And I was glad to see you in person as well and meet your dad!

Hoala: Yeah, my dad came out. He was chillaxing. That was good to have him there. He ran into a lot of my old friends, so that was really neat.

Olena: Wonderful. If you don't mind, I do have a side note question that kind of popped up. The name Project Orca, where does that come from?

Hoala: Ah, yeah, so, well, I like being in the water, and trick question, what hunts Orca? And yeah, so nothing.

So that's how we got Project Orca, when we're top of the food chain type of solution here, so that's how we got it. And our customers and prospects seem to have a positive connotation with Orca as an animal, so that's great for us. And yeah, that's how we got the name.

Olena: Excellent. [chuckle] And so, when you headed back to the Bay Area, were you busy diving back into work?

Hoala: Yeah, right. Great pun, great segue. Yep, dove back into work here in SF. We went and had our first social mixer of the year, which was last week, which coincided with the JPM Week Healthcare Conference in San Francisco.

So we had that on the 15th at the Brex Oval Room, and we teamed up with our friends at Zentist, which is a healthcare startup like us. And we had about 30 or 40 people at our social mixer, and I thought that was well-attended and got to catch up with friends and prospects, and I think there was a few customers there.

And then we finished the week with a community service event at the Glide Church in San Francisco, and we served meals to the needy, and we served, I think, about 722 meals and prepped over 400 pounds of chicken. Now, of course, there were much more people than us. We were helping out among a large volunteer base.

And then the JPM Week more specifically, for those that haven't been to it, it's usually the first or second week of the year in January, and it's held by JP Morgan obviously.

About 9,000 people flock in, looking like they most likely came from the east coast 'cause there's a bunch of suits and ties on Market Street.

It's a big healthcare conference, and so we usually go to the after-parties, that's where most of the networking occurs. So we went to the after-parties, and we held our own after-party. And so that pretty much catches us up the first couple of weeks of the year.

Olena: Excellent, congratulations. What else can you tell us about what's happening in the news really to HIPAA compliance and whatnot?

Hoala: Yeah, so what we're seeing in the market right now is an increased level of sophisticated spam and phishing attacks affecting some of our customers.

And so any time we see that, especially when there's a multilayer level of sophistication, because I've been in the email game for 21 years, this has all the look and feel of a nation-state coordinated attack.

And so, what's going on right now is we've got this geopolitical conflict with Iran, and so not only is Iran most likely launching cyberattacks on us, but it's also a nice plausible deniability if you're another nation-state, let's just say North Korea, and you have a network of hacked machines in Iran, you can launch your attacks through Iran and have all accountability diverted from you because the attack looks like it's coming from Iran when in fact it's coming from another nation-state, let's just say North Korea.

I expect that trend to continue, at least for the first two quarters of the year.

And we're talking about like sophisticated stuff. I mean, we're talking about university web servers, for example, .edu.

So they'll hack the web server, they'll install a mini-website hanging off the URL structure of that web server.

They'll combo that with a zombie domain, a domain name that's been around a while, but doesn't necessarily send a lot of email until the time of the attack.

And then it'll have a neutral reputation as far as the domain name goes, they'll send from an IP that has a neutral reputation, and then they'll embed a link asking you to, whatever, reset your password or take some action, all basing on the URL of a legitimate .edu site.

And so, when we see all three and four of these working at the same time, that's definitely a sign of sophistication.

Normally, when I saw it last, it was a nation-state attack, so I think we're seeing the same here again. And again, not necessarily coming from Iran, and it provides great cover for other nations to do it at the same time we're having this conflict with Iran.

Olena: Mm-hmm, interesting and definitely something that people will fall victim to.

Hoala: Yeah, so I believe in the next four or five months, as the attacks get settled in and the HIPAA breach gets discovered, and you have the 30 days to report it, we'll see a rise in HIPAA breach occurrences as it's coming in through email.

Which is crazy to think about because, due to our Paubox HIPAA breach reports that we do every month, you already know that email as an attack factor was the number one most likely source for a HIPAA entity to get hacked. So it's already number one, and I expect it to further its distance from second place.

Olena: Alright, well, that was a wealth of knowledge. Thank you for that. Now we're gonna transition over to our winners. Who would you say is winning right now?

Hoala: Well, we went to the Redox social mixer during JPM Week last week, and that was on a Tuesday, and I'm pretty sure that was the social mixer of JPM Week. So we're gonna go with our friends at Redox.

They're growing like crazy. They always have the best parties, usually involves a taco and maybe a margarita. And it was much the same. I got to hang out with Niko Skievaski and James, two of the co-founders of Redox.

So just really excited to see their success, and also proud to have them as a customer as a Paubox Email Suite customer. So I'd say that's my winner for this week's HIPAA Critical.

Olena: Congratulations to them. Alright, and transitioning over to those that are failing. What would you say about that?

Hoala: Well, it was announced last week that Epic, which is probably the number one largest healthcare EMR vendor on the planet, if it's not Cerner, they announced they discontinued their integration with Google Cloud, citing that their customers are no longer asking for it, might be some cloud cover, pun intended, for all the bad news Google's been getting lately with its surreptitious integrations with other EMRs.

So I think Epic might have been like, "Hey, just stop. We've also been doing the same with you, we don't wanna be affiliated with it anymore, we're gonna cut the cord."

So I'd say Google Cloud was a loser, a failure last week. And maybe Epic in the long run because now they've gotta find a new vendor.

They did say they were talking to AWS and Azure, so we'll see. But definitely Google Cloud, all that sneaky stuff about... Just uploading patient data into their cloud without allowing you to opt out, I mean, just... Who wants to be in that? It's just creepy. And there's just no opt-out functionality, right? So I don't think people are into that.

Olena: Wouldn't it be advantageous for Epic to have something to move it over to prior to canceling Google Cloud, or can you not do that?

Hoala: I'm just imagining here that they were just trying to cut the story off at the head because of the revelation that other health systems had been already giving Google Cloud access to their data. So I think they were trying to just stop it cold in the water, that's my guess though.

Olena: Gotcha, alright, well, definitely something to learn from. And as we move along into predictions, this is also related to HIPAA breaches.

Hoala: Yeah, so I'm gonna go on the record here and... So I'm gonna go on the record and, again as mentioned, due to the geopolitical turmoil we have with Iran, my prediction is HIPAA breaches in total for 2020 will be 50% higher or more than they were in 2019.

I believe that nation-state hacking will be just on all fronts. I mean, we're talking China, North Korea, Russia, all using this opportunity and probably other countries too, right? All using this opportunity that we have with Iran to launch their own campaigns against us.

So we'll be compiling and issuing the HIPAA breach report for all of 2019 and we'll have those numbers in place, and to see if I'm full of it or not, by the end of 2020. And we'll see if there indeed were 50% more HIPAA breaches in 2020. So that's my prediction, laying it out there.

Olena: What specifically is nation-state hacking?

Hoala: It's sanctioned or set up by a foreign government that is adversarial to the United States.

China and Russia are renowned for this, and now North Korea as well. And so, it's a government-backed hacking operation by which they normally insert some sort of plausible deniability, which Russia excels at. So that would be nation-state.

Olena: Okay, gotcha, alright. Well, we also have a lot of information available on our website, which is paubox.com. That's P-A-U-B-O-X.com. And until next time.

Hoala: Aloha everyone.