Greg Hoffman: Well, that's a good question. Sierra.
To give you a little background on Bellhops, that's a moving company designed for students. I helped start-up and manage the Hawaii branch while I was at the University of Hawaii.
The great thing about this service is that it's based on convenience. Students are very busy, and they can't always work all the time. The beauty of Bellhops is that it allows students and those moving to pick and choose the times that work best for their busy schedules. It all comes down to helping people and convenience.
Today, I'm a senior enterprise account executive at Paubox, a fancy way of saying that I'm a sales guy. I spend most of my time helping individuals and companies uncover and solve their security and compliance vulnerabilities.
So whether you're moving furniture or you're securing the transmission of sensitive data, at the end of the day, it all comes back down to helping people and convenience.Sierra: Right, it sure does. I know you are an industry expert. I'm so glad that we have you on the podcast today. How did you end up at Paubox, you know, in a role primarily focused on building and maintaining customer relationships just like you did it at Bellhops?
Greg: That's an interesting story. The short answer is a lot of hard work and a little bit of luck.
I met our fearless CEO and founder, Hoala Greevy, through an internship while I was at the University of Hawaii. That internship actually snowballed into another internship with a company called PauSpam, which was the first Hawaiian spam protection company in Hawaii.
Now to clarify, we're talking about email spam. Although, you know, Hawaiians do love eating their spam as well.
As a side note, in Hawaiian, “pau” actually means done or finished. So the name PauSpam means “done with spam.”
While interning with PauSpam, we had a customer you may have heard of called Make Wish Foundation. Hoala built Paubox for the Hawaiian chapter. They grant more wishes than any other chapter because everyone wants to go to Hawaii. They had a tremendous need for an easier way to send and receive sensitive data, like protected health information.
After developing Paubox for Make a Wish, we realized there's a massive demand for this service type.
Long story short, we ended up moving the company from Hawaii to San Francisco. In the early days, we figured out that I was inherently decent at building, maintaining customer relationships,
What I love to do is help customers solve their email security and compliance problems. The rest is history.Sierra: Nice. Well, I'm glad you gave me that background. I didn't even know that. I love that you were an intern, too. We had Nick Wong, who was also an intern with us and is pretty much our resident expert in email API. It's so great that we have interns, and then those interns will turn into full-time employees. Thank you so much for that background. I mentioned this earlier, but obviously, we're friends. I know he firstly, and I know how passionate you are about helping the healthcare industry communicate more securely and freely as you discuss. Can you elaborate on this passion and mission?
Greg: Healthcare has always really been behind the times when it comes to technology. That seems pretty wild because healthcare is one of those industries that affect us all.
The thing about this thing called life that everyone who's tuning in to this podcast shares is that, unfortunately, none of us are going to get out of this life alive. We all have an expiration date.
So, why are we not putting the most innovative technologies to work in healthcare?
Sometimes, innovation happens, but many times true innovation is impaired by humans being stubborn and slow to adopt change, along with the long red tape of HIPAA regulations put in place by HHS.
HIPAA mandates how you can handle data like protected health information, which is is a good thing for the patient. Sometimes HIPAA regulations can slow down the way that data is transmitted and processes are handled.
For example, if you look at that ancient hunk of technology sitting in all healthcare offices today.Sierra: I know you're talking about the fax. Oh, man, I hate the fax. Everyone hates the fax machine. If you're listening and you like fax machines? I don't know about you.
Greg: You may not know this, but the fax machine dates back to 1843. That's well over 150 years ago, and we're still using that today.Sierra: Knowledge bomb. I did not know that.
Greg: Yeah, it's pretty bizarre.
To get back to your question, I'm passionate about helping healthcare communicate more securely and freely because we're talking about the transmission of vital medical history, patient conditions, and ultimately, life and death. Right? Paubox is literally helping save lives.Sierra: I agree with that. Everyone needs to get on with the times. Fax machines are a thing of the past. I'm so glad that you brought that up. We're in a pandemic, so more people are working and learning from home. This increased number of at-home employees and students gives cybercriminals more opportunities to exploit and attack. Do you have any tips for our listeners on securing their home networks from cyberattacks?
Greg: That is an interesting question. There are a ton of things that you can do. I read a blog post recently that outlined this very well.
The five top things that you should do are number one move from complex passwords to phrases. It's a common misconception that changing your passwords constantly is more secure, but actually, changing your password all the time can introduce its own security vulnerabilities. The length and unique pattern of your passphrase will increase your level of security of your passwords. You won't have to update them so frequently.
Number two, you can add and update passwords on internet-connected devices. You need to secure the things that you can. So, control the things that you can control.
Number three, use a virtual private network (VPN).
Number four, set up a guest network. This will keep you safe from security vulnerabilities from a guest that comes over to your house.Sierra: I never even thought about that.
Greg: You're also going to want to make sure that that's password-protected as well.Sierra: Okay, great. I'm doing that today.
Greg: Good call.
Number five, restrict administrative access on your devices. You don't want all of your employees at home to have admin access. The less admin access that you have out there, the more secure you are.Sierra: Thank you so much for providing those tips. I will be doing some of them today. Greg, I know you talk with members of the healthcare community daily; what are the most significant threats you're seeing from customers right now?
Greg: The top things that I'm seeing from our customers as far as security vulnerabilities, actually are themselves.
Unfortunately, the most significant security issue is the human element, and hackers know this. That's why they target employees. Whether they are merely making a mistake or acting out of ignorance, the human being is the weakest link.Sierra: It makes sense. We just talked about my human error and not securing my home network. I'm sure lots of people are sitting here, thinking, “I am that error.” What are any upcoming threats are trends that the healthcare industry or people listening should be aware of?
Greg: I believe that we're going to see an increase in the display name spoofing, phishing, and farming attacks. If you aren’t familiar with display name spoofing or phishing attacks, hackers are impersonating key employees within an organization, such as a CEO or CFO.
What happens is, these cybercriminals are using a generic Gmail, AOL, or Yahoo! email address and change the display name on the email to match one of these key employees. Then they email an employee and use their fake authority to establish urgency and demand sensitive data or even money be sent to them. Employees without actually looking beyond the display name or checking the email address will go ahead and comply because they don't want to upset their boss.
These are so effective because it's really easy to do, and it's tough to catch. Since 2019, this has been the number one type of phishing attack.
I would keep an eye out for this one. I think we're going to see a lot more of these types of attacks.Sierra: I'm so glad that you brought this up because this just happened to me at Paubox. Somebody emailed me via my personal Gmail impersonating our CEO, Hoala. He was asking if we could meet. I immediately sent a message to Hoala because he never sent me an email to my personal Gmail. We decided, obviously, that that was display name spoofing. Then he let me know that that had happened to our finance director on the same day. Paubox, we’re an email security company, but we're also experiencing these display name spoofing attacks. I can only imagine what other companies are experiencing, as well. Thanks so much for mentioning that.
Greg: The second point, on farming attacks, is something that we've seen a lot more of. It works the same way.
A hacker is going to purchase a domain name that's remarkably similar to an existing domain name. When someone goes to plug in a website name, maybe they have fat fingers, or they just put it in a typo there or misspell it only slightly, the user is redirected to a different website that looks similar.
That's where they farm your data. You give them your data by plugging into a contact form, filling out credit card information, or whatever it may be.
With Black Friday right around the corner and Cyber Monday following shortly after, we're going to see an overall spike in cyberattacks. It happens every time.
Tall the listeners out there, definitely be careful when you're doing your at-home shopping.Sierra: That is a great point. I have heard of that being an attack strategy, but with Black Friday happening, I will probably not do any online shopping because you have freaked me out. Greg, where do you see the security compliance and healthcare industry going in the next ten years?
Greg: I think that HIPAA is going to become even more heavily regulated.
If you take a look at protected health information and its value on the black market, there is a reason why these hackers are going after your medical records. They can fill out false claims. It's really difficult to change your social security number. You can change your credit card number.
I think that as cybercriminals continue to go after this data, HIPAA is going to kick in more regulations. We're looking at heavier restrictions going forward.Sierra: I'm glad you mentioned that because I got a letter from my high school two days ago saying that a vendor that they use was compromised and that my social security number may have been compromised as well. I've gotten multiple letters about my social security number over the years, so I'm a little fearful that that will continue happening. I've experienced numerous attacks from cybercriminals, so thanks for making us aware of that. I love asking this question. You're an industry expert in healthcare. How do you keep up with industry trends? Are there any good podcasts, blogs, influencers, or newsletters that our listeners should be following?
Greg: Podcasts, absolutely. My favorite podcast is, I don’t know if you have heard of it, the HIPAA Critical Podcast. That's a great one.Sierra: Ours! Yeah, it is great. Thanks.
Greg: That's my number one for sure. I listened to CISO Talks, that's a great one, and CISO to CISO Cybersecurity.Sierra: Okay, great. I love asking that question. I always learn something new from that question. Last but not least, what do you do to de-stress and relax? A lot of guests say drinking wine.
Greg: I would say that I enjoy hiking, camping, snowboarding, and going to the beach. Luckily, these days I'm living right on the beach. I took advantage of this remote work situation.
In a few weeks, I'm going to be doing a 35-mile hike on Catalina. I'm looking forward to unplugging for a few days.Sierra: Wow. So are you doing that alone? Are you going as a group?
Greg: A couple of buddies.Sierra: Okay, that sounds amazing. Dallas isn't the greatest for hiking, but I love going to Colorado and hiking. Thank you so much, Greg, again, for joining and speaking on the HIPAA Critical Podcast.
Greg: My pleasure. Thanks for having me. I hope it was educational.Sierra: It was! I'm sure our listeners got a few laughs also. Our next webinar for Paubox will actually take place on Thursday, December 3 at 10 am PST with the topic of “How to Overcome HIPAA Challenges and Work as a Team in Healthcare.” Greg, who is on today, will be on the panel with Mike Docktor, the owner of Dock Health. If you would like to register, feel free to send me an email at firstname.lastname@example.org. You can listen to our other podcasts as we do this bi-weekly Paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks again, and see you next time.