October 8, 2021

When it comes to healthcare InfoSec, it’s the Wild West. Most healthcare organizations just don’t have the necessary IT budgets to make it a priority.

But it should be a priority. The truth is a large number of hospitals have been targeted by ransomware in the last few years. 

Today’s guest, Hoala Greevy, Founder and CEO at Paubox, shares how his company is arming healthcare organizations with HIPAA-compliant email and APIs in their ongoing battle against cyber threats.

In this episode, we discuss:

  • The current state of information security in healthcare
  • How Paubox provides HIPAA-compliant email and APIs
  • Where security and privacy in healthcare is headed

 

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

 

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (intro/outro) (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there, and welcome to yet another episode of the Virtual CISO Podcast, with you as always your host John Verry, and with me today is Hoala Greevy. Aloha, Hoala.

Hoala Greevy (00:36):

How is it, John?

John Verry (00:40):

How are you today? Did you see what I did with the aloha? And not even a reaction.

Hoala Greevy (00:45):

Same letters as my name. No, it has the same letters as my name as well.

John Verry (00:51):

Now, I know you’re Hawaiian or in Hawaii minimally, by any chance does the fact that your name have those letters in it, is there any significance to that?

Hoala Greevy (01:00):

No, a completely different meaning, just a coincidence.

John Verry (01:04):

Okay, that is cool. So thanks for coming on today, looking forward to this conversation. Always like to start super easy, tell us a little bit about who you are what is it that you do every day?

Hoala Greevy (01:13):

Sure. I’m the founder CEO of Paubox. We provide seamless encrypted compliant email in the US healthcare vertical. Our mission is to become the market leader for HIPAA compliant email in the US. I built the product in Hawaii, pulling an all nighter, and I moved the company to San Francisco in 2015 for our launch. And since then we have over 3000 paying customers, all 50 states, 12 countries, team of about 50 employees and three distinct product lines.

John Verry (01:44):

So before we get down to business I always ask the question, what’s your drink of choice?

Hoala Greevy (01:50):

Well, I’m in Hawaii right now so it’s coffee. But if it was later in the day, it might be tequila. So yeah, it depends on the day.

John Verry (02:01):

All right. So I was really interested in having this conversation because my experience in healthcare is that the information security posture in our healthcare systems is not quite what I think it should be, but I was anxious to chat with somebody like yourself who works in it every single day. Talk a little bit about the current state of information security in healthcare and whether or not that differs from the larger hospitals that you work with versus the smaller medical office programs.

Hoala Greevy (02:31):

Yeah, sure. So among our 3000 plus customers, we have a pretty good SMB segment there. And drilling down into it, in my opinion, when it comes to compliance and infosec, still the wild west. Some dentists will go, “Oh, well that doesn’t apply, I don’t need to do that,” smaller practices. You go up to the larger healthcare organizations and a [inaudible 00:03:00] without any solid data to back it up is, their EMR deployments have evaporated IT budget with nothing much left for necessary security investments. But to be clear, that’s just the hypothesis. So, whole industry needs help.

John Verry (03:16):

I would agree. We do a little bit of work in the healthcare space, and the reason it’s only a little bit is because they really don’t have the funding, it appears, to do what they need to do. And they know that they’re at risk, I feel bad for some of the CISOs that I’ve spoken with because they know where they are and just their hands are tied from a financial perspective. And even something as simple as investing in a proper security risk analysis, which is the first step of being HIPAA compliant, they’re like, “Oh, we got this little spreadsheet,” and I’m like, “Look, here’s the OCR final guidance on risk assessment,” and they’re like, “Yeah, yeah, yeah, I get it, but I don’t have the bucks.”

Hoala Greevy (03:52):

Yeah, and as you said it’s required by law once a year at a minimum, an annual risk assessment. And yeah, most of these folks are looking to check the box and invest the least amount possible, on average.

John Verry (04:06):

Well, and I think that’s what makes you guys valuable and important to the healthcare industry is that they can engage with a single vendor and it takes a lot of the risk off them. So talk a little bit about like Paubox’s HIPAA compliant, what does that mean? What makes you HIPAA compliant?

Hoala Greevy (04:24):

So at a high level for HIPAA compliance when it comes to data, you want to be encrypting data at rest and you want to be encrypting data in motion. So we focus on encrypting email data in motion. So I’ve been doing email for a long time, that’s my first job out of college in 1999, so I’ve been doing email 22 years, and it’s one of the oldest protocols of the internet SNTP, if not the oldest, and the highest priority of the SNTP protocol is message delivery, that’s hard coded in. And a lower priority is message encryption. So if the receiving mail server is not capable of accepting a TLS connection using STARTTLS, this is message encryption in motion, it will automatically downgrade the connection to clear text because it has to achieve its highest priority, getting the message there. This happens without the end user’s knowledge or approval. You can read mail headers and they can get very confusing, you can see the proof in the mail headers. But this is why all the other competitors have build portal based solutions or apps, because when you have a portal you can force an HTTPS connection and a log in. But the thing that everyone hates, seven steps, 15 minutes just to read a message, the experience is even worse on a smart phone, it’s just terrible.

Hoala Greevy (05:54):

And so what we’ve done, because we’ve been doing this for so long, is we just took the message encryption component of the SNTP protocol and made it equal in priority to message delivery, and that’s the breakthrough we’ve done is re-engineering the SNTP protocol without breaking anything, and then providing that as a service for our customers. And in healthcare, it turns out a lot of stuff you’re emailing can be construed as protected health information and sensitive data. And so the benefit we provide our customers is for our flagship product you set your email gateway or your smart host, depending if you have an exchange server, and all outbound email gets routed to Paubox. So we encrypt every email for every sender on every device. No change in behavior, you don’t have to remember to type the word encrypt or secure in the subject line or any of that crap, it’s just totally seamless and we just put a footer on the bottom letting the recipient know that the sender has taken diligence to encrypt the message. And luckily for us, it’s a hand and glove fit with healthcare.

John Verry (07:05):

Yeah, it sounds really interesting, and I love the idea of that frictionless because I’m a security guy, I’ve been doing this a long time and I understand the value of secure email. But when it’s not implemented well, I hate it, it’s such a hassle to deal with. So it sounds like what you’re doing, and correct me if I’m wrong, is they’re pointing their mail server to you, you’re accepting a TLS connection from their mail server so we know the email stays encrypted during that course, you’re encrypting local data, and then you’re taking the responsibility to ensure that if you’re going to deliver an email that it’s delivered in an encrypted fashion on their behalf.

Hoala Greevy (07:41):

Yes. So we for our encrypted email product, we do not allow unencrypted connections from our customers. And in fact, we require our customers to establish at least a TLS 1.2 connection, we also support 1.3. This is the exact guidelines at the NSA’s guidance earlier this year in January. And then on the same side, we enforce the same requirements when we send the email to their intended recipient. Now, if the recipient is not capable of handling a connection that high or doesn’t have TSL at all, then we detect that on the fly and upload it to our secure message center and then send that recipient a link to go and view the message. And then there’s different levels of security our customers can enforce on how much friction they want to impose on that particular message that gets delivered. And we have two patents around that, and so we’re building an IP portfolio as well.

John Verry (08:43):

Yeah, I like that model where what you’re doing is you’re creating friction for somebody because of their misgivings about their security posture. It almost incents them to actually do what they should be doing which is allow a TLS encrypted communication in their mail server. And what you do is your client doesn’t feel any pain, any friction. It’s just that if they’ve got people that are not, so that’s a nice model.

Hoala Greevy (09:11):

Yeah, you’d be surprised John. Ironically enough, there’s a lot of these email securitY appliances in the wild, Barracuda’s a common offender. By default, these appliances ship without TLS enabled, and so they’re sitting in front of this on-prem exchange server or something racked in a data center, TLS is not enabled, so it’s stripping off any sort of encryption coming in or going out from their exchange server. All their email is flying through the internet in plain text because of this security appliance that got shipped by default with the thing disabled. And there’s quite a few of them out there, so it’s not as clear cut as you’d think.

John Verry (09:50):

Yeah, it’s just another great example of where people get budget to buy product, but then they don’t get the budget for the training or to keep the tool updated, and it’s misconfigured and they’ve got a false sense of security. And we see it all the time, so not really that surprising to me unfortunately.

Hoala Greevy (10:07):

Yeah.

John Verry (10:08):

So question for you, so when you think about HIPAA compliant email, I think the classic case that you think of is protecting your outbound communication. I’m working in a doctor’s office, I’m sending something to somebody and I want to make sure that I’m being HIPAA compliant. How is it different if I’m in the medical profession and someone might be sending me EPHI in an email or something of that nature, how does your solution handle that particular use case?

Hoala Greevy (10:35):

Yeah, great question. So from a HIPAA strict interpretation, it’s not required that you encrypt incoming communication. But we pride ourselves on customer feedback and using it as a roadmap of what to build and where. And so enough customers started asking for it, so we rolled it out, so we have a complimentary service that provides inbound security whereby it’s a similar concept, we become the MX record for our customer’s domain name, therefore routing all inbound traffic to us. And in this case, if the sender is offering an encrypted connection, we’ll of course encrypt it, send it along to our customer, assuming of course it’s not a ransomware or phishing, et cetera, and we’ll put a little footer at the bottom letting our customers know that we encrypted that inbound email as well. So again, not required for HIPAA, but a lot of people love it. And in addition to that, every paid customer of ours, we also provide them with a secure contact form. It’s just a link with some default fields you can use to drag and drop a PDF document, for example. You hit send, me encrypt it to the customer. So another method our customers can use there, patients or other doctors in the ecosystem, to send an encrypted email.

John Verry (11:56):

That’s cool. Question for you, so I like what you said where you have some ability to filter, if you will, emails that might be malicious in nature and things of that nature, has anyone ever requested, I would think, is there any concept of almost like white listing an email address? So in other words, let’s say that I am a doctor and somebody who’s not my patient sends me medical information before they’ve become a patient and they’ve signed all the paperwork, is there any way to do almost like a white listing if you will of, “Hey, only accept emails from customers that we know are inbound emails from customers that we know are already a patient of ours”?

Hoala Greevy (12:36):

Our system can be configured that way. I don’t know if anyone’s using it that way, but it could be done, yeah. That can be done in our system.

John Verry (12:45):

Because that would seem to make sense to me, because that way you don’t ever end up with PHI from somebody that you don’t intend to have PHI from, that was what I was just thinking.

Hoala Greevy (12:54):

Healthcare is the last American business segment to use email, it’s just amazing to me, even to this day. A lot of unanswered questions around easy email and healthcare, and that’s probably one of those, yeah.

John Verry (13:07):

So I know you make a point on the website of that you provide HIPAA compliant APIs. That peaked my interest. Who would be using your APIs and why?

Hoala Greevy (13:18):

Sure, yeah. So we have a Paubox email API. Easiest way to think of it would be a HIPAA compliant SendGrid, high trust certified SendGrid. So we have a rest API, SMTP API, and the most common use cases right now are test results, COVID being classic use case. So you can send the test result straight to the person’s inbox, they don’t have to log into a portal, which data shows 93% of them don’t bother to anyway. You can also use it for personalized appointment reminders, where you may need to insert some PHI to really trigger the reminder, either to not eat before a surgery or don’t miss a certain appointment. And then lastly, they’re also using it to send lab test results which may contain, say, a PDF document. And that’s really neat too because you can deliver that straight to their inbox in a compliant manner without requiring your end users to log in. And for the boomers out there, they have a lot of problems with tech, and rightfully so, they never grew up with it. So if you deliver it straight to the inbox and be compliant, that’s a really good use case there.

John Verry (14:29):

Gotcha. Would that be and like the API would be being leveraged by, what, Epic or Cerner or one of there HMS, LMS systems, would that be what would be calling your API to deliver the things you talked about second ago?

Hoala Greevy (14:46):

We don’t have the big ones on it yet. We’re in talks with some larger lab testing, well actually we do have some lab testing customers, some big ones, but the big EMRs, not yet. But conceptually, yes, very much so.

John Verry (14:59):

Okay, that makes total sense. So healthcare is definitely one of our critical infrastructure agencies and we know that the government has been very keen on issuing guidance recently. So up to and including the presidential executive order, zero trust is a big topic of conversation. Where are you guys at from a Paubox perspective with zero trust?

Hoala Greevy (15:25):

Yeah, for sure. So for our inbound security product, which I was mentioning earlier, again, we value customer feedback so we started getting customers saying, “Hey, why did this get through your system?” So we got enough of these examples on our hands and I started diving in deeper, and what I realized what they all had in common was the phishing campaign was sent via American company infrastructure. These bad actors were opening accounts on AWS, GoDaddy, MailChimp, Mailgun, IBM, et cetera, and then launching their campaign. So the RBL for the IP reputation, check. DMARC, check. DCIM, check. It passes all known email security checks, of course, because it’s being sent on American company infrastructure. And so what we realized was, hey the barbarians are already in the castle, they’ve already crossed the moat. We need to come up with an additional piece of authentication in addition to what’s already out there.

Hoala Greevy (16:37):

And so we created this thing called zero trust email, we rolled it out a few months ago. And what we’re doing is, we’re focusing on the multifactor authentication component of zero trust, and so in this case, we’re requiring additional set of MFA between the mail servers themselves. So the process is invisible to the end user, but what we’re saying is, “Hey, I know you are sending from Amazon SES, but I still don’t trust you, I need one more piece of information.” And that piece of information is custom for each of our customers and it changes over time, so it’s very difficult to impersonate this information because it’s personalized and it changes over time. So we’ve had some great feedback from it so far, but it’s an evolving landscape.

Hoala Greevy (17:30):

We are in an unacknowledged war with hostile rogue states because at the same time we were getting these complaints from our customers, I’d be reading articles in the New York Times and Wall Street Journal saying Rogue nations like China and Russia, they know that the FBI, the NSA, et cetera, they are not allowed to go and break into American companies and surveil their systems, it’s considered out of scope. So that’s precisely what they’re doing, they’re setting up accounts on American companies using like legitimate credit cards, legitimate bank accounts. And I think there’s just so many of them created, these companies can’t keep up. So pretty harsh landscape out there.

John Verry (18:16):

Yeah, I guess that would explain why, I think it was yesterday I saw an article pop that said 50% of America’s hospital systems have been hit by ransomware in the last N period of time, I think it was a year or two, which I found somewhat staggering.

Hoala Greevy (18:30):

Yeah. Well yeah, I mean PHI data is worth more on the black market, it’s definitely a vulnerability in our infrastructure. These folks need a lot of help and we’re here to do it. It’s just an ever evolving landscape. And I think the cloud based solution is best, these on premise devices, they can’t keep up.

John Verry (18:51):

Well especially because, I mean again another thing that I read recently, I don’t know if it was accurate or not, but somebody asserted that many if not most healthcare systems don’t have a true information security person, or hospitals, excuse me, don’t have a true information security person on staff. Which again is one of things where, yeah.

Hoala Greevy (19:11):

So the CISOs, the CIO, and the yeah, yeah, yeah, I wouldn’t be surprised, yeah.

John Verry (19:18):

Yeah, which is staggering. And at that point, the idea that you’d have 50% hit by ransomware makes a lot of sense. So speaking of people ending up on the bad boys list, so to speak, I know that you have done a lot of work with the HHS wall of shame. Tell me a little bit about that.

Hoala Greevy (19:36):

Yeah, sure. So federal law, HIPAA, if you have a breach effecting 500 or more people, you’re required by law to report it to the HHS, Health and Human Services, within 30 days and then it gets posted on this site, which is nicknamed the HHS wall of shame. And so to make it more digestible, every month we do a Paubox HIPAA breach report and we just kind of break it down into digestible chunks. And the takeaway for the last four years that we’ve been doing it is the two most common breach point vectors, it’s not laptops, it’s not paper, it’s not the EMR system, it’s email and network servers or just servers. And that continues to this year. So statistically, just using this data, the most likely breach point is email in healthcare. And I think that would apply probably across verticals. So we do that every month.

John Verry (20:41):

Yeah, I think, I forget what the exact number is, but a very large percentage is some type of a social engineering most frequently at least initiated via phishing, right?

Hoala Greevy (20:51):

Yeah. Password resets, phishing, impersonating the CEO, the CFO. Yeah, it’s ever changing.

John Verry (21:01):

Yeah, business email compromise is definitely a pain point in every vertical. So the idea that you would see what you’re seeing isn’t surprising. So question for you, we recently did some work internally using, it was our first foray into leveraging some machine learning to try to move security from a reactive to proactive stance, and it was pretty promising and really interesting and fun for me. I would imagine you are processing millions of emails per day, and one of the core tenets of machine learning is having a large enough data set to train. So it seems to me like you have a fantastic data set for machine learning. Is that something that’s on your road map?

Hoala Greevy (21:43):

Yeah, that’s a great use case there. And we’re currently training our data sets now for those reasons you said, John. So access to the data is free, it happens a lot, and the training set of this component we’re asking our customers to do via a robot we’ve built. So we’re collecting data now and then we’re going to train it and I’m expecting, I’m pretty optimistic about the results we’ll get. So yes, that’s definitely something we’re already doing and I see AI as a pivotal part of our company’s future. I think it’s clearly the future in our business, without a doubt.

John Verry (22:20):

Yeah, I’ll be paying attention to see what you guys are doing because that sounds really exciting to me and I can see that it would be potentially insanely useful. So your model is really elegant, I like the way it works, and it would seem to me that it would work for any other client, not just the folks in healthcare. So have you guys thought about using it outside of healthcare space? So like as an example, the cybersecurity maturity model certification requirements, that encrypted email is a requirement for controlled unclassified information, and it would seem like that would be another potential good fit for you guys.

Hoala Greevy (22:58):

Yeah, well if our customers start asking for it, we’ll take a strong look at it. So that’s kind of how we base our approach to this stuff. Right now, healthcare has been a wise choice because as a startup, boiling the ocean probably doesn’t work. So it’s one set of laws, it’s one currency, it’s one language. From a sales and marketing perspective, it really allows focus. And it’s just a huge industry that’s massively underserved. But we do have finance, attorneys, accountants, we have those customers on our platform, but it wouldn’t be obvious to you if you came to our site because our language and positioning is healthcare, but we do have other verticals.

John Verry (23:46):

Yeah, it makes a lot of sense to me. So PHI, elements of PHI definitely fall into what we would refer to these days as personal information as defined by California Consumer Privacy Act, Virginia’s new law, GAPR, how does Paubox deal with personal information and what’s your plans there?

Hoala Greevy (24:07):

Yeah, so for the CCPA, that’s the California Consumer Privacy Act that went into effect earlier this January, I checked the fine print and when it comes to PHI, there’s an amendment that got put into it that exempts PHI from the CCPA. So it kind of says, “Hey, that’s PHI and it stays in HIPAA, everything else under this thing is CCPA.” So that’s one piece that’s covered or exempt. There’s a similar thing when it comes to the data requirements around the FERPA regulation. If there’s an overlap between FERPA and HIPAA, HIPAA takes precedence, so kind of a similar stance there. But FedRAMP, CCPA, GPR, we’ll take the same approach, if we see a pattern amongst our customer or potential customers, we’ll go that route. And I think it’s a matter of time before we get pulled into it. So that’s the approach we take with customer feedback.

John Verry (25:06):

Yeah, well one thing is good for you, is you’re already High Trust certified, as I understand it, and High Trust is a fairly large lift. That’s not a certification that’s easy to get, so it speaks to you having a very comprehensive security program in place. So getting to a CMMC, or getting to an 800-171, or getting to a FedRAMP, while it will require some effort it’s not going to be some Herculean task because you already have a very good security program.

Hoala Greevy (25:33):

Yeah, shucks, that’s precisely why we chose High Trust, enough customers were asking for it, so that’s why we pursued it and not Soc 2, we just didn’t have a lot of people asking for Soc 2 or FedRAMP. So that’s why we chose that, definitely a journey, I lived it. We were the first email encryption company to get it, that was a big lift, and I’m happy we did it, it was a tangible roadmap for us to level up our security posture as a startup because you’re building the parachute as you fall out of the plane. So I’m grateful for it and I’m hoping you’re right when it comes to FedRAMP, I haven’t done a lot of research on those just yet, mainly due because not a lot of customers are asking for it.

John Verry (26:16):

Yeah, the other one which we might, if you’re working at the state local educational level, FedRAMP spun off there’s a program called StateRAMP now, which is for entities that might not being work in the federal space but need to get to a high level out the station, so the states built a program based on FedRAMP. So that’d be another one to throw into the back of your brain there that at some point you’ll probably end up stacking on top of the stuff that you already have.

Hoala Greevy (26:44):

You know, our first High Trust auditor, he took a look at our business and he goes, “Dude, in a couple years you’re just going to have guys like me coming in your office left and right, re-certifying this and that.”

John Verry (26:58):

Every day.

Hoala Greevy (26:58):

“That would be a sign of success when you got guys like me just cycling in and out for all the stuff you got to maintain.” And I was like, “Oh, okay. Well.”

John Verry (27:08):

You know, in a weird way, I never thought about that, but in a weird way that’s sort of like, I know we all bitch about paying taxes, but when your tax bill gets really, really high, that’s not a bad thing because that means that you made a lot of money. And the same thing with you, when your [inaudible 00:27:26] station bill gets to be crazy and you’ve got FedRAMP and you’ve got High Trust and you got, and then you know CMMC. Yeah, that’s not necessarily a bad thing, right? That means you got a lot of clients demanding a lot of evidence that you guys are doing good things. So those are sort of good problems to have, right?

Hoala Greevy (27:45):

Yeah, those would be deep [inaudible 00:27:46], for sure, those are tangible [inaudible 00:27:49].

John Verry (27:49):

Yeah. So you spend every day all day in the healthcare space, talk a little bit about where you think security and privacy will go in healthcare over the next couple years. Is there light at the end of the tunnel for us? Because at the end of the day, it is like I’m glad to promote your product for selfish reasons, and the selfish reason is that I’ve had my medical information leaked multiple times. People get hurt by bad information security, so the more folks that are on your platform, the less likely it is that mine and the other people that listen to this data gets out there. So where do you think this is going?

Hoala Greevy (28:28):

Yeah, so thanks for that question. As it relates to HIPAA, I don’t think that’s going anywhere, so I think that’s something you can bank on from a business perspective. When it comes to privacy, I think we’re going to see more states creating their own one-offs, like California did when it comes to privacy laws. And then at some points, the feds will step in to create a nationwide privacy act just to simplify things. However, I think this will take some years to happen, the big tech monopolies out there will be inclined to steer their armies of lobbyists to kill such a maneuver. And in the end what I think will happen is a new privacy amendment will be added to HIPAA. And we’ve seen this in the past before with the HIPPA Privacy Act that came into effect in 2003, the HITECH Act 2009 and the Breach Notification Rule in 2009. HIPAA itself was enacted in 1996, so it seems to be an evolving piece of legislation, and I think they’re going to tack on a privacy act then. The monopolies will probably let it through because that’s not really their business, but when it comes to privacy in general, for some of them, that’s their entire business model, so I’d imagine they’d steer their lobbyists to kill something like that.

John Verry (29:45):

It’s actually interesting, you see diverse activity there. So there was a group, and I forget, it was a group of the big guys, it was the Google, Microsoft, Apple, a combination like that, that actually lobbied for a federal regulation, they were pushing for it not against it. And the reason they were pushing for it was they didn’t want to have to deal with 50 independent state regulations. I think they’re recognizing like, okay this happened with California SB, what is it, 314, the first of the privacy breach notification laws. And then over the course of the next 15 years, 50 states ended up launching them. So I think one of the concerns is that they don’t want to have 50 state privacy laws and then 200 country privacy laws to deal with. So I think in a sense, having one national privacy law would actually be easier for them.

John Verry (30:44):

So it’ll be interesting to see where this goes. I do think you’re right, I do think a privacy amendment onto HIPAA, I’ve heard other people talk about that as well. And that would also get complicated, because if you’re dealing with HIPAA data and you’re dealing with non-HIPAA data, now you’re navigating yet another regulation to deal with. So I’m hoping they figure it out, because that kind of level of complexity isn’t good for any of us, it just drives up friction, drives up cost for all of us with probably minimal actual value to the extra dollars spent.

Hoala Greevy (31:17):

Yeah, I can see your scenario playing out as well, John. In that case, I would probably guess the Federal Privacy Act would probably not have a lot of teeth in it and provide these monopolies with a lot of outs, they’d probably push it for that direction. Yeah, I could see that [crosstalk 00:31:33]

John Verry (31:34):

Oh yeah. I heard someone say, it was on a movie where they said, “If you’re not paying for the product, your data’s the product.” So yeah, these companies, these big guys they don’t want to lose their cash cow. We think, “Oh, this is great, I get this email for free, I get this SaaS application for free.” Nope, not exactly guys.

Hoala Greevy (32:01):

Yeah, that’s the common phrase for VPNs, right? If the VPN is free, you’re the price.

John Verry (32:09):

Yeah, unfortunately I don’t think most people realize that. All right, so we beat this up pretty good. Did I miss anything? Is there anything else that you’d like to cover with regards to the cool stuff that you guys are doing over there at Paubox?

Hoala Greevy (32:21):

Oh man, thanks John. Yeah, we’re really fired up on email AI. We like to talk to our customers and one thing we’ve noticed during the pandemic is they’ve taken advantage of a project they’ve wanted to eliminate for some years and that’s getting rid of the fax machine and if you’re not in healthcare, this may seem bizarre, but it is the default form of communication, it is the dominant form of communication in healthcare. So they can’t ditch the fax number because of the entities they deal with, but they did go eFax. And again, that’s just such a dated thing, but healthcare is healthcare. And so what that means is there’s more email coming in, especially on the eFax side. And what we see is a tremendous opportunity for workflow automation as it relates to email coming into an enterprise. And so we’ve rolled out Paubox Email AI, it’s part of one of our product lines. We’ve got our first paid customer using it. And this concept of workflow automation I think is really powerful. So we’re looking forward to further building that out and I really think it’ll open up new plateaus for us to automate workflows for our customers in a compliant, High Trust certified manner. I think the sky’s the limit on that on, so pretty fired up.

John Verry (33:41):

Gotcha. So when you say automation, so let me take a guess here, a fax comes in through the email fax and currently what someone does is they get that email, they open it up, they might look at that and then they’ll enter data into some system over here, an EMR. Is the idea that your AI would be able to look at that fax, understand what that fax was about, extract some of that information and let’s say populate that in the EMR directly for that person?

Hoala Greevy (34:10):

Yeah, that’s exactly it. We’d work with the customer to build a robot to identify a certain type of email, parse the message, input the data into the EMR. These folks that do this, they don’t like doing it anyway, and it’s error prone, it’s repetitive, it’s a prime candidate for workflow automation, which is a segment of AI, robotic process automation or RPA. So there’s a lot of work upfront integrating with a particular EMR, so that’s where we’re cutting our teeth on now is building out functionality and then we can re-leverage over economies of scale once we get all this stuff done. But yeah, that’s a classic example. And our customers are fired up on this thing.

Hoala Greevy (34:56):

Another one is, we learned this through a Zoom social mixer we did, these corporate voicemail systems that are sending emails of audio files if you don’t answer your extension. And so they’re terrified of them listening to it in public on their smart phone. So what we did is we hooked into NLP, natural language processing, and we transcribed the audio file of that message and we insert the text into the email. So now they get the email with attachment still there, but we’ve inserted the voicemail transcription. And that one’s been a home run out the gate because it lowers the risk profile of this one particular thing that they need to pay attention to. The end users love it because they don’t want to download the attachment anyway because it takes too long. And it’s accurate enough where it’s reliable, they just scroll on their phone and read the thing. Because of course some of these contain PHI, so a lot of sensitive stuff coming in these voicemails. So that’s another exciting use case we’ve already built, that was our first robot. And just sky’s the limit, man. If we look at our business, there isn’t anything that happens in our business that doesn’t happen in email. Receipts, invoices, renewals, notification, billing reminders, a lot of this stuff can be automated to a billing system, EMR, et cetera. Sky’s the limit, dude. Sky’s the limit.

John Verry (36:26):

Yeah, makes sense, because if you think about it, what percentage of people sit all day reacting to, processing email? I read email, I take action based on what’s going on in the email. If that action doesn’t require critical thinking, why couldn’t it be some level of automation be applied?

Hoala Greevy (36:46):

In the enterprise, there’s entire departments dedicated to this stuff, so you can reassign them, you can shrink them, there’s just all kinds of ways to do it. And these folks don’t even like doing the work anyway, this particular work, because it’s better suited for a robot. You want to let the humans do things that involve judgment and making decisions on limited sets of data. This stuff is perfectly suited for a robot and it all is basically revolving around transactional email. So if we can identify transactional email or eFax, then we can identify the business processes for our customers that we can suggest they automate. And if you Google the term email AI, John, there’s not much out there man. It’s a completely wide open landscape here, and we’re hoping to provide business leadership to further define what exactly email AI is. And this isn’t hype anymore, this may have been hype in 2015, this is the real deal and we’re already doing it.

John Verry (37:46):

Exciting stuff, man. I’m looking forward to it. So I always ask, give me a fictional character or if you like a real world person who you think would make an amazing or horrible CISO in a healthcare organization and why?

Hoala Greevy (37:59):

Oh yeah, that’s a great one man. Michael Scott, for sure. That’s a slam dunk. Because when the Prince of Nigeria emails you asking for help, you help him. Can’t ignore that.

John Verry (38:15):

And if anyone doesn’t recognize The Office reference, you’re no longer allowed to listen to this podcast. All right, anything else? So if folks want to get in touch with you, what’s the easiest way to get in touch with you?

Hoala Greevy (38:27):

I have a unique name, so Hoala Greevy, you can find me on LinkedIn, Twitter, very much opposed to anything Facebook does so I am not on anything Facebook related. But definitely on Twitter and LinkedIn.

John Verry (38:39):

Okay, so you didn’t react to my Aloha when we started, so I’m going to try one more and I don’t know how to exactly say it, I’ll probably use it somewhat non-contextualized, but I think it’s supposed to show appreciation. Mahalo. Is that the right way to say it?

Hoala Greevy (38:54):

Yeah. And then you can do mahalo nui loa, thank you very much. But yeah, mahalo’s great, yeah.

John Verry (38:58):

All right, well I got half of it, so I get points for trying, right?

Hoala Greevy (39:03):

Oh, lots of points man, for sure.

John Verry (39:06):

Hoala, man, thank you so much for coming on. I appreciate it. Best of luck. And like I said, I genuinely appreciate what you’re doing to protect all of the people that are going to their healthcare providers every day, you guys are providing a lot of value.

Hoala Greevy (39:20):

Right on, John. Thanks all, mahalo.

Narrator (intro/outro) (39:23):

You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.