Episode #10 - Zach Fuller - Securing Your Healthcare Organization

Zach Fuller of Silent Sector discusses how healthcare organizations can secure their data and protect themselves from cyberattacks.


    Jerrod Bailey  00:09

    Welcome, everyone, to Reimagining Healthcare: A New Dialogue with Risk and Patient Safety Leaders, presented by Medplace. We're excited to bring you conversations with top risk and patient safety thought leaders from organizations across the country. Please subscribe to get the latest news and content. And if you find value in this episode, please share it with your colleagues. We want to create some meaningful discussions in other communities and in this community. And also, if you're interested in participating as a guest, please send us an email at speakers@Medplace.com. My name is Jerrod Bailey, I am the CEO of Medplace, and I'll be playing host today. And I'm really excited to introduce you to my guest today. Zach Fuller is a partner and head of business operations and strategy at Silent Sector. His organization protects clients across industries like healthcare, also B2B technology, financial services, aerospace and defense with stringent cybersecurity and compliance requirements. Also, Zach is a good friend, and Medplace actually uses Silent Sector for our own security and penetration testing and assessments and other things. So I've been able to work with you, Zach, for some time here, and I'm excited to have you on the show.


    Zach Fuller  01:32

    Thanks for having me, Jerrod. Good to see you.


    Jerrod Bailey  01:35

    Yeah. Now, for those who don't know Zach already, he was, is, are you always a Green Beret? I suppose you're always a Green Beret.


    Zach Fuller  01:46

    Say that? No, no, that was a long time ago. I'm a has-been.


    Jerrod Bailey  01:53

    Well, I don't know about that. But I appreciate your service. But you also are pretty stocked up in certifications here. You're a Certified Ethical Hacker. Is CompTIA, is that the certification?


    Zach Fuller  02:08

    Correct. They have a handful of certs that they provide.


    Jerrod Bailey  02:12

    Yeah, that's right. You're also a CCIP in cyber intelligence. So you've been around this for a while. And you certainly work with some pretty interesting organizations. So appreciate you bringing us to this conversation.


    Zach Fuller  02:26

    Thank you. Thank you looking forward to it. Yeah.


    Jerrod Bailey  02:30

    Our audience tends to be in the healthcare arena, right, might be hospitals, hospital systems, might also be other folks in sort of the risk sort of constellation out there. So folks from insurance carriers, and TPAs, third party administrators, that kind of thing. Everyone kind of looking at the overall scope of risk from a healthcare perspective. And certainly security and cybersecurity is top of mind in that conversation. Right? It's going hand in glove. And we're seeing a lot of news, right. I mean, just last week, we've got a report from Bloomberg on Tenet Healthcare, which is, for those who don't know, one of the largest for-profit systems here in the US, had a big cybersecurity incident. The Department of Health and Human Services just last week issued an alert about a, quote, exceptionally aggressive Hive ransomware group. We're hearing about this stuff all the time, it only seems to be accelerating. I'd love to unpack this topic with you. First I'll just kind of start with, if we're managing security the way we did even 10 years ago, we're probably behind. There's sort of been some changes in the industry that have, like, opened up maybe new attack vectors or just new considerations, whatever. We can kind of talk through some of the, just like, what's some of the recent changes that have happened in the industry that are affecting us from a cybersecurity perspective?


    Zach Fuller  04:08

    Yeah, good question. Well, of course, we've seen the rise in ransomware attacks, right? That's been all over the news. Everybody's heard about ransomware. Unfortunately, that's causing people to forget about other things that are also important, other types of attacks and other threats out there. But ransomware has become more and more prevalent. There are all these groups, and it's always interesting to see the names. Hive is one, but there's all these interesting, weird names that these criminal groups come up with. They probably sound a lot cooler in other languages than they do in English. Some of them are like "magic pony" and different weird, weird things. But they're popping up all over the place. And one of the big changes - one of the big things that we're seeing that's more prevalent in addition to ransomware is the compromise of technologies and tools that we would otherwise consider trustworthy, right? We saw this with the Microsoft Exchange attack. We saw this with the SolarWinds attack. Now it's not just affecting healthcare, but it affects healthcare in a very, very heavy way. It's got its own set of challenges. Because, I mean, let's face it, the healthcare industry is so critical. And they have literally lives on the line. They're relying on their system uptime, and they have to have those machines running. So to have outages, like we just saw at Tenet, right? I mean, that's a rough, rough thing to face when you're in the healthcare space.


    Jerrod Bailey  05:34

    Yeah. Well, so what are you? What are you seeing? Well, so let's talk about some of the things that are kind of changing the landscape, right. So we've got sort of new or maybe exacerbated vulnerabilities. One right off the bat is we're seeing a lot more like hybrid remote work, right? People working from home people working maybe from their own devices and things like that. We're seeing an adoption of virtual care, right? So telehealth is starting to be very widespread. And that's creating some new things. And what we're seeing doctors moonlighting on telehealth and in doing other things, maybe outside of their normal practice, we've got this acceleration of the Internet of Things in you've got remote patient monitoring, you've got PHI, that's being generated at very large scale from remote locations and being sent to centralized processing and things like that. You've got just like an increased sort of just general digitalization of healthcare. You've got this new kind of heightened focus on the digital patient in general. So there's just like a lot more data flowing around, it's coming from a lot more different places. Maybe things that we like, to your point earlier, we took for granted, were secure and maybe are not, like, are you seeing any of these trends? Kind of pinging your radar?


    Zach Fuller  07:03

    Yeah, that there's, there are a whole bunch of them. I think some of them maybe get more notoriety than they deserve, and others maybe don't get as much. some really interesting stuff going on? Well, let's talk first about the remote workforce, because that's another one you have attacked, you're obviously ransomware. You have attacks on trusted system software that we consider reliable, right?


    And then the remote workforce, which remote workforce opens up a whole plethora of issues. Now, the companies that we've seen in the healthcare space, I give them big props, they've done an exceptional job, the IT professionals, the, the men and women in the IT field, were kind of the unsung heroes as COVID ramped up, because they were working day in day out nights, no weekends, very little sleep, to get their companies to transition from an on premise environment where everything used to live in the healthcare space to this remote distributed workforce. So that came with its own challenges. It certainly opened up some security flaws, but with the guidance and the technologies that are out there today. I'd say overall, they've done an excellent job.


    When we talk about remote workforce, there's some considerations. We have to take into account, right. And the companies that did the best at this, were the ones that said, take your desktop computer, take your laptop, whatever, just bring it home, we're going to put in hardware certs, we're going to make a direct connection in it's all encrypted, we're good to go.


    Where companies got in trouble where there were a lot of times a smaller or mid-market, ones that had limited resources, maybe sent people home working on their own computers that their kids were using for their homework or social media or whatever the case may be. That's where issues occur.


    The other thing too, is that with the remote workforce, a lot of times people weren't guided and weren't equipped with how to secure their own home networks. So you have people whose username and password are both admin on their router. And so anybody connected to their external IP address can go in and basically change the router settings, right. Stuff like that happened a lot. A lot more than we'll probably ever know.


    But overall, I'm blown away with at least the organizations that we've seen how well they've done with the transitions. And it comes to those a lot of jumping through hoops putting policies in place and things like that. So it wasn't it wasn't a glamorous thing to do by any means. But there was that was serious business to keep these facilities up and running while people couldn't be there.


    Jerrod Bailey  09:45

    It's interesting. I mean, we forget about those unsung heroes. I mean, it's our doctors and our nurses on the front line that were going without sleep for months and months and pulling these insane 80 hour plus weeks. Alright, you forget about all the supporting cast that were also scrambling in all the hospitals to try to keep up and sort of adapt in real time to this new paradigm.


    Zach Fuller  10:14

    Yeah, I mean, for it takes the team, right, it takes, it takes a huge team. And yeah, I think it everybody came together, people put in their best, their very best and dedicated that portion of their lives. So. So yeah, that that was an interesting time now, the remote work is the standard operations it's just how we, how we function, our industry, the cybersecurity industry has been that way, a long time. So it's, it was no real change for us, but a lot of industries heavily affected healthcare especially. So you have that that piece of it.

    Now, let's go to the opposite end of the spectrum, right, which is stuff that a lot of people don't hear about, which is the nation state threat actors. I won't name the countries, but you could probably think of the top five. And one of them might be at war with Ukraine, may or may not be. But another does a lot of manufacturing that we rely on.


    That being said, there's a race for data and intelligence right now, that is, we believe is critical for the future that I'm especially worried about in the healthcare space, right above all else, and that is the nation state threat actors being heavily interested, much too interested in genetic data. So organizations that are dealing with genetic data, really need to, which is a huge portion of that healthcare space with facility, facilities, laboratories, applications, all kinds of stuff, but there's there extra precautions that need to be had there. I don't have a security clearance anymore. So I'm not privy to kind of what the latest is, as far as what that data is being used for. I don't even want to speculate.


    But long story short, they're, they're trying to collect interesting information about the US population. So they're heavily targeting those types of organizations. So you have considerations around the things that we see as citizens every day, but also some deeper level intelligence stuff that time will tell what it results in. So


    Jerrod Bailey  12:46

    nice man saying, Wait, you're just giving me a bad day. Like, I that's the last thing I wanted to say, I'm


    Zach Fuller  12:51

    bringing down the mood here. I apologize.


    Jerrod Bailey  12:53

    I mean, that's, that's, I mean, that, that data and how it could be used in probably is being used, is what we could all imagine, it's my imaginations, pretty active, and it can be really terrible. And I wonder if those listening are thinking about where they have honey pots of such data that that might be attractive to your troves of such data that might be attractive to these nation states. And when you look at the amount of organization that these nation states are doing across all industries, and across social media and other things, it's, it's pretty shocking. I mean, now that everything's online, you can build a quite a few things that that can just automatically go out and just look for the soft spots in the market or soft spots on networks, and what's easy to get into and go exploring around in there and finding out where there's veins to mine of good data, right?


    Zach Fuller  14:02

    That's absolutely what they're looking for, is easy targets. I'd say you do have your cyber warfare type attacks, you do have your hacktivism, but 80% plus of all the attacks out there are financially motivated. They're looking for easy targets, easy ways to get in, and they're after money. They don't really care how they get it. They're in there to make a profit.


    Jerrod Bailey  14:28

    Okay, well, you started to give us some of this earlier and let's kind of explore this a little bit. What are maybe just looking at hospitals, and healthcare in general, what are people doing wrong most of the time? What are they missing most often? And then, and then who are the leader? What are the leaders really doing those that really have a good handle on their cybersecurity, cybersecurity infrastructure and best practices? Like what can we learn from you know, kind of who's leading the Yeah,


    Zach Fuller  14:57

    Good question, and this is no hit on hospitals, or on the healthcare industry in general. They're often times, first of all, strapped for their IT resources or technology resources, for budget for things like security and compliance. And they're already stretched thin. So a lot of times, especially the kind of mid-market and smaller organizations, local facilities, things like that, have a really, really tough time keeping up with the demands. So what they're doing is they're focusing on compliance, kind of their requirements, right, HIPAA compliance, protecting PHI. Right, that's the focus. To be effective in cybersecurity, we have to step back and we have to follow an industry recognized cybersecurity framework. What most people don't understand is that cybersecurity is not just getting a bunch of smart techy people in a room and having them figure out stuff to do on the computers. It's not about make it up as you go. There's no magic behind it, or secret sauce. We need to follow industry recognized best practices and standards, and there are a bunch of them out there. A lot of people have heard of the ISO 27001 standards. NIST, the National Institute of Standards and Technology, Cybersecurity Framework, or NIST CSF, is an excellent framework for people to follow. CIS Controls is another one. And what these frameworks are is really just a big list of all the things that a company should do, an organization should do, to be considered proactive in their cyber risk management.


    So it really gives you a path forward, direction, and understanding of where you are today. And these things are readily available online. You can go to the NIST website, look up NIST CSF or NIST 800-53, there are a bunch of them out there. Reality is they all say about 95% of the same thing. They're just laid out in different ways with some different verbiage, but what they're getting at are those core security controls you have to have in place. Then we have to look at it holistically, right, because that's where a lot of these organizations, hospitals especially, are missing the point. They're looking, again, at protection of one dataset, PHI. Well, what about all their other systems? What about that protection? What about when those go down? Maybe they're not touching PHI.


    But we need we still need to maintain that availability. Availability is incredibly important in this industry. Right? So, so following industry recognized framework first, that's the basis of your organization, you do a risk assessment or a gap analysis, essentially, very, very similar process against that framework, understand where you are, and then you can understand where you need to go from there, where the


    Jerrod Bailey  17:57

    by the way, okay, so you're telling these act that we've got these larger frameworks, HIPAA, if I'm just checking HIPAA boxes, I'm not following these larger frameworks, right? And I'm, I'm it but maybe it's a subset of some of these are, could be considered something like that, or how does it relate to these larger frameworks?


    Zach Fuller  18:16

    That's exactly right. So in fact, HIPAA is essentially a derivative of NIST controls. So they pull out the controls related to protecting data, protecting that type of dataset. Now, if you can be, if you're compliant, you can be 100% compliant and very insecure as a company very open to attack. But if you're secure, you're going to be compliant as well, that basically you so that's why I say be work on security, first with an overarching holistic framework, and your compliance will fall into place much, much easier than starting with compliance and just saying we're good because we protect this data. But yeah, you think about HIPAA is looking at just those that really anything is in scope is going to be around protected health information, right, that PHI that's, that's going to be the focus. But hospitals, especially have lots and lots of other systems.


    For example, one thing that the healthcare industry really struggles with is all the deprecated systems, right? So as a hospital, we buy all this medical equipment. It was bought 10 years ago, 15 years ago, it's got to connect to the network, but there are no updates for it. Right. And we've dealt with, with medical device companies, and a lot of times I hate to say it, they don't care, they sell the product, it's out the door, it's in your network, your problem now. So it's important for people to again, follow those best practices, but then also understand within these deprecated systems that we have to work with, right? There's no replacement or no cost-effective replacement. We have to segment them in a way that that essentially creates a good happened, our network that is not easily, easily moved through, if an attacker gets into the network somewhere, all right, we have to segment them off, make sure that those are managed in a somewhat unique and separate way that's going to vary based on the device, there's no one size fits all approach.


    But we have to do that for the protection of our other systems, right, because classic ransomware attacks go through and they infect all kinds of systems. A lot of times the ransomware that has been out there for a long time is still hitting deprecated environments and taking them down. So we need to be careful that not just ransomware, but all types of attacks, can use deprecated systems to host different types of malware for data exfiltration and all kinds of things. So we need to be careful there. Another thing in the healthcare space, you have all these people around all the time, right, people coming and going, nobody really knows who's who, there are no checks or anything like that. We have to be especially careful of physical access to devices.


    A lot of people think of cybercrime as, Oh, these are a bunch of people overseas, that are that are just going in and they're hacking our networks, and they're not actually here. Well that's not entirely accurate. We have the dark web, right, and job postings and things where some college kid wants to go make 500 bucks over the weekend, right? Hey, well download this malware onto your thumb drive, go plug it in, to a device in this location, right? And once we get remote access, then we're what you get paid in Bitcoin, right?


    So that's, that stuff really, really does happen, we see it happen. So physical access to devices, that's critical. Just because No, not even that somebody's coming in. And you get your server and you got some bottles of coke, and there's something next to it, and somebody knocks it over and fries your machine there, there's stuff that there's non malicious things that can happen to, from well-meaning just unaware individuals.


    So we need to protect those devices. Critical systems need to have access logs so that we understand who came in and out of there, what, ideally camera systems on things like that, certainly locks, badge readers, if possible. All that sort of stuff should be in place to protect your critical systems. And then also, basically, restrictions, right, disable USB ports on devices, things like that. So in some cases, it might feel a little bit cumbersome, but unfortunately, in this day and age, this is what we have to do for security purposes, just to maintain the longevity of our organizations. So there's wireless considerations, right, I could go on and on. But those are a few of the things that we really need to look at. And then the overarching piece, too, is the human element, right? Our staff or team members are our first line of defense, because we could have a very, very well put together security program from a technological perspective. But the human element is still needed, right? We don't want people downloading ransomware, installing software on systems that wasn't meant to be installed, allowing people to do malicious types of activities. So we test against that, physically go in and test and say, hey, can we actually walk in and plant a thumb drive in this company server? Right, and there are ways to test that. So.


    So the human element and staff awareness training is critical, because they're your first line of defense, but also your weakest link. And that's any organization really


    Jerrod Bailey  23:55

    loves great. I mean, I know from the very beginning of Medplace, we started instituting some things that you and I have been talking since we launched because when you're when you're building from scratch towards some of these, these security standards, it's a lot easier to start there than to try to like retro actively move there. Right.


    So from the beginning, just building Medplace with some of the standards in place. So one of the things we started to do really early on is we have the entire company once a month meet for a cybersecurity meeting, where we talk about all of our systems, what changed, what's new, what's old, what's deprecated, who's got access, who no longer needs access to things. It took us about an hour to get through it early on, and we still do it today. We've got it to where it's pretty unreal, takes about 30 minutes to go through all the changes. But what it does culturally, more than anything practically, is it keeps top of mind security, how we are treating security, not just PHI but PII and all of the systems that create access to our infrastructure. And just being on top of that, and making sure that we're being responsible, there has just been a really good sort of cultural implementation. I would love to see other companies do more of that more often. It's the last thing anybody wants to do that month, the mandatory cybersecurity meeting, but I tell you what, from a culture and best practices perspective, it's created a lot for us.


    And also, I think this is where the IT team can come in, is rethinking how you do things as a company and challenging sort of the, oh, well, we've been doing this for 20 years, does that still need to be that way? Right? Like, for example, we take the approach of, hey, if you have PHI that needs to be shared externally for reviews, or with your carrier, or law firms, because we ended up getting involved in the risk side of things, do you actually have to send that out? Or can you just create viewable access? Does that have to be a downloadable? You know? Or can you just create access for a temporary period of time, for the duration of when it's needed, and then automatically revoke it, automatically purge it, do some other things that just maintain a very, very light data footprint, that maintain a very minimal amount of access, and that really, ultimately, don't even let PHI go out to the outside world, right? You couldn't do that 10 years ago, like it was really hard to, but now we can. We can render documents in the browser, and we can even render imaging studies in the browser, right, without actually creating downloadables and things like that. And I think there's plenty of opportunity, also, just to stop and say, with new technology, can we redesign entirely from the security perspective some of the things that we sort of took for granted previously?


    Zach Fuller  27:02

    Yeah, and those are all great approaches, great thought processes, right? I mean, keeping security top of mind for people not only helps them in the workplace, but at home, around their family, loved ones, all of that. That's what we all need to be doing. Throughout the world, really, organizations need to be educating people on this, because they're not going to get it anywhere else, right, other than their employer. And then on the data side, never be a data hoarder. Keep as little data as you possibly can, less is more in that case. Obviously, we all need data to function and perform our jobs. But the less we can get away with, the better off we'll be. And maybe we need to keep data for the long term; we can segment that out and put it on a read-only type of disk, and basically file it away, get it off the web, out of the cloud, all of that. There are some old fashioned methods that still work to this day. So all those are excellent. And then just continuous backups. But yeah, I mean, in security, we call it the principle of least privilege, right? Only give people access to what they need in order to perform their jobs. And if you follow that principle of least privilege and think about that day in and day out when you're operating, you're going to have a much safer environment overall.


    Jerrod Bailey  28:39

    It's true, and it does come back to that: do you have a culture in your organization that's thinking about security? And is it top of mind? Another thing that we do here at Medplace, we have a Slack that we use to do intercompany chat communication, like many companies do. And when someone detects a phishing attempt, they'll post it on the Slack and say, hey, I just got a phishing attack. And like, there's a really common one. I've seen this a million times, but because I'm the CEO, hackers will do this, they'll go through LinkedIn, they will identify all the employees, they'll figure out their mobile phone numbers, because guess what, that's all out there and public information. And then they'll proceed to text everyone. That's not me. And it'll look like it's coming from me and it'll say, hey Zach, this is Jerrod, I really need you to call me back really fast on something, or I need you to buy 10 gift cards for this highlight really quick, right? Very common. But a lot of employees don't understand that, or they've never been texted by the CEO, suddenly he's asking me for something, and they jump on it. And so our team is conditioned to now post that and say, hey, here's an attempt, and guess what, 15 other people in the company got the same text, right, or the same email. Or, hey, here's a really believable looking phishing attempt having to do with Microsoft admin credentials. And all of a sudden, I mean, it looks very, very believable. But you know, if the company, everyone, is sort of almost gamified to, like, look what I found today, and then broadcasting to everyone else, hey guys, keep your head on a swivel, this is something that's going on. Yeah, it's just generally a good practice. And I wonder how many teams are doing that, or even seeing when there's attempts made? Because we can all sort of educate ourselves instead, and hopefully stay ahead of some of the bad guys.


    Zach Fuller  30:40

    Yeah, that's exactly right. It's a good strategy. Because a lot of times, if they are looking at your organization, specifically, they're going to perform that, that attack that attempt in mass to try to collect what information they can, or compromise on a lot of times to email compromise, right, same sort of thing. But that's very, very common. And it's common, because it works, right, people are falling for it day in and day out, it works for the criminals. I mean, we had a company on the East Coast reach out with many, many machines and the four figures encrypted with ransomware, across multiple offices. And if somebody wanted to click on an email to get a free $100, Amazon gift card and so that stuff absolutely happens. But awareness is the thing in which said about gamification, if you can do that, and almost kind of make it fun, or even reward it, in some ways. That's what we want to do. We never ever want to talk down or, or kind of unleash, yeah, give somebody any kind of negative feedback for reporting anything, even if it's perfectly legitimate even if it really was you texted them. So, as leaders, we need to come from that frame of mind that, hey, that's real. And then leaders of organizations, they have to have to drink their own medicine, right? If you're going to say, “Hey, this is our acceptable use policy for our devices, you better be following that policy,” right. And those standards, otherwise your team members won't. So basic, basic stuff, but a lot of times, it's the basics that, that work that save us each and everything.


    Jerrod Bailey  32:23

    That's interesting, like as Silent Sector engages with different companies, obviously, you guys come in, and you sort of assess what they've got, you look for gaps, you may or may not be attempting to penetrate the different defenses to try to expose where there's gaps. When you get to the mitigation side, so gaps are identified, what do you find are the most common mitigation sort of categories that you're engaging with, with companies, and maybe that's healthcare related, if you have that kind of specificity, but maybe


    Zach Fuller  32:55

    A lot of organizations, it's building from the ground up. In fact, like I said, a lot of healthcare organizations, they'll feel comfortable with their HIPAA compliance, but they won't have protected everything else. And so a lot of times, it's that. And getting in, a lot of it has to do with a common misconception that it's all about getting on machines, and configuring machines and devices and stuff. That's part of it. But a lot of it has to do with, and where the real value is, what happens before anything else, which is thinking through how the organization works, and creating the governance around that for the secure use of their IT assets. It doesn't matter if it's an application, or if it's an on premise network for a facility, or whatever it is, we have to think about the secure use of our IT assets, to include what the team members are doing. So a lot of things that we see in mid-market and emerging sized companies are issues like bring your own device policies, right. So what happens? Somebody's accessing email or company information on their own phone. Is that okay? And if so, how do we mitigate the risk around that? Do we need to set up a mobile device management platform, or what are we doing to minimize our risk, given that data can be out there on devices that we don't necessarily control or have physical possession of? So things like that. Another thing is, you see a lot of organizations, especially smaller sized, where all their team members have administrative access to the devices, the computers they're using, laptops, desktops. That can pose a serious problem and is a big compliance risk as well. Because you could put the best, you know, antivirus solution on there and they can go in and disable it, because they think it's making their internet slower or some absurd thing, you know. That stuff happens all the time, right?
So we need to have you know, centralized management of CIS systems, making sure again, and that goes back to that that principle of least privilege, right, we can have role-based access control, giving people only what they need, based on their role. Right we can have, we can have those latest patches being pushed out all of that. And centralized management of devices is a common one. Among smaller organizations, you have a lot of them too, are just not in a practice of making security a, a function in the company that that continues to grow and strengthen with the company. So in other words, and there's two sides to the, we're talking about assessments and testing, there's really two sides to the coin there. When you're understanding what your security posture looks like. There's what I would call consider like a paper analysis that happens through interviews and, and documentation, review and review of system architecture diagrams, things like that. That would be your cyber risk assessment. And again, that would follow the industry best practices and in a framework like NIST, or CIS, or ISO, would be your cyber risk assessment. So companies will get into a rhythm of doing that, at least on an annual basis. Some, some more frequently keep it more fluid, just depends on the resources, right. And then the other side of the coin is the technical analysis, we also want to look at your systems and environment, the way a cybercriminal would, right want to see it from their shoes, from their point of view, using the same tools and technologies methodologies that they use to do their attacks. Right. So it's important to see what the enemy sees. So with that, that's typically called penetration testing. So penetration testing is also called White Hat hacking. Some people call it red team exercises, right. But that's the, the process of simply going in there trying to hack the systems. 
And then more important, while most importantly, out of that, remediate any of those technical deficiencies that are found before the cybercriminals, find them? Right. And that should, again, that's at least annually, more sophisticated organizations are going to do it on a much more frequent basis. And then you have lighter methods of monitoring and things continuous vulnerability scanning, and things you can do to kind of keep an eye on your environment in between those types of activities.


    Jerrod Bailey  37:33

    Sounds great. Well, Zach, I'll tell you, this has been a great conversation. I appreciate you joining me for this. We'll hopefully do a round two on this, especially because there's so much stuff in the news that I think is relevant to this audience. How do we find you? How does somebody get a hold of you if they'd like to?


    Zach Fuller  37:55

    Yeah, you can find me on LinkedIn. Just search for Zach Fuller, Zach with an H, Silent Sector. Or silentsector.com is our website. There are contact forms on there. Reach out either way, and I'm happy to chat and support if we can.


    Jerrod Bailey  38:12

    We'll be sure to link all of that information in the show notes as well. But in the meantime, I appreciate it. It's good to see you as always. Thanks for keeping us safe, Medplace and everybody else. And for everyone else, thanks for listening to Reimagining Healthcare, a new dialogue with risk and patient safety leaders podcast. Again, subscribe and share if you found this episode valuable. And if you'd like to participate as a guest, just email us at speakers@Medplace.com. Zach, thanks again for joining in. Good to see you. Thanks for all this helpful information, and good luck in the fight out there.


    Zach Fuller  38:54

    Hey, thank you. Thank you for having me, and I'll see you soon. All right, bye-bye.

In Medplace's second delve into cybersecurity, Zach Fuller discusses the cybersecurity threats that health systems face, the role of international events in hospital cybersecurity, and some best practices for keeping data safe. Fuller then describes what a security-savvy workplace looks like, covers telehealth, and goes over some security frameworks that healthcare organizations can implement.

Guest - Zach Fuller

CEO, Silent Sector

Zach Fuller is the head of business operations and strategy at Silent Sector. His organization protects clients across industries like healthcare, B2B technology, financial services, and aerospace and defense with stringent cybersecurity and compliance requirements. Zach is also a good friend of Medplace, which uses Silent Sector for its own security, penetration testing and assessments.
