Transcript
Andy Slawetsky:
What’s happening, Andy here. I’m joined today by Paul Banco and Ben Manning of ETHERFAX. How are you guys doing today?
Ben Manning:
We’re doing well.
Andy Slawetsky:
Good to see you. What’s happening? What’s happening? First, let’s just revisit a little bit. We saw you Paul, a couple of weeks ago at the CDA dealer meeting conference. It was in Cincinnati. That was actually your company’s first meeting of that sort. You haven’t done really any of the peer groups or BTA meetings before. So welcome. That was exciting to see you guys there. Tell us a little bit about ETHERFAX and what did you think of your meeting there?
Paul Banco:
It was a great meeting. It was a great conference altogether. It was my first time there, obviously. I kind of went there last minute. Two colleagues of mine were there, Ken Romo and Jennifer Greco, who really managed that side of our business. I thought the conference was really well run, well put together. It was very intimate, which was really nice. It wasn’t this big massive conference. You actually had an opportunity to really sit down and talk to people. So we’re going to certainly do it again and looking forward to the next one. And it was great to see you there as well.
Andy Slawetsky:
Yeah, it was great to actually meet in person. Finally. It was a good couple of days. They had a security breakout session, or the first day or so was all security based with, not security so much, but just managed services in general with their MTA group. And you were there for the full meeting, so for the MTA side and then also the CDA owners part, which was after. So they did spend some time talking about security and then we were talking about an article that you had posted on LinkedIn that we’ll share a link to at the bottom of that, but it spurred the idea of maybe we should do a video and discuss a little bit about some of the issues out there with data and security and just in general breaches that are going on and where things stand. So just maybe Ben, why don’t you give us a little bit of background on who is ETHERFAX? What do you guys do?
Ben Manning:
Yeah, so we are really, we built the entire foundation around what we call our secure exchange network. So connecting any two agnostic endpoints across the network, getting rid of what you would call traditional fax over telephony. So not two modems hissing at each other anymore. It is putting fax boards in the cloud and moving documents back and forth at the speed of digital. So we really, as Paul would like to say, if he had a crystal ball 20 years ago when he started ETHERFAX, he would’ve named it something different. We’re so much more than fax at this point. We are a secure exchange network, a software-defined network if you will, allowing any two endpoints to connect and exchange any type of documentation and really getting into more, away from faxing. We’re creating what we’re calling the off-ramp from fax and the on-ramp to interoperability. And in that off-ramp from fax, it’s really the idea of document exchange versus simply faxing something back and forth. So that’s kind of where we are in terms of the company and where we’re going.
Andy Slawetsky:
So Paul, how is fax still even a thing? Great question. Just won’t go away every day. It’s the original way to move documents back and forth between businesses. It was still in its heyday when I was selling copiers, but how is it still a thing?
Ben Manning:
Yeah, the simple answer to that is it just works, right? So if I need to get a document from A to B, especially if I need to, if security is part of that document transport, I can’t just throw it into an email. Email is not secure. Secure email is really complicated to try and get through. It’s the exchanging of keys and all of that information on the backend and I have to have the key to open it, whereas fax just works. It has just worked for a long time. If I have a document and I need to get it from point A to point B, we all have an identifier as we like to say. You’ve got your cell phone, that is your unique identifier, your cell phone number, and so a fax number is a unique identifier. I can identify who it’s going to. In the same sense, if I’m getting a document, I can identify who it’s coming from and at the end of the day, type in 10 numbers, hit the shiny green button and it just goes and it just works. It is simple and it is easy. And also with ETHERFAX as a backbone, it is secure all the way across. So even in today’s day and age, this is why people are still faxing.
Andy Slawetsky:
It’s easy. How is it more secure, Paul? How is it more secure than just let’s say scanning? Everyone’s got scanning now everyone’s got email, right? What’s the difference in layman’s terms?
Paul Banco:
Yeah, it’s interesting.
Andy Slawetsky:
Fax is still legal for so many things, whereas scanning and just emailing documents is not right.
Ben Manning:
Yeah, an email is not HIPAA compliant in the healthcare world, but faxing is HIPAA compliant. So you’ve got that going for you as well.
Paul Banco:
Right? The idea behind it, and I often struggle with this in terms of security, the transmission can’t be altered, or it can’t be altered in transmission. I mean, that’s really the layer of security behind the fax. And I would argue that in today’s day and age, it needs to be better. It 100% needs, but it needs to be as simple, but it needs to be better on the security aspect side of things, which is really where the secure exchange network for ETHERFAX comes into play, because we have control of the entire path of that document, where we can completely encrypt that tunnel. And then for added levels of security, if you really want to go crazy and wild out there, we can throw some end-to-end encryption out there as well. But going back to why is fax still here today? I think the number one answer or the number one reason for it is its simplicity, right? It’s ubiquitous. I don’t have to worry about interoperability between systems. Is your system going to be able to ingest the data of what I’m sending you? I can walk up, put it in, it’s secure, and I put in my 10 digits and it goes and I get a confirmation. It either went or it didn’t. That’s why it’s still so heavily used, especially in healthcare today.
Andy Slawetsky:
Well, the compliance issues, that’s got to be one of the drivers of that. So you wrote this article, it was targeted towards CIOs and you talked about audits and the importance of audits. Why don’t you give us some background on that, and what were some of the points that you were making about that for our listeners?
Paul Banco:
Well, think about it. I mean, if you were to call a service and you wanted to use, let’s say, an ETHERFAX type solution, the very first questions that you’d ask them are, are you secure? Are you HIPAA compliant? Nobody’s going to tell you “No, no, we’re not secure. No, we’re not HIPAA compliant,” right? Well, okay, you say you’re HIPAA compliant, you say that you’re secure. Here’s my 1,000-question questionnaire Excel worksheet. Please go ahead and fill this out so I can see how secure you are. Okay, so this is what a lot of customers are doing today. And truth be told, alright, we could fill those things out all day. They’re time-consuming, and I could put anything and everything in there that you want and hand that back to you. And then you can put your little checkbox and say, well, they’re secure and they’re going to sign this BAA, and God forbid there’s a breach, they’re going to be financially responsible for that.
That’s what we’re seeing time and time again. Now for the organizations that are really, really secure and have security prioritized, and it’s the top of their mind, they’re going to, they’re not going to just take your Excel sheet or their questionnaire that they sent, or Word. They’re going to say, okay, this is great. Now what third-party audits have validated this information? Show your attestations of compliance. Let me see that you were audited by a third-party QSA for HITRUST, for PCI. Let’s see that. Because then we know 100% that someone else, a third party, not biased, an unbiased third party, looked at the information. You provided evidence and you are doing exactly what you say that you are doing in regards to securing data. That’s where we need to be.
Ben Manning:
Yeah, and I think on that point, Paul, you’ve got the numbers off the top of your head. I never do. Talk through the number of controls that we have with going through third-party HITRUST attestations of compliance, and then also FedRAMP, the number of controls there. Those are important, much more in depth than those security questionnaires that we get.
Paul Banco:
Yeah, I’m looking for, so PCI and FedRAMP, I’m sorry, PCI and HITRUST, you’re around 390 plus controls, I think HITRUST, and again, I’m not exactly, it’s give or take 10 or 15 controls, around 420, 430 controls in their r2 version. And then you take a look at FedRAMP, which we’re currently in the process of going through right now, and that’s around close to 1300 controls on top.
So hands down, I applaud HITRUST, I applaud PCI. The fact is, if you did HITRUST four or five years ago, they just took your word for it. They had a lot of problems with auditors, QSAs saying, oh, they provided us evidence when they didn’t provide us evidence. HITRUST has done a phenomenal job of weeding out the bad and bringing in the good and actually making it harder and stricter to get their certifications, because you’re having to present much more evidence to get that attestation of compliance, which is why these certifications are hundreds of thousands of dollars a year to maintain, and just to even go through it’s resource intensive, but it does show a level of commitment to whoever’s looking at you and how serious you are about security.
Andy Slawetsky:
And credibility. I mean, it’s one thing when I say, yeah, like you said before, but when you’re confirming your own numbers, I mean, if you were going to lie about it, then you’re going to lie about it and nobody’s ever, hopefully, going to find out about it. But if anything, if there was a breach, everyone’s going to find out about it. And then your recourse is, well, this person was this dishonest, and maybe what else did they lie about? So it keeps everybody on the same page. And I like the idea that it validates what you guys do. And so is this something that vendors are doing? Is this something you think dealers could actually go and do on their own? And do they get certified? How do they play into this process?
Ben Manning:
I think the value of ETHERFAX is that we get those certifications and those attestations of compliance. And then anybody who’s using ETHERFAX’s services, whether it’s through Lexmark devices or Ricoh document scanner devices, anybody that is on our network using our services, any of the documents that are exchanged across our network, they all fall under that HITRUST compliance. We operate in a HITRUST environment. We operate in a HIPAA compliant environment. So the benefit of working with a vendor like ETHERFAX on the backend is that you don’t have to worry about getting those, each individual vendor, each individual dealer doesn’t have to worry about the security compliances. It comes along with working with ETHERFAX. And I think a large part of the article that Paul wrote was getting to the CTOs and the CSOs and the end user who gets the document into an inbox and they think, well, it’s there.
It must have come securely to them. Security is an afterthought at best. They just think, oh, there’s a document, I’m going to use it. It’s the CSOs, the CTOs that have to worry about, did that document arrive securely? Is there some data breach? Think of like an insurance company, a law firm. A lot of our volume is in healthcare. One PHI data breach could shut down an entire healthcare system, hundreds of hospitals in a healthcare system or ambulatory clinics. And what does that do in terms of their visibility, in terms of their credibility, that we went with a vendor that, nod nod, wink wink, yeah, they said that they were HITRUST certified, just trust us, versus going with a vendor that went through this attestation of compliance. And yeah, this really is a certified secure network. So that’s kind of where we draw that distinction for us.
Paul Banco:
Paul, you want to add to that? Yeah, absolutely. I mean, from the dealer side of things, I mean dealers, they’re on the front lines. Who’s the very first one getting a phone call in the event of a security breach? Hey, Mr. Dealer, you told me this was secure. Yeah, well that’s because the vendor told us it was secure. Did you do any due diligence to make sure that they were secure? No. Or, yeah, we gave ’em an Excel spreadsheet, they answered it. It looked great. So dealers, when they’re positioning, they know that ETHERFAX has spent the money. We’ve provided attestations of compliance, and not only HITRUST but also PCI, and we’ve provided HIPAA guidelines, because HIPAA is really nothing more than a guideline. There’s no governing body that’s validating whether or not you’re HIPAA compliant. But vendors, when utilizing and pitching ETHERFAX, they know that we have gone through this rigorous process and that we have allocated the resources, we’ve allocated the financial resources, the manpower, on what it takes to get these levels of certifications. So you could talk to dealers and they’ll tell you all day long, we sleep much better at night knowing that you have these certifications.
Andy Slawetsky:
Yeah, I could see that being hugely valuable. So I guess the advice really is that dealers need to look at who’s supplying all of their products, really, especially products that are security minded, and secure fax obviously plays into that, but you should vet them and find out what kind of certifications they have and who’s provided those to them. That’s definitely something that I wouldn’t have thought about until reading that article. And how important is that process now as things continue to move to the cloud, especially as we get off?
Paul Banco:
I mean, more so than ever. I don’t think, and I’m not really on the sales side, but I do see the things that come across, especially when it relates to security, because we actually, if we get these massive security questionnaires, we obviously deal-size it, because it takes a lot of resources. I would say that if we had 50 healthcare deals a month, alright, for 47 of them, the very first thing they’re asking for is third-party attestations of compliance.
Andy Slawetsky:
Wow. So that’s becoming a huge deal then.
Paul Banco:
Huge. Because what do you read about every single day? Hospital breach, data breach, ePHI breach, this and that. Why? Because all we were doing was the checkbox. All we were saying was, here’s the questions, answer them. Nobody ever validated them. Now, CISOs and CIOs and TSOs, whoever’s in charge of the security side of things, they’re getting smarter and they’re demanding and they’re requiring more, because we are moving to the cloud no matter what you say, no matter what you think, no matter how, whether you like it or not, we’re moving there, and healthcare, agree or disagree, but they’re the last, they were the last to embrace the cloud. But now it’s more and more.
Andy Slawetsky:
Well nobody needs security more arguably than healthcare. Right. So good opportunity, good conversation. I appreciate you guys taking the time to come on and chat with us about this. This is really enlightening. Any last advice for everybody as we wind down our time here? Paul, why don’t you start?
Paul Banco:
Yeah, 100%. So for anyone that’s out there, vendors, customers: validate. Don’t just take their word for it just because they filled it out. Don’t use the “oh, it must be true, it’s on the internet” type of mentality. Put your vendor through the due diligence, do the due diligence, put them through the process, and require and ask and have them present you what they’re saying that they’re attesting to.
Andy Slawetsky:
How about you, Ben?
Ben Manning:
Yeah, I couldn’t agree more with that statement. We put so much weight into going through the third-party attestation of compliance. And if others are not doing that, you have to question, is that a vendor that will stand behind the dealer? And the dealer, knowing that, then will stand behind us, and they can do so comfortably knowing we’ve gone through all of the time, effort, and the money. As Paul mentioned, it is expensive, but we do it because it’s important to us and we do it because it’s important to the dealer. And so I think any of the vendors, any of the dealers, any of the manufacturers out there, don’t, like Paul said, don’t take their word for it. Ask, but also ask for that third-party attestation of compliance as well. That really says someone else has verified that you’re doing this, and that’s important.
Paul Banco:
Yeah. I do want to add one thing, Andy. And this was, we’re a very security conscious organization. When we built ETHERFAX from the ground up, we took a lot of what our sister company does in the government side of things and we put that technology into the ETHERFAX protocol, service, what have you, into the product line. When we went through our first HITRUST audit, you really get an understanding. We all thought, hey, we were great. We had our I’s dotted, our T’s crossed, we knew what we were doing when it came to security. We didn’t have to worry about anything. We realized just how vulnerable we were and the lack of policies that we had from just this one audit. And it was shocking. And I remember HITRUST, they score you across 19 different domains and you’re weighted, and I think you needed back then, with HITRUST.
If you’re going to watch, just don’t quote me, don’t get upset at me, but I think you needed a passing score of 70. And we came out of the box and we had a passing score of 60 after we did our first assessment. And our QSA, who by the way is great, and I’ll throw them a plug, CompliancePoint, they’re doing our HITRUST, PCI and FedRAMP. They came to us and said, you guys, not for nothing, you guys were the highest that we’ve scored out of the box. And I said, well, it’s interesting. What do hospitals score? They’re like, on average, like a 30. And I’m like, wait, let me just understand this. My health. Now you go and you sign your HIPAA waiver and all of this and all of that and nobody reads it. And so knowing that I’m going to go into a hospital, knowing that the overwhelming favoritism is the fact that my data is going to get hacked in this system, at what point, but what am I going to do? Refuse medical care?
Andy Slawetsky:
Kind of in a situation, right?
Paul Banco:
It’s like, hey, alright, I’m bleeding out of my jugular. I guess
Andy Slawetsky:
I’ll worry about that later.
Paul Banco:
Exactly. So it was just eye-opening for organizations that think they’re secure until they go through a third-party validation.
Andy Slawetsky:
Until somebody else looks at it. Companies go like this and they don’t look outside, off to the sides, very often, and they know what they’re doing and they do it day in, day out. But all of a sudden, to have somebody else come in and go through your processes and your practices and criticize and try to find holes, it’s probably something every company should do at some point. So this has been awesome. Thank you guys so much for sharing this, and we will catch up soon, and have a great weekend. Good seeing you guys.
Paul Banco:
Likewise Andy. Thank you.
Andy Slawetsky:
Thank you.