Spotlight Interview: Scott Fuller, Chief of Cybersecurity Practice, CyberPro Partners

About Scott Fuller, Chief of Cybersecurity Practice

With over two decades of expertise in technology and security leadership, Scott has penned 14 bestselling books on networking, applications, and security. A distinguished member of the Forbes Leadership Council on Technology, he consistently delivers thought-provoking articles to the publication.

Scott’s expertise has been crucial in guiding numerous organizations through the complexities of technology security, enabling them to tackle and overcome significant challenges. In addition to his leadership in security, Scott leads initiatives in AI and blockchain technology, showcasing his dedication to advancing innovative solutions.

About CyberPro Partners

CyberPro Partners is a leading provider of cutting-edge cybersecurity solutions, offering access to experienced Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs) on a fractional basis. With a commitment to empowering organizations with robust cybersecurity measures, CyberPro Partners specializes in delivering tailored solutions to meet the unique needs and challenges of businesses across various industries. By leveraging the expertise of seasoned professionals, CyberPro Partners helps clients strengthen their cybersecurity posture, mitigate risks, and navigate the ever-evolving threat landscape with confidence. Whether it’s providing strategic guidance, implementing security measures, or managing audits and compliance, CyberPro Partners is dedicated to ensuring the security and resilience of its clients’ digital assets.

About HealthWare Systems

HealthWare Systems is a leading provider of fully integrated, customizable workflow solutions and Revenue Cycle Management software. We specialize in applying robotic process automation (RPA) to healthcare processes to improve both the patient experience and the revenue cycle. Our ActiveWARE suite of products manages pre-arrival, financial assistance, early out, collections, denial management, claims follow-up, and more, and is proven to maximize productivity and profitability so that healthcare teams have more time and resources to spend on quality care.

Medical Travel & Digital Health News (MTDHN): Can you describe your responsibilities and provide an overview of the company’s role?

Scott Fuller (SF): CyberPro is a subsidiary of HealthWare Systems, a longstanding provider of healthcare solutions. My involvement with the company began with conducting a SOC 2 Type 2 audit, also known as a System and Organization Controls (SOC) report, an independent assessment of an organization’s systems for security, availability, processing integrity, confidentiality, and privacy.

This is a common practice by healthcare organizations to demonstrate cybersecurity compliance to the company’s clientele. It’s important to have third-party validation confirming that an organization is secure, especially in an era where cybersecurity concerns are escalating. It’s almost becoming mandatory.

I’ve been involved in healthcare for quite some time. I was the Assistant CIO for Doctors Hospital at Renaissance, a 500-bed physician-owned facility in South Texas, where I launched an information security program. We were the last physician-owned facility under the current revision of the Stark Law. From there, I branched out into roles within software companies while maintaining my focus on security.

As cybersecurity increasingly becomes a concern for many companies, CyberPro focuses on the underserved market of smaller companies. Every company, small or large, has the same trouble of trying to remain safe with cybersecurity. However, larger organizations are able to afford dedicated cybersecurity teams to protect the company as best they can while smaller companies may not be able to afford this level of attention.

My specialization lies in assisting these smaller companies in a fractional way by giving directions and setting up security protocols to prevent them from becoming a target of cyber-attacks.

While CyberPro does work with larger clients with specialized needs, our biggest vision is addressing the needs of this underserved market and helping them effectively navigate the cybersecurity landscape. We offer frameworks, education and ongoing accountability where we meet weekly or monthly, depending upon the clients’ needs.

MTDHN: Do you primarily service hospitals and do you also meet the needs of self-insured organizations?

SF: We have historically serviced hospitals and tertiary healthcare organizations to identify their vulnerabilities. We recommend all organizations do this monthly.

We are now expanding our service capabilities to help self-funded employers protect themselves against cyber criminals, since plan sponsors have a fiduciary responsibility under HIPAA to guard against hacking of personal data and information.

MTDHN: For self-funded employers who contract with hospitals and vendors, do they need to get assurances from all of their vendors in addition to the data they’re storing themselves?

SF: Yes. If you look at all the breaches that have happened recently, the majority of them are happening from third-party vendors.

Within the last few years, third-party risk management has become a high priority for organizations. It revolves around the fact that you can do everything you can to secure yourself, but you’re only as strong as your weakest link. For a hospital or any other organization, your vendors are bringing vulnerabilities to the table. Across various industries, organizations are now starting to scrutinize third-party risk management.

There was a recent incident with a large payroll service organization that creates customer portals. They created a flaw where they inadvertently gave everybody in this organization administrative access to the portal, which contained private information such as home addresses and Social Security numbers. Although it was luckily caught very quickly by the Director of IT, anybody could have gone in and looked at this private information. It was an internal breach – a breach of trust.

When an employee shares personal information with his/her employer, there’s an assurance that it will be handled correctly and appropriately. Most companies do an extraordinary job of this. But in this case, the software company that the organization used granted everybody this highest level of permission.

My remediation plan for the company included implementing stricter access controls where there must be a level of approval before anybody can access this information. In addition, I wasn’t entirely happy with their level of logging, so we enhanced their logging mechanisms to ensure that, if this ever happens with any other customer portals, they must be able to show who looked at what to understand the level of damage and exposure.

MTDHN: How should these organizations identify their vulnerabilities?

SF: About five years ago, it was considered healthy to have a yearly penetration test done where a hired professional would come in and pose as a hacker to simulate a cyberattack which would expose the company’s vulnerabilities. This allowed for accountability and remediation efforts throughout the year.

Fast forward to today, hacking abilities are coming out so fast that if you’re not taking a proactive stance, you’re setting yourself up. Even if it isn’t a full penetration test, companies should have some sort of vulnerability testing done monthly that highlights their vulnerabilities and what needs to be done. This is crucial because cybercriminals are continuously attempting to exploit vulnerabilities.

For instance, three years ago, I advised an OBGYN clinic owner who fell victim to ransomware. Her clinic was small with just five employees, yet she was still targeted – a reminder that the size of the organization doesn’t shield them from cyber threats.

I’m not necessarily in favor of paying the ransom, although there may be some instances where that might be the thing to do. But generally speaking, once the cybercriminals know that you can pay, they will try to make you pay again. In the doctor’s situation, I saw that it was nothing more than about two days’ worth of effort to bring her system back.

In the post-incident analysis, we discussed the attackers’ rationale – why they would attack a small clinic as opposed to the larger hospital right down the street? To them, the clinic was merely an IP address with exploitable weaknesses. They gauged the ransom of $15k based upon what seemed attainable for the clinic after looking at the clinic’s database.

In cyberspace, everyone is a potential target. Like street thugs seeking quick gains, cybercriminals exploit and then move on swiftly. Whether it’s a small clinic or a major hospital, no organization is immune.

MTDHN: In the healthcare industry, there’s heavy reliance on third-party vendors for digital solutions such as remote patient monitoring, as well as technologies for tasks like weigh-ins. Since employers are increasingly partnering with these vendors to monitor their employees’ health, is there a risk?

SF: The rise of telehealth, particularly during COVID-19, has been remarkable. Even before the pandemic, the concept of telehealth held promise, especially for rural communities where physically getting to a doctor was difficult due to lack of transportation.

For some time, information technology was a roadblock because there wasn’t enough bandwidth to always have a video conference like we do today — there were a lot of limitations. Now, there’s so much broadband everywhere and technology has gotten to the point where telehealth has become increasingly accessible and convenient.

I noticed that the pandemic prompted a surge in telehealth usage as healthcare facilities sought to limit in-person visits and the number of patients waiting in the lobbies. This spike not only addressed the needs of patients who had previously struggled to access healthcare but also appealed to those seeking convenience. It’s fantastic but it does decentralize and it’s important to be aware of potential cybersecurity concerns.

With telehealth, you don’t have a brick wall defense where all the devices and data are contained. There is a risk of data being spread out across your cell phone and broadband networks.

For instance, the recent breach involving Kaiser Permanente highlighted how browsers caching patient data could expose personal information. Certain browsers were caching certain aspects of each conversation. Tech vendors may have received IP addresses, names and other data.

It’s crucial to be aware of the amount of cyber warfare that is essentially going on right now and it is not slowing down. However, I’m encouraged to see organizations growing more aware. Cyberattacks are so disruptive to good companies that provide innovative products or services that might change the way you live. If they overlook just one little aspect that can make them vulnerable, they can get exploited and get knocked off the tracks.

Every single person in the company has a role to play. Establishing a strong security culture and educating every employee, not just the IT team, is essential to mitigate risks and ensure the integrity of our healthcare systems in an increasingly digital age.