This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Interview In Action: Hospital Downtime and Better Recovery Planning with Michael Fredrickson
[00:00:00] Don't let cyber threats put your hospital at risk. The number of cybersecurity attacks on healthcare organizations is growing and patient care is on the line. At the Rubrik Healthcare Summit, you'll get actionable insights from thought leaders like John Riggi, the National Advisor for Cybersecurity and Risk at the American Hospital Association, on how to protect your organization from the latest threats.
Join the Rubrik Healthcare Summit on September 10th and learn how to prepare for, respond to and recover from cyber attacks. Register at events.rubrik.com/healthcare. That's events.rubrik.com/healthcare.
I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor for some of the world's most innovative cybersecurity companies, and now I'm president of Cyber and Risk at This Week Health and the 229 Project, where [00:01:00] we're dedicated to transforming health care one connection at a time. Our Interview in Action series allows us to catch up with health care leaders throughout the industry and hear about the important work they've been focusing on lately.
Now onto the interview.
Drex DeFord: Hey everyone, it's Drex and I've got Mike from Rubrik with me. Thanks for being on the show today.
Michael Fredrickson: Awesome. Thanks for having me, Drex.
Drex DeFord: Tell me a little bit about your background. You have an interesting, I mean, everybody, it's, hey, when you were a little kid, did you think you would grow up to do this?
And the answer is always no. And then it's sort of the next question is the, so what was the route? How did you get it right? Tell me your story.
Michael Fredrickson: Yeah, great question. So just to level set on what I do now, my day job is I run our healthcare vertical here at Rubrik. Started with Rubrik,
fortunately, in the early days in 2016 when we were just a small company, and seen it grow. About 18 months ago, based off of where the market was going and based off of the trends from our customers, we said we needed to really build a program and focus solely on [00:02:00] healthcare.
As a kid, did I think that I was gonna be a healthcare go-to-market professional? No. I wanted to play for the Boston Bruins and I wanted to go play for the Red Sox. In college, I actually wanted to be like an investment banker and work on Wall Street. And graduating during the great financial crisis doesn't really lend itself to that type of career.
And found an opportunity to work for a really growing tech company. At the time, EMC, now Dell with my roots back to Massachusetts, which is for me, where I learned how to support and work with healthcare customers. That's what I focused on early in my career at EMC.
Drex DeFord: And you're in Boston now?
Michael Fredrickson: I sure am. Diehard Boston sports fan too.
Drex DeFord: I know. And I'm just thinking to myself like, I can't believe the Bruins don't call you on draft day. You never get the call.
Michael Fredrickson: Every single year I cross my fingers and I just, I sit there waiting for the call and amazingly I don't get it, so I just go back to the Thursday night beer league that I belong to. So
Drex DeFord: I'm with you. I'm, I keep waiting for [00:03:00] somebody in the NBA to call me too, and it never happens. Tell me what you're focused on right now at Rubrik and what you're excited about. I mean, you just went public, I don't know, a year ago.
Less than a year ago maybe? Yeah. Yep. It's just, you're on fire right now and I love to see it because you have great tech, you have great approaches to customers, but tell me what you're focused on and what you're excited about.
Michael Fredrickson: Sure. Maybe it would help to just give a quick kind of foundation of Rubrik and who we are for those who don't know.
So, we were founded on the principle that it's not a matter of if but when an organization will be going through a cyber attack or have been compromised in some form or fashion, and ultimately you're really kinda only as good as your last line of defense. And you've seen it probably in your career, like the amount of money spent on cybersecurity software has grown exponentially over the last 10 to 15 years.
Yet, cyber attacks are still on the rise. I mean, I think you referenced in a recent article that talked about the rise in ransomware attacks just in the summer of 2025 alone with [00:04:00] groups like Interlock and Rhysida and Qilin. Right. And so, these bad actors are getting through.
And so your ability to go keep clinical systems online, recover quickly, really depends in large part on the backup environment, and we were founded in a world where legacy architecture just wasn't built to answer the critical questions today, like, is the data even there when a ransomware attack happens?
Has the backup infrastructure survived? Understanding what data was compromised, was there sensitive data in scope? Do you know where the malware is? And how do you know when to actually go recover that data and not reinfect the environment? Where do you recover to? Have you practiced?
Have you orchestrated? Right? And so this is why we see the proliferation of cyber resilience programs across our customers. And that's really what we are. We are a cyber resilience company. We're a software company. We combine zero trust data principles, data protection, with cyber recovery and identity resilience.
We apply that platform to workloads both on-prem [00:05:00] in the data center, think large scale virtual environments, database environments. One of our specialties is Epic and EHR protection, cloud, SaaS, large unstructured medical imaging workloads, identity I mentioned. And so, we take that approach to that last line of defense to make sure that data's there, we give you the insights to be able to recover in a timely manner.
So that's sort of Rubrik in a nutshell. What we're focused on as we grow this healthcare vertical is thinking about how do we minimize the amount of downtime associated with an attack?
The average downtime we see for a median sized hospital is about 18 days, 18.71 days, and that's for like a two to three hospital system.
Drex DeFord: I feel like you're really lucky if you're only down for 18 days right now, so many places that I know that are down for 30, 40, still recovering at 40 days. So,
Michael Fredrickson: Seeing potential proposed legislation to say, hey, can you recover in 72 hours? And to get from what you're talking about to there, it seems [00:06:00] like a near impossibility.
Right, right. And not to mention just what happens in that period of time. Right. Like, we see a 30% increase in medical errors if an EHR is down. I mean, how many nurses do you know that have started in the last 15 years that know how to use pen and paper?
Drex DeFord: I can't tell you how many calls I get when there's an incident from friends of mine who are clinicians at those locations who call me sometimes like literally with tears in their eyes about.
I don't know what the heck I'm doing. All the way through school there was always an EHR and now I'm not sure what to do and I'm afraid for my license, right? Because I feel like I'm taking some personal risk here. So it has the massive effect, not only with patients and families, but obviously on staff, and burnout's another big issue.
Michael Fredrickson: It's pretty remarkable. Our youngest of four children is 18 months, and she was born, February of last year. And I remember sitting there at night, my wife was sleeping. I actually asked the nurse, she's inputting, information into Epic.
And I said like, Hey, [00:07:00] just curious. Like, what would you do if that went down? And she's like, well, she's like, I'm 39. Every single nurse that's younger than me. I don't think would know what to do in this situation. Like I'm probably the youngest person on this floor that knows the procedure and what to do.
And I was just thinking in my head, I'm like, that's alarming, right? And you think about how many things, like how reliant these systems are on, not just your EHR, but just everything along those lines. And so you asked earlier, kinda what are we focused on?
One of the things that we talk a lot about is this concept of minimal viable hospital, right? And what are the core set of critical hospital operations and critical functions that need to be able to operate during these kind of adverse times, and being able to operate them until you get back to normal state.
And so for us, we're spending a lot of time like focusing on what are those critical applications, right? Like EHR and EMR. That's an obvious one, but then you think about everything else that's connected, right? Like [00:08:00] facilities management. Yeah. Like, is your HVAC operational? Like employee management, are your employees getting paid?
M365? Like, do you use that from a communication perspective? I'm sure you do with Teams and email. I mean, the list goes on. Identity and Active Directory being probably, oh, of course, one of the most critical. And when that goes down, obviously we know, losing access to just about everything.
And so, we partner a lot with organizations that, we facilitate this view of what are those critical applications and how do you build out that minimum viable hospital places like health think advisors or folks like CDW and Ahead or Accenture who we partner with really well to help build that out.
Drex DeFord: And that is a really tough thing to go through. I mean, you've got 400 or 600 applications. The people who use every one of those applications thinks their application is the most important application. So having other folks you can work with to help, right, sort through and prioritize, that's critical to the whole MVH plan.
Michael Fredrickson: It is, and obviously we talk a [00:09:00] lot with folks from IT. But there's, a whole other, set of the organization that needs to be involved to talk about prioritization of those apps and quantifying the downtime with those apps and how do we group them together?
The last thing on what we're focused on is where do we recover to. There's a complete lack of trust. When an event's happening and if we think about being able to deliver the cyber RTO within, hours or days you need to be able to put it into a clean environment.
And so, we're talking a lot about that with our customers today, is to how do you do that? How do you build it out the right way? Whether that's in a large hyperscaler, like in AWS, Azure, GCP. We have a great partnership with Rackspace, where we're building out this as a service almost.
And so being able to look at it, and we believe, we obviously have a foundational technology that allows you to not only make sure that data's there, but you know, surgically recover the data sets that are needed and know that what you're recovering is clean.
And that level of insight and having that insight within [00:10:00] seconds is the difference between, potentially being down for weeks or months as you mentioned before. So how do we, take our fundamental technology and build the MVH planning process around it?
And then how do we look at that recovery process to get back to normal state.
Drex DeFord: So when you look down the road, say six months, or six months and two years. I know you can give you a couple of benchmarks there. When you look down the road, what's Rubrik look like? What do you think you're focused on over the curvature of the earth?
Michael Fredrickson: I wish I could tell that story right now. I mentioned before I was fortunate at the start of the company back in 2016. I've been able to see the evolution of the organization from disrupting backup and recovery to being a true cyber resilience platform.
Things that are right now the highest priority and I think within the next six months will continue to be. And then as I look out beyond the next six months, couple years where I think this is going, there's no doubt that identity recovery has been the [00:11:00] hottest topic that we've had, especially this year.
I think the stat is, 90% of organizations have had identity related events in the last 12 months. Yeah. 50% experience in the last two years. And you can imagine, I mean, with the connected devices. I think it was a 240% increase in non-human identities that are, exactly, that being so, IdPs like Active Directory, Entra ID, they're a tier zero workload, right.
Drex DeFord: If you can't get the identities to work, you can't get anything else to work
Michael Fredrickson: Absolutely right. So, we started with saying, hey, we can not only protect and back up and recover Active Directory and Entra ID. But then how do we then orchestrate a recovery and automate that recovery and do it in a really granular manner within our zero trust platform so that our recovery, or at least our platform, will survive an attack itself so that not only, if they go after backup architecture for identity, will still be there.
And certainly that's critical, especially to go support this minimum viable [00:12:00] hospital. What we are transitioning to is this concept of identity resilience. So instead of just responding, how do we look at being more proactive things like, forensic tracking for kinda high risk changes.
For example, like, you see GPO modifications, could that be a sign of an active cyber attack, and how do we go in real time, or as we're protecting that workload, go alert the right folks and tools to do that.
Drex DeFord: So not only on the actions like a GPO change, but also on the individual too, who might be the network administrator.
Michael Fredrickson: That's right. Yeah, that's right. And then you look at continuous, like kind of visibility and misconfiguration. So are there misconfigurations that happen? How do we remediate that quickly? And so, this is all brand new. I mean, I'll do a little shameless plug.
We've got a healthcare summit coming up September 10th. We've got a lot of really great speakers, including, I think, you're having a great conversation with Mac Marlowe from this. I'm, it's great. Yeah, no, it's awesome. We'll get [00:13:00] into detail our chief business officer, Mike Kartosa, who's really, one of the visionaries for this cyber recovery, cyber resilience space.
That's one. And then if I look even further out, like we wouldn't be a software company if we didn't talk about AI, right Drex?
Drex DeFord: It couldn't be a podcast if we didn't.
Michael Fredrickson: I know, right? The great thing about working for a modern software is that we've been leveraging AI for years, right?
It's been embedded into how our kind of data threat engine and what we do and how we look at data on a daily basis. But I also think just larger scale, I'd love to get your opinion on this. I heard talk from the CEO of Inova Dr. Steven Jones, I believe it is, a couple months ago talking about kind of the crisis that we may see here in the future with aging population, turnover of clinicians, not enough nurses and PCPs, and just looking at this gap and how do we bridge that gap, and AI being, and AI use cases being probably the most critical thing that's gonna help us grow through this challenging piece. And probably [00:14:00] the challenge with AI is that, especially in healthcare, is the lack of resources and maybe expertise, the sensitivity of the data obviously, and who has access to it and what they're doing. And so, we've always thought about, hey, this is backup. We have all the data in an organization. How can we go deliver more value outta that data?
So earlier this year, last year we announced this product called Annapurna.
And Annapurna is the concept of being able to access multiple data sources that are protected and already stored within Rubrik to deliver and accelerate gen AI use cases. That concept of, do we really need to move that data? Could we leverage this platform as a data lake itself?
Oh, interesting. With the security and the governance already baked in, across the lifecycle of that AI app. So thinking a little bit about that. We just acquired a company called Predibase, which is in this space. Their platform is all about building, tuning and customizing new AI models.
And then you tie those things together. Literally, today we [00:15:00] announced this concept of Agent Rewind. Where if we can combine the visibility in looking at all these AI agents across an organization with the recovery capabilities of Rubrik, can we help reverse actions that may have had unintended consequences.
Drex DeFord: Ah, I love this. So this is like change control. Yeah. For AI agents. So if I was talking to somebody about this earlier today. Sorry. I'm all good. All good. You hit on something good here. It's exciting to think about we're replacing some capabilities in cybersecurity today.
Like lower level, boring, gotta go through a bunch of stuff. We're using agents to sort of replace some of that labor so that the people can go do the actual complicated, more hard stuff. But then there's the challenge of, at some point you want to give the agent the power to be able to actually take an action.
But everybody's scared about that because once you take an action, oh my gosh, it's done. What [00:16:00] if the agent makes a mistake? Right? You got a way around that now.
Michael Fredrickson: This concept of Agent Rewind. And I think, it makes sense, especially with what we do and what we've been good at, recovery, for our existence as a company and, being able to be able to recover especially if there's unintended consequences that come from changes or something that, that we didn't want that agent to do. So, a lot more to come on it. By no means am I an expert in this topic, but certainly a big part of what we'll talk about in this upcoming summit.
And then, really around the roadmap of where we're bringing this organization.
Drex DeFord: That's exciting. I wanna ask you one more question. Sure. And this is the one that is, I don't think it's a gotcha question. It's just a really interesting question. I think we all struggle with.
So, every healthcare IT leader hates being sold to, right? Sure. But we're also in this world where nothing happens without partners. Nobody can do all this stuff on their own. You need to have these great partnerships to get the job done. Tell me about the culture you're building at [00:17:00] Rubrik that helps make that teamwork.
Don't feel like I'm being sold to all the time. Tell me about the culture you're building to make that a reality.
Michael Fredrickson: Yeah, that's a great question. Yeah, and part of my org is a team of, we've got 25 account executives across the US supporting, the largest health systems in the country.
Drex, have you heard the concept of seller's deficit disorder by chance? Tell me. So we talk about it a lot at Rubrik, not just in healthcare, but it's this notion that kind of most buyers have a really negative connotation of salespeople, and it's probably based off of past experiences where they felt, like you said, they're being sold to, they don't understand their business. They don't listen to their needs, and there's all kinds of issues that come from it. Everything that we do is to try to make that a misconception, especially working with us.
And we try to from just what we require is we do a lot of homework. We try to understand the market. We try to understand the population that our health systems are serving and the financials, what's the payer mix? And so we understand sort of what are the [00:18:00] constraints that are going on the clinical services that are offered.
Like we try to really understand the business and what our customers are going through. And then you met, Josh Howell, who's our healthcare field, CPO. Yes.
Drex DeFord: Yeah.
Michael Fredrickson: He spends a lot of time educating our team on just, healthcare in general and the system and how it works.
The macro trends that are impacting kind of the stability of the system. Specific applications that are consistent, whether you're rural hospital or an AMC or a children's hospital for-profit, not-for-profit. You get it. Like we, we want to make sure that our team really understands the business.
And so it's really teaching empathy in a lot of ways. So to make sure they understand like the conundrum and the pain that most healthcare IT folks go through right now. Yeah. I start my team call with the same mission statement for my team and it's about we want to empower all health systems to quickly recover and safeguard patient data, deliver uninterrupted patient care and uphold resiliency in the face of cyber threats.
And that's like, that's what I want my team to think about. Because it's customer first. It's not [00:19:00] about Rubrik and our product and selling it. I think this manifests itself in a couple different ways, but one of them is like just recently we had to reeducate our team on a lot of the financial problems or trends that are negatively impacting all of our customers.
Everything from changes in payer mix to reimbursement rates to higher costs of care, labor shortages, regulatory impacts. And so it's harder and harder for our customers to go justify, like, how do you go sell new software into that environment?
Like it's hard to do that. And if it's hard for us, it's really hard for our customers. And so, we try to partner with them and give them the tools to go justify, how do we go consolidate multiple different technologies into a single platform to drive cost savings.
Can we show a 25 to 30% lower TCO with this platform? Josh has built an impact calculator that I think is maybe the best and most detailed view of what the cost of a ransomware event would be and we can actually mirror [00:20:00] that with, Hey, what does this look like if Rubrik was in place?
Drex DeFord: He showed me that, and I'm in love with it.
I have a little crush on it actually.
Michael Fredrickson: It's incredible. And I think we've vetted that out with chief risk officers, chief financial officers who actually tell us that we're light.
Like, hey, this is, we're showing you $165 million impact, both short term and long term, to this potential event. And they say, hey, our calculations might be 10 to 15% more than that or whatever that might be. Mm-hmm. Mm-hmm. Um, we're not trying to oversell or anything like that.
We just wanna arm our partners within these organizations with the tools that they need to go stand up to the CFO or CEO or board of directors. And so that's kinda the culture we're trying to build, is put our team in the shoes of healthcare IT professionals.
And if that's ever not the case, if anyone's listening and that's ever not the case for my team, please call me, please send me a message. Because that's how we wanna operate. So,
Drex DeFord: I like it. It's the starting the meeting with the mission statement. And the mission statement for you isn't about the tech, and it's not about selling the tech, [00:21:00] it's about solving the problem for the customer.
And you actually punch that mission statement all the way through to patients and families, which that is the deal that we're involved in.
Michael Fredrickson: Yeah. Yeah. Well, and we appreciate partnering with folks like you and This Week Health and being a part of these 229 events and the city dinners because we end up learning so much.
There's a lot of folks at Rubrik that want to be involved and learn, and we bring a lot of those learnings back to our team, our product team, our partnership teams to try to make sure we're doing better for our customers. And I think that's what it's all about is to facilitate that learning and continue to get better. So,
Drex DeFord: yeah. Mike, thanks for, thanks for being on the show today. I really appreciate it. Hope our paths cross soon on the road somewhere.
Michael Fredrickson: I hope so as well. Thanks, Drex.
Thanks for listening to this Interview in Action episode. If you found value in it, share it with a peer. It's a great chance to discuss the issues and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. If you can do that, that'd be great.
Thanks [00:22:00] for listening. That's all for now.