November 1: Today on TownHall, Aubrey King, Solutions Architect for F5, has a conversation with Gary Newe, Vice President of Product Management at F5, about security for what has become the standard form of web communication: APIs. What are his team's top priorities at the moment and looking into the future? Why are patient portals so important to the conversation on API security? What other emerging technology does he see becoming useful for security going forward?
Sign up for our webinar: Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care - Thursday November 3 2022: 1pm ET / 10am PT. https://thisweekhealth.com/cyber-insecurity-in-healthcare-the-cost-and-impact-on-patient-safety-and-care_cybersecurity/
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Now APIs are easier to deploy and easy to build. So now the difficulty is not, how do I secure my APIs? It's, well, how do I know what APIs I have, and how do I know what data is traversing those APIs?
So the problem just gets bigger and bigger.
Welcome to This Week Health Community. This is TownHall, a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5, in partnership with Sirius Healthcare, for investing in our mission to develop the next generation of health leaders. Now onto our show.
Hello and welcome. I'm Aubrey King with DevCentral, F5's community resource site. I'm here today with Gary Newe, Vice President of Product Management, and we're here to talk a little bit about our views on the healthcare operations perspectives today. Gary, how are you doing today?
I'm well, Aubrey. How are you?
I'm doing fantastic. Thanks. I'm gonna be watching some football tonight and really can't complain.
Well, the Seahawks lost yesterday, so I'm pretty upset about that.
Well, there will be other Sundays. So, I guess for the viewers, could you tell us a little bit about what it is you do day to day for F5?
Sure. Thank you. So I've been at F5 for about 15 years, but I've worked in cybersecurity for well over 20 years, starting from, back in the day, configuring firewalls all the way up to today, where we're building security products for our customers. And that's my passion.
My passion has always been cybersecurity. I think from the moment I saw the movie Hackers, I think it was 1995 or '96 when it came out, that was like, that's what I wanna be. Never mind the rollerblading, never mind the cool haircuts, 'cause obviously I have no hair. But that's what I wanted to be. I wanted to do something in computers and cybersecurity, and here we are.
Fantastic. What would you say your team's top priorities are at the moment?
Sure. Yeah. So, my team works in the distributed part of F5, where we're kind of building some new areas for our customers and expanding how they can become more secure, but do it in an easy way and do it in a more effective way.
And one of the big initiatives we've worked on this year is what we've called One WAF, which is actually taking our web application firewall solutions and combining them into a more easily deployed, easily consumed service for our customers. And that's important because security only works if it's deployed.
And there was a time, if you wanted to deploy proper application security, you needed a degree in application security. And the last I checked, I don't think there's any schools offering degrees in application security. So it's quite difficult to build this effective security into your organization.
Never mind then, now we have to deal with DevOps and containers and agile development and everything like that. It's becoming more and more complex. So we're trying to simplify that for all of our customers and everyone who wants to look at an F5 product.
That makes great sense to me. I mean, if you take a look at the long-standing pedigree that F5 has had with WAF, and then you take a look at some of the newer WAFs that have found themselves in the portfolio via acquisition of late, it really makes sense that we would bring our deployment mechanisms together and work towards central management and things of that nature.
What would you say would be kind of the next things that your team are looking for? What would you say is kind of the future for what you're looking at here?
So before I answer that question, just, you mentioned that we've been doing this for a long time, so we actually have been doing web application security for almost 20 years.
Okay. That's two decades. Like, that's a long time. That's almost as long as my oldest child has been on this planet for, so it's nothing new for us. But the next step has to be focusing on API security. APIs, as we know, are a huge part of life today.
We might not know it, but if you open up an app on your phone, you're using APIs to communicate with the back end of that. Okay. So they are becoming the, well, not becoming, they're the standard for web communications now going forward. So it's not just a webpage that you use, it's a combination of APIs to deliver all that information to you.
So we need to build a way, kind of following the One WAF mindset and simplification goals. We need to do something similar with APIs.
When you say 20 years, I'm wondering, could we clarify what that means? Is that going back to the MagniFire acquisition, or do we go back even further and talk about iRules being used for zero-day exploits in HTTP streams?
Well, you could go back even further to iRules and everything like that as well, but it was about 20 years. It was actually 19 years ago, I think, when F5 acquired MagniFire, which was one of the first web application firewalls in the.
So a couple weeks back, I was talking with a couple of solution engineers here at F5 because some of my counterparts and I went to Black Hat.
And one of the things that we found there was that the hot topic, by far the hottest topic, at Black Hat this year was API security. Not even web app and API security, but API security. And it kind of boggled my mind seeing all these new companies that you've never heard of out in the forefront saying, we're leaders in API security.
And it's interesting, we wanted to calculate how long F5 has been in the API security business, and what it came out to is 15 years. I mean, if you go back to, what was it, TMOS 9 24 or something like that, when we introduced an XML firewall to the world. That was really, for me, when I feel we started going out to our customers explicitly saying API security is a thing.
It's something that we really need to take account of and to make sure that we are defending in the same ways that we're defending our websites. So since we're here talking about healthcare today in specific, would you say that API security is one of those hot topics for healthcare today, one of the things that they should really be keeping an eye on?
Oh, absolutely. So I mean, if you think back to when we had that XML firewall, it was a pretty simple matter to secure that. You would upload your WSDL, which is a web services descriptor language file that was spit out of your IDE, and you would put that on the WAF and you would be protected.
It would only allow everything that was on that. But typically back then, APIs were really only used for either configuring things or for maybe data exchanges, small data exchanges between systems. They weren't as ubiquitous as they are now. Now, if you look at kind of any environment, it could be healthcare, could be communications, could be cars, could be anything.
But you've got all of these different devices communicating to each other over APIs. So if you take a healthcare situation, you're probably gonna have your PACS systems for digital imagery communicating via APIs, maybe to your patient information system. You may have other systems within the environment communicating with it as well.
You could have doctors' offices communicating via APIs to, maybe, the hospital system that contains some patient tests or things like that. You have got outsourced laboratories who are performing blood tests and things like that. So all of this data is transferred via APIs. So it is critically important to secure that.
And I don't think anyone listening today would deny that fact. I mean, it is absolutely critically important. But the issue is, now APIs are, let's say, easier to deploy and easy to build. So now the difficulty is not, how do I secure my APIs? It's, well, how do I know what APIs I have, and how do I know what data is traversing those APIs? And that's become a big issue. We've seen the growth of shadow APIs in customers. That's a term that we're starting to use to describe these APIs that may be functional, but they may not be sanctioned. Or they may be sanctioned, but maybe you just don't know what endpoints they're running on.
So the problem just gets bigger and bigger.
We'll return to our show in just a moment. I wanted to take a second to share our upcoming webinar: Cyber Insecurity in Healthcare, the Cost and Impact on Patient Safety and Care. Cyber criminals have shut down clinical trials and treatment studies, cut off hospitals' access to patient records, demanding multimillion dollar ransoms for their return. Our webinar will discuss IT budgeting, project priority, and in-distress communication, amongst other things, to serve our patients affected by cyber criminals. Join us on November 3rd for this critical conversation. You can register on our website, thisweekhealth.com. Click on the upcoming webinar section in the top right hand corner. I look forward to seeing you there.
I would think that the average person watching this video would think that things like the patient portal would be the hotspot to watch to make sure that there are no breaches. Now, would you say that defense of patient portals is probably also still a hot topic insofar as the healthcare industry is concerned today as well?
Absolutely. I think most people, myself included, when you think about protecting applications, the first thing is the portal. What does the consumer use, or in this case, the patient, what does the patient see? But you've got multiple portals. You've got the portal for the patient, you've got the portal for the provider, you've got the portal for the contractor, you've got the portal for the equipment manufacturer, maybe.
So there's lots of different areas where there could be potential breaches or issues. But the portal is very important. And I think that the difference between portals before and portals now is that a lot of the time, the portals now are made up of APIs as well.
So you've got a situation where, if you are looking, you open your, let's say the one I'm familiar with is MyChart. I open up MyChart on my phone in the app, and it's pulling information from different systems. I can see it because I kind of have a view and I understand kind of how these applications work.
But to the untrained eye, it just looks like a webpage in the application. Clearly it's not. So you do have to provide protection on that, because that is one place where the data can leak. But I think, with the growth of these different data exchanges between different systems, it's probably easier to steal data there than it would be to go through the portal.
It's like back in the day when we were talking about web application firewalls versus firewalls. A lot of the attacks before everyone had firewalls were at the firewall level, were at the port level. They were maybe trying to exploit Telnet, or trying to exploit maybe an open TCP port.
You put a firewall in, that's gone. Well, the next level of exploiting is the web application. When you put security in there, that's locked down. Well, the next part is APIs. And if you look at any of the, you know, if you go to Substack or Medium or any kind of websites like that, you'll see how-tos on how to kind of profile and bypass protections for applications.
But the first thing is, try the website. If that doesn't work, right, probe for an API. That's the next step, always. If that doesn't work, try the mobile application. It's literally website, API, mobile application. And that's the order they will try to penetrate any websites or penetrate any applications with.
Well, okay. Anything else come to mind that might be pertinent for our healthcare discussion today, Gary?
Well, I think, to security in general, I think it's worth looking at the area of machine learning. And it's a buzzword, and a lot of people will say machine learning, and it's like, oh, I've got machine learning picture frames, I've got machine learning water filters.
I mean, come on, like, that's not real machine learning. But there is genuine value in putting machine learning to use in something, particularly around security, because first of all, you can get rid of a lot of noise. Machines are much, much better at removing duplicates and getting rid of unnecessary, or just a barrage of, maybe logs or analytics that you might not need to deal with, and then surfacing up the critical things that need human interaction straight away.
I don't think we'll ever get to a stage where everything will be machine learning only. I think that the best way we've seen it done, and we use it at F5 as well, is that we use machine learning, but then we have a human touch on top of it. So anything that the machine doesn't identify, we have humans come in and kind of look at.
And I think that's probably the way it's gonna be for most people out there, if they can take advantage of something like machine learning just to make them more efficient. We're not getting bigger security budgets. Security skills are very, very hard to find. So why not remove all the barriers and help your security be more efficient and do the job that they want to do? I mean, people in security, they're passionate about it. They're not in it for the kudos or anything else. You're in it because you're passionate about it, passionate about making the internet a safer place. So let's kind of adopt some of these tools to help them do a better job.
I would definitely have to agree with that sentiment, Gary. That's one of the things that we heard echoed at Black Hat as well. We had one of our partners say machine learning is absolutely fantastic, but it just can't quite cut the mustard next to human learning.
That's the same. I mean, in medicine you hear about these machine learning algorithms that can scan images quicker than doctors and stuff like that, to a point.
But you still need the decades of experience that our surgeons and specialists and doctors have to look at those images and kind of create the full diagnosis and see the whole patient, rather than just a slice of an image at one particular point in time.
That is a fantastic way to put it, Gary. And with that, I'd like to thank you for your time today. It's always great to see you.
Awesome. Likewise.
And thank you to the viewers as well. You've been watching DevCentral's interview with Gary Newe from F5 regarding healthcare operations perspectives. Thank you for tuning in and have a great day.
I really love this show. I love hearing from people on the front lines. I love hearing from these leaders, and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5, in partnership with Sirius Healthcare, for investing in our mission to develop the next generation of health leaders.
If you wanna support the show, let someone know about our shows. They all start with This Week Health, and you can find them wherever you listen to podcasts. There's Keynote, TownHall and Newsroom. Check them out today. And thanks for listening. That's all for now.