In this episode of the HIPAA Vault Show we delve into the transformative power of digital technology in healthcare through effective API management. Discover how leading healthcare providers like Flex Digital Health and Rush University are leveraging platforms like Apigee to enhance patient outcomes and streamline administrative efficiency.


Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!

Transcript


Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zenerdine, joined as always by Gil Vidal. Hey, Gil. 


Gil
Hey. Happy bitcoin halving to you, and good to see you again, Adam. 


Adam
Happy bitcoin halving and Happy Friday. We record this a week early, so hopefully all is well a week in the future. I’m sure it will be. Excited to get started on the topic for today. Gil, before we dive into the topic, I just want to mention that if you’re interested in our weekly breach of the week segment, we’re going to be reviewing it towards the end of the podcast. But a little bit of a teaser. It’s about a new ransomware attack on one of Michigan’s, or rather Michigan’s largest, public health centers. So stick around until the end for that. And our main topic for this week is embracing digital transformation in healthcare with API management. So we’re going to be talking a lot about APIs today. Gil, how would you like to get started? Should we maybe define what’s an API or. 


Gil
Yeah, I can start with that. So the API stands for application programming interface. And the way I like to explain it to our audience is not all of our audience is technical. So the API is glue between software platforms. So you can have some software over here on the Internet and some other software, they’re not related, maybe they’re owned by different companies usually, and say, well, how do they talk? Well, that’s what an API does. It forms a tunnel, so to speak, between two software platforms, and they can send data and communicate with each other. So it’s a very powerful concept to have these APIs, and it can solve a lot of problems. 


Adam
Yeah. And if you’re watching on YouTube, this is more for your benefit. I’m just pulling up, again, a diagram of what an application looks like before APIs here. 


Gil
So we’ve got a spiderweb. 


Adam
Yes. Yeah. Obviously it depends on the number of connections, the number of different functionalities, how many applications that the customer is using. But you can see here on the left is the customer, and then on the right is all the applications and services that the medical center healthcare provider is hosting that is running. And then you’ve got a developer that is, you know, it says easy here, but it’s far from easy for the developer to keep up to date with the connections. But yeah, that’s just kind of like an overview of what it looks like without the API. And then we could probably run into what it looks like when you start implementing API gateways. So you got more of a streamlined setup here where you’ve got a gateway that allows for better management between the different services. 


Gil
Yeah, it seems it’s more organized. And you’re talking about the lifecycle management of an API that from the concept of, hey, let’s create a tunnel between these two applications to managing that. And eventually that API is not needed anymore. So they talk about lifecycle management like you do for a fleet of cars or software. Everything typically has a lifecycle. Nothing lasts forever, as everybody knows. And so Apigee and APIs have a lifecycle too. So it’s really cradle to grave management. And this is a pretty diagram. It kind of just shows you from a high level how you can simplify things and make it more straightforward. And the buzzword that everybody in this industry loves to use is integration and interoperability. Interoperability is that buzzword. It’s really a big word. And technology came out like five years ago where everything can talk to everything else. 


Adam
Yeah. 


Gil
And that’s kind of what this diagram is showing. It’s like, let’s make it easy to talk to everything else. Let’s not make it complicated and convoluted. 


Adam
When, let’s say I want to upload a file to Google Drive, take the file, drag it and drop it into Google Drive. That would be a very simple interaction between two applications, in a sense. My computer application, my local application, and then Google Drive. But then APIs are more complex, is that right? 


Gil
Yeah, I like the way you’re describing that. So what you just described is really important, right? Because people want to manage their desktop easily. They don’t want to have to hit ten buttons to grab the mouse and drag a file and let it go. It’s like magic and you see the file up. But I still like doing that. That is a great optimization for productivity and everything, but that, if you notice, in that case, yes, it is. From your desktop to the application with APIs, it’s like what you just described, Adam, but it’s happening behind the scenes. There’s no human involved. It’s happening between one program and another program. 


Adam
And there’s like if else kind of conditions as well that you can put in place. Right? So. 


Gil
Yeah, yeah, right. So you could have, let’s say you have your Cerner or your Epic, you know, your favorite EMR, and you’ve got some other payment system or some kind of billing application that needs to interface with your EMR. Well, those are two software applications. So when you go to your favorite EMR that you use, it probably uses an API to contact, or your billing contacts, your EMR. Through this API, it makes a tunnel and it can go and retrieve the information, do it in a secure way, come back, feed that into the software, and that’s really what the APIs are all about, and that’s how they can be used to make things very efficient. 


Adam
Yeah, it’s really interesting stuff. We’ve got a couple of case studies that we could look at maybe to explain the use cases for this a little bit more. I’ll pull up the first one, which. 


Gil
Is. 


Adam
From Google’s Apigee and a large company called Flex. If you’re not familiar with Flex, they’d be the right, health monitoring. Health device monitoring, Gil, or. 


Gil
Yeah, I think so. Yeah. Because they sell sensors, I think, too, don’t they? 


Adam
Yeah. 


Gil
Yeah. 


Adam
So they’re well known for their bands, which you can, you know, wear to track your fitness and keep up to date with your fitness goals. And then they also do more enterprise level things, like for hospitals, they’ll create custom devices, like under the skin monitoring devices and things like that. And they use Apigee. And this is an interview with the CEO, I believe. And they said, we know that Apigee can handle large amounts of transactions per second, and it’s able to do that in a secure and reliable manner. So it speaks a little bit to, I guess, their requirements when it comes to scale and security. And then the second one is Rush University Medical Center. And they also use Apigee. 20,000 API calls per month in eight months since they launched. 


Adam
And the main benefits that they found is they were able to encourage the adoption of a newly launched mobile app called My Rush. With the API enabled services, they use 250 analytics variables for enhanced customer experiences. They’re able to free up their IT’s focus more to deliver apps rather than managing APIs, which is, I think, a common requirement that we see from customers that are looking to set this up. Right, Gil? 


Gil
Yeah, and I think it’s interesting. You mentioned how many different calls they’re doing per month, and they have this app, you call it the My Rush. So in this case, it could be. I don’t have all the details here, but it sounds to me like there was an opportunity to take this data that Rush had and then, through the app, make it available to their constituents. I don’t know who those are. Medical professionals, patients, students, whoever it is, they were able to take this through the API, distribute it to all these smartphones. And essentially that could give them the opportunity to either monetize the data they had sitting there for years, and now they figured out a way to get it out there. 


Gil
Or if they’re not charging for it, if it’s freely available, then it’s still leveraging all this rich data they had at Rush and being able to get it out very efficiently, very quickly and very securely using Google’s Apigee API interface. 


Adam
Yeah, I like this quote from Dr. Shafiq Rab, who’s the senior VP and CIO: “I love APIs because they put power in the hands of people who need information so they can act upon it anytime, anywhere, in any way. Patients, families, providers and students are getting and giving better care thanks to APIs.” Let’s talk a little bit about the security aspects, because obviously we’re all about HIPAA and making sure that whatever’s hosted in the cloud, whether it’s servers, services, API management tools, they stay HIPAA compliant. 


Gil
Yeah, the security is pretty good. I was just going to mention that for threat protection, Apigee includes protection against SQL injection attacks, cross site scripting. The API is well protected. And you can also define your security policies around your APIs. You can define to a certain extent what your security policies are going to be so that they’re robust and they fit your organization’s needs. So that’s a pretty good feature they have. For example, you could require that OAuth be used for authentication. When your API connects to the endpoint, wherever it’s going to, you have to use some kind of OAuth and you have API keys. The keys, are we talking about keys? We mean private, public keys where they sort of have to match. And so that makes it robust to have authentication that’s not password based. It’s not, oh, I got your password. 


Gil
I’m going to type that in and then the API is compromised. The keys are something you have in your possession. It’s not just something you know. So that makes it secure as well. 


Adam
And seeing data masking as well is also a cool feature. So it automatically allows you to mask sensitive data fields, which is something really important for HIPAA. Mask the sensitive data fields in API requests and Apigee will handle that for you. 


Gil
Yeah, that seems very useful. Like you said, in the HIPAA context where you don’t want to reveal and have in plain text all that sensitive data, you can mask it. That seems very practical to me. 


Adam
Yeah. And then the other one that stood out was bot detection. I confess, I don’t 100% understand this, but I have seen bot detection come up as something important when it comes to firewalls as well. So it seems like they’ve already incorporated that into the API to detect. 


Gil
The bots are used a lot, Adam, by the bad actors. By bad actors, we mean the hackers. It’s another term for the hackers. So what they do is that the bad actors can launch bots to do their reconnaissance and their surveillance, and they’re out there pinging APIs, firewalls, laptops, cameras, I mean, you name it, they’re out there just kind of trolling and scanning the Internet. So what they’re saying here is that if a bot comes around and starts to scan this API, it has some measures to counter that and thwart that bot scan. So that’s a good feature to have. 


Adam
Yeah. I’m visualizing like someone knocking at my door and me not having a ring camera or something like that in front. Maybe if I’ve got the ring camera, I can just take a look and see. 


Gil
Yeah. Yeah. 


Adam
So you want to answer or is it someone unsavory? 


Gil
Yeah, you’re not welcome, unfortunately. You know how it is, the Internet. Most of the traffic is unwanted, unfortunately. Right. It’s garbage and it’s evil traffic. And you need to get, you’re trying to really filter through and get to the good stuff, the good traffic that you do want. 


Adam
The different API management solutions that Google has, I mean, they have quite a few different tools. And this diagram here is, it’s a decision tree. And the first question it asks is, where do you want to run your services? So if it’s Google Cloud, then it would be these options, and then if it’s hybrid, on premise, multi cloud, then it’d be on the right. And then it asks, so you’re in Google Cloud. Do you need a fully managed service to package serverless functions as REST APIs? If yes, then API Gateway is the product that you should choose. If you want a customer managed service, so you’re managing the service yourself to run co-located gateways or private networking. 


Adam
Then Cloud Endpoints. And then Apigee comes into play when you want to be able to build, manage and secure APIs for any use case at any scale. So this seems like the big daddy for the large kind of applications where you’ve got, like we saw before, hundreds and thousands of different APIs to manage with Apigee. And then you’ve also got a hybrid approach to Apigee which allows for multi cloud and Google Cloud applications, which is called Apigee hybrid. So there’s a lot of options developed by Google Cloud there. 


Gil
Yeah, I would comment on the Apigee X. I think when they talk about scalability, certainly you can have a lot of APIs, but primarily I think what they’re referring to is if you have a lot of transactions going through your API. So let’s say you have like that one article you showed us a second ago, they have thousands per second or hundreds per second. That’s a lot of transactions flying through there. And if you try to create this on your own, using your own virtual machines in your favorite cloud, let’s say you’re an AWS guy and you’re going to use that, but you try to create all this on your own, you’re not going to scale as well as the infrastructure that’s built for this from the ground up. So in Google, this is a great way to scale. 


Gil
So you don’t have to worry if your business grows or you have a popular application, you’re going to be able to handle the load here. So I think that’s pretty good. You also have data visualization where you could see in graphical format all the transactions that are going through the API. You’re going to be able to see the load. What time of the day did you get the most API traffic? What’s your load? 


Adam
Yeah, here’s some like dashboard kind of features to back up what you’re saying. 


Gil
Right. 


Adam
Traffic error rate latency you can dig into. It gives you like that kind of high level console dashboard view. 


Gil
Yep. And that’s important when you’re trying to optimize and figure out where’s your traffic coming from and where’s it going to. You need to have these kind of dashboards. 


Adam
Okay, moving on to our breach of the week. So our breach of the week is a ransomware attack on Michigan’s largest FQHC, reported by the HIPAA Journal. Cherry Street Services, Inc., which operates as Cherry Health, fell victim to a ransomware attack in December 2023. We’re just finding out about it now. It’s the largest federally qualified. So that’s what FQ stands for in FQHC. Largest federally qualified health center in Michigan with 20 healthcare facilities in six counties in the state. The review of the affected files was completed on March 25 and confirmed that PHI was exposed in the attack, including names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers. Yep. Social Security numbers, amongst many others. Too many to list. They’ve offered to the 184,000 individuals, they’ve offered. 


Adam
They always offer identity theft management and identity recovery services. 


Gil
I think I saw you laughing when you said that. You’re right. They all offer the same thing. Like, we got to monitor your theft of identity. If someone stole your, if they stole this data and now they’re trying to apply for a credit card, let’s say, so they have your data, but that’s typically why they offer that. I guess someday it would be unique if we saw, hey, and they’re offering you a Mercedes Benz compensation for this. That would be kind of unique. 


Adam
Yeah. I don’t know, I guess I should apologize for laughing, but you get a little bit jaded after you see so many of these breaches. 


Gil
Yeah, we’re numb. I think I can speak for myself and people that I know that they’re kind of numb to this because it’s so frequent now that it’s a bar. Every week you have this major breach of the week. It’s crazy. 


Adam
Yeah. Third party cybersecurity specialists were engaged to investigate the incident, and they determined that unauthorized individuals had accessed certain files on its network. Is that also, do you think. I mean, it’s difficult to tell, I suppose, but is that going to be something to do with, like, a remote connection, or what do you think that means? Unauthorized individuals accessed files on its network? 


Gil
I mean, normally when you say wrong people. Yeah. It typically means that there’s somebody. It seems to indicate there was a hack. But it’s interesting because, as we’ve talked about in other podcasts, it doesn’t necessarily mean there’s some guy with a hoodie on in the attic that hacked. And it could have been an employee. You never know. So it could be an employee, a disgruntled employee, for example. That’s a typical one where they’re mad, they got let go and they’re disgruntled. They have access still because the company forgot to let them go, forgot to remove their access. Or it could also be one department crossing over to the other department where the employees have access, but they’re not supposed to be accessing the data unless they’re doing work, filling out a report. 


Gil
So it’s unauthorized because they’re not supposed to be in that data all the time, and they decided to take that data. So it doesn’t always have to be a shady character. It could be somebody who works for the organization, but we don’t have enough information to tell. But either way, somebody got a hold of the data, whether they were an internal rogue employee or whether they were from the outside. Either way, they got the data and they leaked it out. They leaked it out. They sold it, or somehow they posted it somewhere. And now that they did that, the data is out there. All that information that’s private is out. 


Adam
There, but they’re offering identity monitoring. 


Gil
There you go. There you go. 


Adam
All right. I think. I think that’s it for this, for this episode of the HIPAA Vault. 


Gil
I think this is going to turn into the comedy. It’s going to be turned into, like, the HIPAA Vault, bitcoin slash comedy show of the week. 


Adam
Yeah, you heard it first, ladies and gentlemen. Okay, so, yeah, if there was anything in that content, whether it was on API management or the breach that you have any questions on, or you just like to reach out and give us some information about your experience with APIs, then do let us know. You can reach out to us by email at podcasthip. All please, like, share and subscribe. And until next time, thank you for stopping by.