Payatu > Can you tell us about your role at Medly and the journey so far?
Shirish > I joined Medly around a year and a half ago as a Principal Engineer. I was the first hire in the security domain. Before that, we did not have anyone specializing in or focused on security. As I happened to be the first security-focused person, my job was to build a security team, but with a different focus in mind.
Typically, you see that security teams are these smaller, isolated, siloed teams who will come in only when there’s something wrong. Since my experience was in development (as I was a developer for a long time), I knew about the problems that developers face when there is a separate security team.
So, we wanted to have this guardrail philosophy, where you have checks in place so that, as long as you do not do anything too drastic that can put the security of the company in jeopardy, you’re free to move in any lane. What this means is that you don’t have to come to the security team for every small thing. It’s only when you need guidance that you come to the security team.
This is the kind of culture we wanted to build at Medly. And that is also the reason we at Medly embrace the whole concept of DevSecOps and why we work well with the platform teams, product teams, infrastructure teams, identity teams, etc. We work with all these teams and embed ourselves into the core security delivery pipeline.
We do have some people that focus on penetration testing or end-to-end testing, but in our day-to-day work, we embed ourselves in the entire security delivery pipeline.
Starting with just me, we are now a decently sized team consisting of cloud security specialists, application security specialists, and penetration testers. We are in the process of hiring people in the field of auditing and certification. And so far, it has been an amazing experience!
We’re getting some really good feedback from everybody. Product teams feel we are enablers of security, not the owners of security. Each team individually is the owner of the security, and we just provide tools, techniques, and some efforts to make them owners of security.
Payatu > Can you educate our community about the importance of cybersecurity?
Shirish > It has become much easier to convince people of the importance of security, especially now that mainstream media covers a lot of security incidents, such as those at governments and at big companies like Facebook and Amazon. A lot of these companies spend billions of dollars on security and still get hacked. So, now people understand the importance of cybersecurity, and executives understand the importance of security.
Having executives who already know the importance of security helps a lot. Especially at Medly, we have a CTO who really believes security is one of our top priorities. Every product needs to have security built in, because we handle a lot of patient and healthcare information.
Having an executive sponsor who already understands this is helpful, but, yes, mainstream media has helped a lot since they started covering these security incidents in bigger companies.
Payatu > Being a digital pharmacy, what are the security frameworks that Medly follows?
Shirish > Since we work in the healthcare domain, and healthcare is a heavily regulated industry in the US, we need to be HIPAA compliant. One of the problems with HIPAA is that it is just a collection of standards/controls. There is no certification that you can do, and there is no HIPAA stamp you can get for your applications.
There are a few other certifications you can get that will get you closer to HIPAA. One of the base-level certifications is SOC 2, which we are aiming to achieve. There is also a more detailed certification called HITRUST, and that is another thing we are looking at.
Payatu > What are the top 5 things that digital pharmacies should look for when deciding on an external security assessment provider?
Shirish > The only thing different about pharmacy companies is HIPAA.
So, the understanding of HIPAA is definitely one thing that such companies should look for in a security vendor.
The way you handle data, what is considered PHI (protected health information) and what is not, shows this understanding. If the vendor already knows about these things, they can specifically look for these things, so that’s one point specific for healthcare companies.
Having said that, for any security partner, being agile is really important. Considering the product stages you go through, there are changes being deployed in production every week. You need a partner who can cope with that.
If the vendor is going to say you will need to define all the requirements up front and then you cannot change them for three months, that is not going to work in this very fast industry. So, you need partners who are agile. They should not hold you back from going faster, right?
Next is that we want partners who are outcome-driven, not output-driven. The difference is that just having a report that lists 10 vulnerabilities is not important. What is important is whether you can identify the impact of those vulnerabilities on our business.
I can just run a tool and then get that list, but what I’m looking for is somebody who can understand my domain, understand the vulnerability, and then make a connection.
The impact that they have on the business is what makes them stand out.
The next one is quality, and again this is important. One of the reasons we came to Payatu is because the previous vendor we used to work with would always share reports that were of really low quality. The reports would look like they were just a developer’s notes or a pentester’s notes.
We used to get a report as an Excel sheet or a text file that wasn’t useful for security teams, and it wasn’t useful for developers as well. They wouldn’t know what to do with Excel sheets, or even how to exactly fix these things.
That’s why having the CVSS score written properly, having the attack vector mentioned properly, and having the remediation written properly becomes of prime importance.
The next two are not necessarily must-haves but something I personally look at.
One is the range of services a partner can provide. For example, today I need to get a pen test service, but tomorrow I might need a cloud assessment, an IoT assessment, a compliance-related service, or a red teaming service.
If there is a wide range of services offered by a single provider, it just gets easier to do these from a logistics perspective. So, you have one vendor that can do a lot of these. That’s also why I like Payatu. It has this wide range of services.
And finally, this is my personal favorite: community involvement. I mean, of course, I understand companies are there to make money, but are they helping the community to grow? Are they contributing back to the community? Am I learning something from them?
And that’s another reason I like Payatu. It’s because they have been involved in the null community a lot. I personally have learned a lot from the leaders of this company.
The last two things, range of services and community involvement, aren’t necessarily must-haves, but they just make life easier for you.
Payatu > Can you tell us about the significance of a robust security infrastructure for securing digital pharmacy platforms?
Shirish > As I mentioned earlier, we work in a highly regulated industry, so you need to follow the rules; otherwise, one, you obviously lose the trust of customers, and second, there are legal penalties as well if you break the rules.
That’s why it’s important to have these regular assessments or have a security partner who can help you throughout different types of assessments. Be it pen testing, be it auditing, or be it compliance, having a partner that can help you build a robust security infrastructure is highly crucial when you’re in a regulated industry like healthcare or payments.
Payatu > Do you think there is a need to modify the security policies in the pharma industry? Can you comment on any specific policy?
Shirish > Oh, yes, definitely!
I’ll give some examples. Whenever we want to partner with a vendor, or they want to partner up with us, we typically get a questionnaire with a list of questions from the IT team or security team. A lot of times we feel these questionnaires are outdated, and I’ll explain why.
For example, we use cloud and serverless technologies. Now, most of these questions are still designed as if you are a data center operation. They go like: Are you physically locking your servers? Are you patching your servers regularly?
These questions are totally irrelevant in the context of serverless and cloud technologies. In serverless you don’t manage the server. AWS, for example, manages operating system patching and everything for you, so that immediately goes out of scope. Hence, these questionnaires are not designed for the cloud world.
When we are working in the healthcare industry, integrating with systems that were designed in the 80s or 90s, their age shows up right there, and you can say that the protocols are outdated.
So, yes, many updates need to happen in the healthcare industry in general and in terms of security; now, in the world of cloud and serverless computing, policies need to be updated.
Payatu > What is the significance of integrating security into the delivery pipeline for organizations in the pharmaceutical arena?
Shirish > I am a big proponent, or a promoter, of DevSecOps. I have given talks about how to integrate the whole security thing into your CI/CD pipeline. The biggest help I see, especially in this regulated industry, is that you can codify your compliance.
For example, you have a compliance requirement that all the data should be encrypted at rest. Now, if you integrate this into your CI/CD pipeline, if your tests pass, you are compliant, even if you have hundreds of databases. The day the test breaks, you know you are not compliant.
You can now put those tests into the product pipeline and say, the day this test breaks, you cannot deploy to production because you are not being compliant. And that is why it is important to have all security checks and security testing done as a part of your CI/CD pipeline.
Payatu > How does Medly bridge the skills gap between the existing in-house security team and industry best practices?
Shirish > There are a couple of things we do. One is external training or attending conferences. It is a good return on investment.
The internal-facing thing is since we have people with different skill sets, we pair them up. For example, we have a person who specializes in pen tests, and we have another person who is a cloud security specialist. We ask them to pair with each other and they will learn from each other. So that is the cross-skill enablement of folks we do to keep up with the industry.
Payatu > What is one piece of advice you would like to give to young security enthusiasts/professionals in the pharmaceutical technology industry?
Shirish > One is to keep an eye on compliance because it is a highly regulated industry. Before making any security decision, you need to understand whether it is going to have an impact on your compliance or not, which I think is missing from a lot of general pen testers, or general security specialists.
And second, not just in healthcare but in any industry, focus on outcomes, not on output. As I mentioned earlier, you need to ask yourself what value you are bringing to the company, or to your customers, or to your vendors.
You cannot say, “I wrote a 70-page report, so it is definitely better than a 30-page report,” because it doesn’t matter! How much value you are giving as part of that report, as part of that assessment, is what matters.
Payatu > What has helped you the most in your career as the Director of Engineering?
Shirish > Being a little more organized.
I started becoming more organized extremely late. I will give an example: whenever you are just talking to somebody and then they say we should do this. Now, if you don’t immediately act on that, most likely it will just slip away. You will meet after 2-3 months, and you will again say we should have done this.
So, now, anything that comes my way, goes to someplace, immediately.
Is it to-do?
Is it a card in your backlog?
Or is it an email to be sent to someone immediately?
I have a diary that I write in every day about the things I did. If you are an individual contributor, it is much easier to justify your value, you wrote 10 lines of code or you generated a report, quantified. But when you are in the Director of Engineering position, the value you bring to an organization gets difficult to quantify.
So, the things you are working on every day are something that goes into the journal. And it’s not just the everyday summary, it’s also whatever I achieved in a month. That is the monthly summary. It helps me keep track of my achievements and map them to my career goals.
The second thing that has helped me is focusing on the value, which could be the business value and the value you bring to the people.