Are Aptible customers affected by Cloudbleed?
No, not by virtue of using Aptible. Aptible does not use Cloudflare, and as such, our services and customer environments were not affected by the Cloudbleed vulnerability disclosed yesterday.
That said, if you use or used Cloudflare, you may be affected. You can read Cloudflare’s official description of Cloudbleed here.
If I used Cloudflare to cache PHI, what should I do?
Unfortunately, you should activate your incident response plan and talk to your lawyer immediately. HIPAA or your business associate contracts may require you to conduct mitigation and to make breach and/or security incident notifications.
Cloudbleed is one issue. Another issue is that if you were using Cloudflare to cache PHI through their CDN without a BAA, you may have been in breach of the HIPAA rules before this.
Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit. HHS’s recent guidance on cloud computing takes a very narrow view:
The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
OCR hasn’t clarified what “temporary” means or whether a CDN would qualify, but again, almost certainly not, as data storage is a critical, non-incidental component of CDN functionality.
What if I used Cloudflare to cache PII?
Again, activate your incident response plan and talk to your lawyer. HIPAA is just one of many data privacy regulations. Many states require companies to report breaches of personally identifiable information belonging to residents of that state.
What if I used Cloudflare for data aside from PHI or PII?
We encourage you to be safe and rotate all credentials that might have passed through Cloudflare from your app, such as session cookies, API keys, and user passwords.
What else should I do?
We encourage you to rotate your passwords for any service that used Cloudflare between September 22, 2016, and February 18, 2017. Cloudflare has not released a list of services affected. You can find one security researcher’s list of Cloudflare DNS customers (which is likely overinclusive) here.
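The rotation advice in the last two answers can be applied to a credential inventory as a simple triage. The following is an added example, not Aptible's or Cloudflare's code; the inventory columns, credential names and dates are constructed, and treating both window dates as inclusive is an assumption.

```python
import csv
import io
from datetime import date

# Exposure window quoted in the post; inclusive bounds are an assumption.
WINDOW_START = date(2016, 9, 22)
WINDOW_END = date(2017, 2, 18)

# Constructed sample inventory (hypothetical names and dates).
INVENTORY_CSV = """name,kind,behind_cloudflare,last_rotated,revoked
billing-api-key,api_key,yes,2016-03-01,no
admin-password,password,yes,2017-01-05,no
web-session-secret,session_secret,yes,2017-02-24,no
internal-db-password,password,no,2016-01-15,no
legacy-api-key,api_key,yes,2015-02-01,yes
"""

def assess(row):
    """Return why a credential must be rotated, or None if it need not be."""
    # Only live secrets that travelled through Cloudflare are in scope.
    if row["behind_cloudflare"] != "yes" or row["revoked"] == "yes":
        return None
    last = date.fromisoformat(row["last_rotated"])
    if last > WINDOW_END:
        return None  # current value was issued after the window closed
    if last >= WINDOW_START:
        # A rotation made during the window does not clear the secret:
        # the new value could still have passed through afterwards.
        return "rotated inside the window"
    return "unchanged since before the window"

def triage(csv_text):
    """Map credential name -> reason, for every credential needing rotation."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = assess(row)
        if reason:
            findings[row["name"]] = reason
    return findings

if __name__ == "__main__":
    for name, reason in sorted(triage(INVENTORY_CSV).items()):
        print(f"rotate {name}: {reason}")
```

Note that a credential rotated in January 2017 is still flagged, because only a rotation after February 18, 2017 replaces a value that could have been exposed.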
The Aptible Update Webinar Series is a new quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.
We hosted the first Update Webinar on October 25. In it, we covered:
- Deploying from Private Docker Registries: How to configure a private container deployment pipeline
- Advanced Memory Management: How to plan for and easily manage container memory issues
- New ALB Endpoints: More resilient zero-downtime deployments
- HTTP Health Checks: Smart, safe app container routing
- Platform Events: How to get more from the Enclave API and your logging
- Container Metrics: Live telemetry and dashboards for monitoring
- Working with Database Backups: On-demand backups and restoration
- Two-factor Authentication: Securing your Aptible accounts
The next Aptible Update Webinar will be on January 25, 2017, at 11am PST/2pm EST.
Webinars are recorded and made available for viewing if you cannot attend the live session.
How does a major open-source framework approach upgrades? Find out in Robert’s talk at the Ember.js NYC meetup last month.
If you find this interesting, join us!
Frank spoke at AWS re:Invent last week, in a session about architecting for HIPAA compliance. The entire panel is worth watching.
Having just come through Y Combinator, we frequently get asked whether it was worth it. The answer is absolutely yes, no hesitation. While the experience is still fresh, I want to encourage you to apply for the next cycle and give some advice for getting in.
You have an early-stage startup, or at least an idea for one. You know Y Combinator is fantastic: the network is legendary, the terms are fair, the other founders are incredible, and it provides an amazing lift for customer acquisition, fundraising, and recruiting.
The catch is that acceptance rates are brutal. Somewhere below 3% of applicants get an offer.
Should you skip this application cycle and apply later, when your company is more mature?
You should apply now, even if you don’t think you are ready.
There are two main reasons for this:
The application process itself is valuable. Preparing the application requires you to think carefully about your idea, your company, your market, your team, and the obstacles in your way. Forcing yourself to reflect honestly is painful, but extremely beneficial. Seize the opportunity to do it now.
You have a better chance than you think. The traits YC looks for in companies and founders are well-known and addressable. By “well-known,” I mean go read PG and Sam’s essays. By “addressable,” I mean you can improve your chances with focused work and practice. If your company doesn’t have the ideal characteristics, you can acquire the important ones. If you have the right ingredients, you can learn to convey that clearly and concisely.
That’s why you should apply now.
Here’s how to get in:
Step 0: Make something people want.
I’m kidding but not really.
“Make something people want” is YC’s motto. It’s also what they look for in companies. It’s not always sufficient, but it is necessary. If you do it, the rest can fall into place. If you don’t do it, you’re toast. Or Clinkle.
Others have written about how to find something to make that people want. I won’t get into that here, but I will add that most of the YC application process reduces to proving you’ve made something people want.
How do you prove it? Having paying customers is convincing. Having a lot of users is also convincing.
Showing that people want something similar to what you made, or that you could make something people want, is not convincing.
Sign contracts, take preorders, get LOIs, fill a waitlist, collect emails from customers saying how they can’t wait to pay you. Stop reading this and go do whatever you can to prove people want what you make. Now!
Step 1: Apply
Now, armed with proof that you make something people want, you are ready to apply.
Spend time thinking carefully about the questions. Don’t spend any time trying to game the application.
- Be honest with yourself. You know what your weaknesses are. Don’t shy away from them, but don’t waste too much time worrying if you can’t change them. For example, when we submitted our application, Aptible had no paying customers. We work in a regulated industry (healthcare) where getting security and stability right is critical, and we were confident that waiting was the right choice.
- Use every question to show that people want what you make. We made sure to explain what our waitlist looked like and how many customers had signed contracts to pay soon.
- One or two sentences is fine for most answers. Be clear and direct, then move on.
- Don’t overthink the video. Introduce yourselves, briefly explain what you’re working on, and spend the rest of your time explaining how you know people want what you make. Follow the instructions. Here’s our video.
Step 2: Interview
The application questions are a subset of the questions you may be asked at an interview.
Before our interview, Frank and I:
- Collected all of the known Y Combinator interview questions we could find
- Wrote out 1-2 sentence answers
- Agreed on which founder would lead on the answer, and
- Practiced with flash cards until we could answer every question fluently
Writing your answers out will help you formulate concise, consistent responses.
To test our fluency, we did mock interviews with each other, with our startup/tech friends, and with YC alums.
Mock interviews are the best way to practice. You will be shocked and disappointed by how incompetent you sound at first. Don’t worry, you’ll improve dramatically with repetition.
As one of our investors puts it, “You’re going to be telling people what you do eight times a day for the rest of the company’s life. Get good at it.”
Below are the questions we used to prepare. I don’t remember where we found each one, so apologies to the original sources. I’ve grouped them into categories by how important I think they are. The groups are my own and do not reflect YC’s views.
Remember: One or two sentences each. If you prepare longer answers, you’ll be flustered when the YC partners cut you off to ask another question. James Cunningham and Colin Hayhurst (GoScale, S12) built a fun app with a timer to help you practice concise answers.
These are the most important questions. They are all different ways of determining if you make something people want. You need to have a good answer, or an excellent reason for not having an answer. Many of these are in the application itself.
- What are you working on?
- Who would use your product?
- How do you know customers need what you’re making? How do you know people want this?
- How will you make money?
- How much money could you make per year?
- Why isn’t someone already doing this?
- Why will you succeed over others? What do you understand that others don’t?
- What have you learned so far from working on your product?
- How much does customer acquisition cost?
- How many users do you have?
- Where do new users come from? How do users find out about you?
- How are you meeting customers?
- What is your distribution strategy? How will you grow?
- What makes new users try you?
- Why do the reluctant users hold back?
- What is your growth like?
- What is your user growth rate?
- What’s the conversion rate?
- How many users are paying?
- Who is going to be your first paying customer?
- What resistance will users have to trying you and how will you overcome it?
- How are you understanding customer needs?
- What are the top things your users want?
- What has surprised you about user behavior?
- What’s new about what you make?
- What problems and hurdles are you anticipating? How will you overcome them?
- Six months from now, what’s going to be your biggest problem?
These questions concern narrative, team, and tactics. They are important, but only if you make something people want first.
- Why did you choose this idea? Why did you pick this idea to work on?
- Where is the rocket science here?
- How does your product work in more detail?
- What do you understand about your users? What domain expertise do you have?
- What are the key things about your field that outsiders don’t understand?
- What’s an impressive thing you have done?
- How did your team meet?
- Why did your team get together?
- Who in your team does what?
- Who would you hire or how would you add to your team? Who would be your next hire?
- What part of your project are you going to build first? What are you going to do next? What is the next step with the product evolution?
- If your startup succeeds, what additional areas might you be able to expand into?
- Who are your competitors?
- Who might become competitors?
- What competition do you fear most?
- What is your burn rate?
- How long can you go before funding?
- Have you raised funding?
These are questions that have a correct answer.
- What will you do if we don’t fund you? Keep working on this, because it’s a good idea that we can execute.
- Would you relocate to Silicon Valley during YC? Yes.
- Who is “the boss”? (Agree on one founder.)
If you get asked these in an interview, either you’re not doing well or you’re being tested. Try to preempt them with good answers to the more critical questions.
- How do we know your team will stick together? Will your team stick at this?
- What else have you created together?
- Are you open to changing your idea?
- Someone just showed us an idea like this right before you guys. I don’t like it. What else do you have?
Have answers, but don’t stress about these questions.
- What systems have you hacked?
- Tell us about a tough problem you solved?
- In what ways are you resourceful?
- What is something surprising you have done?
- What’s the funniest thing that has happened to you?
- What’s the worst thing that has happened? What’s the biggest mistake you have made?
Step 3: Start Now
Step 3 might be “Accept”, but if you interview, you should have already decided. You give up ~7% of the company for $120k in funding. YC will increase the value of your company by much more than 7%, without question. You will not get a better deal from fairer, more transparent partners anywhere.
You will only have about 100 days between getting accepted and Demo Day to make the most convincing case possible to investors. If you don’t get in, you have about 200 days to prove you can make something people want before you can apply again. Start now.
Good job on making it to the end! Feel free to ping me on Twitter or with the contact link above if you have questions. After interview invitations go out, I’ll volunteer a limited number of mock interview spots on Twitter.
You can find the Hacker News discussion for this post here.
Update - October 29, 2016: Formatting edits.
YES! Finally! The Aptible team and I are very happy to announce our public launch.
Frank and I started Aptible because we saw how difficult it was for technology companies to navigate the regulatory environment in healthcare. We believe that many of the most intractable problems in healthcare can be addressed with great technology, and we are working to empower smart, dedicated people to tackle them.
For the last few months, we have been working closely with a group of companies that represent the future of digital health. We are looking forward to telling you their stories in the coming weeks.
We are also excited to announce our relationships with three fantastic organizations:
Aptible is proud to be part of Y Combinator’s S14 batch. All of the partners have been amazing - YC is one of those rare organizations that is every bit as great on the inside as you hope it would be from the outside. Thanks especially to Justin, Garry, Kat, Jon, and Aaron for helping us prepare for this launch.
Today is the beginning of something very special. With an incredible team and the support of our customers and partners, we are going to rapidly accelerate the adoption of technology in healthcare, and help a lot of people on the way. If you want to be part of this, let us know, or email me at email@example.com.