Aetna CISO on risk-based approach to info security
BOSTON—“I take risks to manage risk more effectively,” said Jim Routh, Aetna’s chief information security officer, speaking at HIMSS’ Privacy and Security Forum on Sept. 8.
Routh said he uses a risk-based approach as opposed to a compliance-based approach for his organization’s information security. “It’s a fundamentally different model.” He also said information security is different from privacy. Although the two are interdependent, privacy programs need to be compliance-based while information security must be based on analysis of threats.
Routh recommended that those responsible for the security of healthcare information acquire cyberspace intelligence from third-party sources, become part of an information-sharing mechanism and work with state and federal entities. The changing threat landscape requires all three layers.
Aetna recently changed its information classification, a change Routh recommends for others as well. He created a restricted data category for Social Security numbers, credit card information and usernames and passwords. He added new controls to this data, including two-factor authentication, and increased auditing and monitoring of this category. The new category doesn’t scale to all of the company’s protected health information, but you have to pick and choose, he said.
Technology is another big focus for Aetna, Routh said. “I’m applying a portfolio management approach and looking at overlapping technologies.” There has been significant growth in SMAC (social media, mobile apps, analytics and cloud-based services), but “conventional controls don’t work well” with those. “We are forced to consider new technologies to create new controls.”
To do that, Routh has made a point of investing in newer technologies early, sometimes helping with testing and then having the latest technology already on hand. “I invest early to get in at a lower cost.”
He shared his experience of reviewing all the mobile apps published by Aetna and finding one he didn’t recognize that offered advice on how to choose health insurance. He wasn’t sure why Aetna would have an app that might direct consumers to other payers. He did some investigating and learned that the creator of the app was in India. The app was called Aetna++, and its creators had added malware and redistributed email to Aetna members. Unfortunately, the app had been downloaded 175,000 times.
The consumer chooses the Aetna brand name and then has a bad experience and thinks the company is spying on them. The app stole credentials and monitored accounts. It was “a parasite capitalizing on Aetna’s brand equity to make money. This happens all the time,” he said.
Because of his investment in software in its early stages, Routh was able to find out about this app, act early and put the creators out of business. A team of dozens spends time every week reviewing new technology. “We are looking at the landscape and then placing our bets.”
Routh also bought early into four different newer technologies in one space, and the “overlapping controls enable Aetna to invest in emerging technologies with game-changing capabilities.”
This approach lets Routh deliver a security trifecta to Aetna: reduced risk to consumers, decreased operating costs and increased revenue. “That’s something you don’t get too often.”
For smaller organizations with fewer resources, Routh recommended that they have a forum to tap the available resources. “Access to information helps you make better trade-offs with scarce resources.”