Aetna Chief Security Officer Jim Routh shares best practices


Describe some of the new security challenges that are keeping CSOs up at night.

The number one risk is third party governance—the potential breach of a third party leading to the material disclosure of consumer information. I’d say the second most important challenge is vulnerability management, given the challenges of Meltdown and Spectre. It has been made significantly more complex by the vulnerabilities in chip design, creating the need to balance options for patch management, firmware updates and IT asset refresh cycles. The third challenge is phishing as a threat vector. Conventional controls of teaching employees to recognize phishing emails are not sustainable, and the tactics used by threat actors continue to evolve.

Aetna implemented DMARC in 2015, which eliminates the possibility of using the Aetna domain as a sending domain of phishing emails for our members. Aetna also implemented several other unconventional controls that eliminate the tactic of sending fraudulent email from a “lookalike” domain. We are developing a machine learning algorithm that provides identity matching through behavioral-based analysis to recognize fraudulent email coming from compromised email accounts. Finally, enterprises today have to worry about threat actors sponsored by nation states. Four or five years ago, nation state attacks focused on data and intellectual capital. Now, their political objectives may cause implications for collateral damage to the IT assets of enterprises in the private sector. When you think about the potential impact for a healthcare organization—including healthcare providers and hospitals—you’re talking about something as dramatic as the possibility of loss of life, if it hinders the care delivered to a patient.

What do you think health plans struggle with most when it comes to data security?

The use of social security numbers as a unique identifier and authenticator increases the attack surface in healthcare, far higher than any other industry. The financial services industry stopped using SSNs about 15 years ago. Healthcare organizations still rely on social security numbers, which are the single most sought-after attribute or data element by criminals looking to commit identity theft. Every time you go to the doctor or get an x-ray or a blood test, your information is tracked within the healthcare ecosystem by your SSN. This usage of the SSN increases the risk of exposure given the many intermediaries with access to it.

How is Aetna handling this security weakness?

Aetna has eliminated 10 billion instances of social security numbers in our core processing capabilities in the past three years. We made a commitment to consumers and encourage changes with our plan sponsors and our service providers to change their processes and eliminate the use of SSNs. Now, we are having a material positive impact on shrinking the attack surface. Government agencies, like Medicare, have committed to reducing the use of social security numbers as unique identifiers and authenticators. Substantial progress has been made, but there is a lot more work to do.

Passwords have become obsolete due to the massive amount of credential data (login IDs and passwords) that has been compromised and harvested by criminals in recent years. Conventional control policy recommends multi-factor authentication. Aetna decided to take a more comprehensive approach and implement continuous behavior-based authentication that offers real-time authentication using many behavioral attributes available through web and mobile applications. This approach does not require the consumer to remember passwords. It embeds authentication into electronic interactions on a continual basis. Aetna uses between 30 and 60 attributes that feed a risk engine used to calculate a risk score. That score is fed to the mobile or web application in real time, and the application determines how much access to provide to the consumer.

What are some of the new types of breaches that companies need to have on their radar?

Compromised credentials and demographic information are being used to bypass conventional password reset functions impacting enterprises. Data destruction software—ransomware—is growing in frequency. Aetna implemented a change to the backup and recovery processes, which were highly efficient but also a potential risk for data destruction malware. The change enables Aetna to use recent data from the top 50 most critical systems to recover in the event of a data destruction malware incident. Very few companies have that in place today.

As healthcare organizations become more “connected,” e.g., BYOD, what new security measures must be put into place?

First, companies must educate employees that they may use products that make them feel like consumers, but they are actually the product; more specifically, their information is the product. To protect the enterprise today, we need to educate consumers to shift their thinking; they are the product and they have choices they can make on how the product is used.

Our job is to figure out the security controls for any device. For instance, we have one of the most mature mobile security capabilities in the enterprise market today. It supports all mobile devices and offers protection against Wi-Fi misconfiguration and malicious apps. That capability is offered to all employees.

How can health plans build digital trust with consumers?

Three years ago, we implemented DMARC. It is the industry standard for authenticating all email that goes outbound from a domain. Aetna publishes a DMARC policy to ISPs. Email that purports to be from Aetna is blocked and not delivered to the consumer. Forty percent of email traffic was actually fraudulent from other sources and therefore blocked when we first implemented DMARC in 2015. The number one sender by volume was a Russian criminal syndicate that sends pharmacy spam. Now, every year, we see a 10 percent improvement in click-through rates from consumers for Aetna email campaigns designed to promote healthy practices. Consumers know it is a trusted email coming from Aetna. This helps drive good outcomes for the health consumer and the health plan.
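As an added illustration of the DMARC mechanism described in this answer and in the first one (example code, not Aetna's or the interview's own; the TXT record, the domains and the SPF/DKIM results below are constructed placeholders), here is a receiver-side evaluation in the shape RFC 7489 specifies: parse the domain owner's published record, check whether a passing SPF or DKIM identifier aligns with the visible From domain, and derive the disposition the policy asks for. The organizational-domain lookup is simplified to the last two labels; real receivers consult the Public Suffix List.

```python
"""Evaluate a published DMARC policy against one message's SPF/DKIM results.

Added example for illustration only; not Aetna's code. The record and
domains are constructed placeholders. Organizational domain is simplified
to the last two labels (real receivers use the Public Suffix List).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample record for the placeholder domain example.com.
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
    "rua=mailto:dmarc-reports@example.com"
)

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into tags and apply RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= tag missing or invalid")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("pct", "100")     # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= when absent
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels stand in for the Public Suffix List lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed an org-domain match."""
    if not auth_domain:
        return False
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


@dataclass
class MessageAuth:
    header_from: str                 # domain of the RFC5322.From address
    spf_pass_domain: Optional[str]   # envelope domain that passed SPF, else None
    dkim_pass_domain: Optional[str]  # d= of a verified DKIM signature, else None


def step_down(policy: str) -> str:
    """pct= sampling: mail not selected gets the next less severe action."""
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


def evaluate(record: dict, msg: MessageAuth, policy_domain: str,
             sampled: bool = True) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    `sampled` stands in for the receiver's pct= random draw so that the
    example stays deterministic.
    """
    spf_ok = aligned(msg.header_from, msg.spf_pass_domain, record["aspf"])
    dkim_ok = aligned(msg.header_from, msg.dkim_pass_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= governs subdomains of the policy domain; p= governs the domain itself.
    is_subdomain = msg.header_from.lower() != policy_domain.lower()
    policy = record["sp"] if is_subdomain else record["p"]
    if int(record["pct"]) < 100 and not sampled:
        policy = step_down(policy)
    return "fail", policy


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORD)
    # Constructed: mail claiming example.com but authenticated only for an unrelated bulk sender.
    spoof = MessageAuth("example.com", "bulk-sender.net", None)
    print(evaluate(rec, spoof, "example.com"))   # ('fail', 'reject')
    # Constructed: legitimate mail from a delegated sending host; relaxed SPF alignment passes.
    legit = MessageAuth("example.com", "mail.example.com", None)
    print(evaluate(rec, legit, "example.com"))   # ('pass', 'none')
```

Note that the policy is bound to the exact From domain: a lookalike domain publishes its own record, so DMARC alone does not address it, which is consistent with the interview treating lookalike-domain controls as a separate measure.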

What can healthcare learn from other industries, such as financial services, to improve its security posture?

We need to shrink the attack surface in healthcare by eliminating the use of SSNs. This will have a bigger impact on the size of the threat surface than anything else in healthcare. Every healthcare entity needs to implement DMARC to make sure emails sent to consumers are legitimate.

The diversity of IT in a hospital setting is increasing, but there are scarce technical resources and limited IT security resources. This is a combination that leads to security challenges. Medical devices connecting to a network have to be identified and controlled. Techniques and technology tools can help, but resource constraints remain a significant risk.

Healthcare providers buy a lot of products to help improve the quality of care that require software. Third party manufacturers don’t have a strong enough incentive to create software that doesn’t have security defects. The end user license agreement makes it clear that the software provider is not responsible for product defects, the end-user is. So when a hospital acquires advanced medical devices, there are limitations to determine if the software has security defects that may potentially impact the patient’s treatment. Third party governance controls for device manufacturers are essential and core to vulnerability management, and healthcare providers need to improve their third party governance capabilities.

What types of security talent should health plans be looking for?

We have one criterion for selecting talent: Candidates must demonstrate intellectual curiosity. We can teach them anything else. Threat actors change tactics all the time. We have to study the behavior and design controls to mitigate these changes in tactics. It’s a cat and mouse game that is never going to change.

A common perception in the market is the lack of cyber talent available to fulfill hiring needs and the difficulty in finding qualified talent. We don’t agree with this as a significant constraint. Aetna has demonstrated the ability to attract and retain top security talent by offering employees opportunities to learn advanced techniques and improve their marketability. We are proud of the fact that 40 percent of our security staff are women, 23 percent are people of color and 17 percent are US veterans. I have never used a cybersecurity recruitment agency in 15 years and see no need to change this approach. Aetna allows experienced hires to work where they live, and learn what they want to learn. Our cybersecurity talent love to learn techniques and have an insatiable appetite for knowledge of techniques. We have over 300 models in production that use machine learning to drive real-time security controls.

What do you like most about your job?

What I like most is the fact that every day is new and things change. I like studying, learning about the evolution of threat tactics. I like dealing with government agencies, sharing information about what works and what doesn’t. I was an IT professional for 15 years and moved into security. I will never go back to just IT. There is something about the allure and challenge of security.

I chair the Information Sharing and Analysis Center for healthcare. Aetna is a committed member and we share information and help the entire industry improve resilience. No other healthcare entity in the world has as mature a security program. Our security is on par with the top global banks and in some cases, more advanced, and we share all of our practices with our industry colleagues.

Do you have any special hobbies or interests?

My son plays lacrosse at the collegiate level, so we travel all over New England most spring weekends, watching him play. I coached all three of my boys when they were young and all of them played through college.