Jim Routh and Georgia Reid at NYIT. PHOTO: Cybercrime Magazine.

Protecting The Crown Jewels of Healthcare Data With Aetna’s CSO

Ask The CISO: Cybersecurity Q&A with Jim Routh, CSO at Aetna. Sponsored by Fortinet.

– Georgia Reid

Northport, N.Y. – Nov. 6, 2018

Data, as everyone knows, is money. Data is not just your Social Security number and bank account numbers. It is who you are, where you were born, what you like to do, who you follow on social media, where you shop, what digital ads you click, and how much of a risk you are on the internet. Data is worth its weight in gold. Or maybe bitcoin. 

In order to process the exponential growth of digital data in the world today — and in order to protect this data from malicious actors — cybersecurity is enlisting the help of artificial intelligence. Companies that deal with the data of millions — or even just thousands — of human beings are moving quickly in the direction of machine learning to assist in this Herculean task. 

Last week, Cybercrime Magazine took our studio on the road to the New York Institute of Technology. We sat down with Jim Routh, CSO at Aetna and chair of the National Health ISAC, to discuss the protection of data, as well as machine learning, nation-state sponsored cybercriminal activity, criminal syndicates, hacktivist groups, threat actors, and marketing. 

Routh is a cybersecurity expert with over thirty-five years of experience in information technology, the last twenty of which have been in cybersecurity. This is our second “Ask the CISO” interview, part of a series in which we interview top CISOs and CSOs from Fortune 500 and Global 2000 companies.


The following is an edited excerpt from the full interview:

CM:  What is it like managing all of the security and cybersecurity operations for a company as large as Aetna, and as important as Aetna, in this day and age with cybersecurity the way it is, and the number of consumers and customers that you have? Let’s start with how you started out in cybersecurity.   

JR: After working in IT at American Express in Minneapolis, I started running consumer data analytics. It was all behavioral based. That actually is a foundational component for cybersecurity today. I was then the first CISO at American Express and that is where I got my introduction into security.

CM: When it comes to data science, how does that help you understand ransomware, hacking, and breaches?

JR: Today we have about 300 machine learning models running frontline security controls across eight platforms in the enterprise, and we will have about 500 next year; that gives you an indication of scale. So using models to actually influence frontline security controls is becoming more prevalent … you can use vendor models or create bespoke models … and this is going to continue. The reason it’s going to continue is that if you can identify behavioral patterns and compare them with past behavioral patterns you can create a risk score, or specifically a deviation score, between the normal pattern and what is actually happening. That is really useful information to determine that the end user is the end user and not someone else. Behavior doesn’t lie — online behavior across multiple attributes makes it easy to determine whether it’s the actual person at the other end, or someone else pretending to be that person.

CM: You headed up security for American Express and JPMorgan Chase. What are some of the similarities and differences between banking/finance and healthcare/insurance when it comes to heading cybersecurity as a CISO?

JR: It is interesting because the first observation I made — actually the first assumption I made — was that the diversity of threat actors in financial services is significantly higher than in health care. This was about five years ago when I entered health care. It turns out I was wrong. Threat actors in health care are just as diverse as in financial services. The difference is in the volume. The volume in financial services is higher but the diversity is the same. Nation-states have massive cyber espionage and cybercriminal enterprises that impact all industries today and all consumers in some form or fashion. Five years ago, nation-states were not as brazen in their attacks on private infrastructure and consumers. Today, that is fundamentally changed. The anonymity of the internet has shielded nation-state sponsored cybercriminal activity, and so all of us have to deal with nation-states, criminal syndicates, hacktivists. The diversity of threat actors is just as significant across industries today.

The other learning is that in financial services the crown jewels of data represent about 10 percent of all the data in the enterprise. You can wrap your arms around protecting the crown jewels being 10 percent of data in financial services because you can put your best controls on them.

In health care, the crown jewels make up about 80 percent of the data in the enterprise, in terms of the consumer patient health information. It is hard to scale the best controls across this enterprise. You could end up going with the lowest common denominator, and that’s not necessarily a good thing from a control standpoint. So that is an indication of the attack surface in health care being exponentially greater than in financial services.

CM: What are some of the biggest challenges for a CISO or a CSO such as yourself at a company like Aetna?

JR: So mostly my job — and this is true of any cybersecurity professional —  is to determine how to allocate scarce resources to the highest risk.

CM: Do you triage it?

JR: Yeah, it is a triage. You never have enough resources to do everything, so you have to pick and choose where you want to make investments in terms of the allocation of resources.
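
The deviation score described in the interview, which compares a session's behavior with the user's past pattern across multiple attributes, can be sketched as follows. This is an added example, not Aetna's models or code from the interview; the attribute names, sample sessions, unseen-value penalty and threshold are all constructed assumptions.

```python
import math
from statistics import mean, pstdev

# Constructed history of one user's past sessions; attribute names are hypothetical.
HISTORY = [
    {"login_hour": 9, "keystroke_ms": 182, "session_min": 34, "device": "laptop-a"},
    {"login_hour": 8, "keystroke_ms": 175, "session_min": 41, "device": "laptop-a"},
    {"login_hour": 10, "keystroke_ms": 190, "session_min": 29, "device": "phone-b"},
    {"login_hour": 9, "keystroke_ms": 178, "session_min": 37, "device": "laptop-a"},
    {"login_hour": 9, "keystroke_ms": 185, "session_min": 33, "device": "laptop-a"},
]
NUMERIC = ("login_hour", "keystroke_ms", "session_min")
CATEGORICAL = ("device",)

def build_baseline(history):
    """Normal pattern: (mean, stddev) per numeric attribute, seen values per categorical one."""
    base = {}
    for attr in NUMERIC:
        vals = [s[attr] for s in history]
        base[attr] = (mean(vals), max(pstdev(vals), 1e-6))  # floor avoids division by zero
    for attr in CATEGORICAL:
        base[attr] = {s[attr] for s in history}
    return base

def deviation_score(baseline, session, unseen_penalty=3.0):
    """Root-mean-square deviation from the baseline; near 0 means 'looks like this user'."""
    devs = []
    for attr in NUMERIC:
        mu, sigma = baseline[attr]
        devs.append(abs(session[attr] - mu) / sigma)  # z-score; hour treated as linear for brevity
    for attr in CATEGORICAL:
        # A value never seen for this user counts as a fixed (assumed) penalty.
        devs.append(0.0 if session[attr] in baseline[attr] else unseen_penalty)
    return math.sqrt(sum(d * d for d in devs) / len(devs))

def decide(score, threshold=3.0):
    """Illustrative threshold: at or above it, require step-up authentication."""
    return "step-up" if score >= threshold else "allow"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Both constructed sessions are assumed to present valid credentials; only behavior differs.
    usual = {"login_hour": 9, "keystroke_ms": 180, "session_min": 36, "device": "laptop-a"}
    odd = {"login_hour": 3, "keystroke_ms": 95, "session_min": 4, "device": "desktop-x"}
    for name, s in (("usual", usual), ("odd", odd)):
        score = deviation_score(baseline, s)
        print(f"{name}: score={score:.2f} -> {decide(score)}")
```

A single unfamiliar attribute (a new device with otherwise normal behavior) raises the score only moderately; it is the combination of deviations across attributes that pushes a session over the threshold.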
