
Page 1: Climate Change: It's about Managing Risk, Not Just Compliance · New Information Classification Model . 11 . Confidential Information • Protected Health Information (PHI) • Medical

Quality health plans & benefits Healthier living Financial well-being Intelligent solutions

Jim Routh September, 2014

Climate Change: It's about Managing Risk, Not Just Compliance

Page 2

Aetna Inc.

Objectives

1. Present a model for risk-driven information security

2. Suggest an alternative approach to managing risk in your security technology portfolio

3. Encourage you to consider changes in your approach to information security

Page 3

The Evolving Role of the CISO

A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks.

Page 4

The Opportunity Awaits Us

• Medical/health fraud is $80 billion annually (Institute of Medicine report, The Healthcare Imperative)

• An example of fraud is medical identity theft, which is growing at close to 20% annually (500k cases) (Ponemon)

• # of devices connected to the Internet in 2020 will be 50 billion (Cisco)

[Chart: underground market prices for stolen identity data. Fullz (insurance card, bank account, SSN, email address): $500, $25. SSN alone: $1.00 on Aug. 1st, $.48 on Aug. 8th.]

Page 5

Compliance-Driven Info Sec

[Flow diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement; labelled "Regulatory"]

Page 6

HIPAA and the HITECH Act on the compliance-driven flow (Event → Awareness → Committee → Legislative → Law → Rules → Enforcement; Regulatory)

Milestone                            Year      Years from start
Kennedy-Kassebaum Bill               1993-94   0
HIPAA                                1996      +3
HIPAA Privacy Rule                   1999      +6
HIPAA Privacy Rule - Final           2002      +9
Final Rule on security standards     2003      +10
Privacy compliance date              2003      +10
Security compliance date             2005      +12
Final Rule on HIPAA Enforcement      2006      +13
HITECH Act                           2009      +16
HITECH Act Rule                      2010      +17

Page 7

Risk-Driven Information Security

[Flow diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement (Regulatory), with Threat added as a further driver of the program]

Page 8

Separate Privacy Program from Information Security Program

[Diagram, two programs side by side]

Privacy: Federal, State, Local

Info Sec: External Threat, Internal Threat, Vulnerability Assessment

Page 9

Consume Cyber Security Intelligence

Sources: 3rd Party, Information Sharing, Public Domain, National Cybersecurity and Communications Integration Center (NCCIC)

Page 10

The Threat Landscape

• Organized cyber criminals

• Mobile Devices

• Geo Political

Page 11

New Information Classification Model

Confidential Information (controls meet all HIPAA and other regulatory requirements; nothing changes):

• Protected Health Information (PHI): Medical Records, Diagnosis & Procedure Codes, Lab Results, Claim Data, etc.

• Personally Identifiable Information (PII): Name, Address (Street, City, State, Zip Code), Member ID, DOB, Telephone & Fax Numbers, Email Addresses, etc.

• Company Financial Data, Merger & Acquisition Data

Restricted Data (new controls: Encryption or Tokenization, 2 Factor Authentication, Increased Auditing & Monitoring):

• Credit Card Data

• SSN

• Credentials (User IDs & Passwords)
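The slide names the three new controls for the Restricted tier but not how they fit together. The following is an added example by the editor, not Aetna's code or schema: a record with Confidential and Restricted fields is run through a policy that tokenizes the Restricted fields, refuses to reveal them without a verified second factor, and logs every reveal attempt. The field names, the tier map and the token format are assumptions for illustration; the sample record is constructed.

```python
"""Two-tier classification applied to a claim record (added example, not Aetna's code).
Restricted fields (SSN, card number, credentials) are tokenized; Confidential fields
(PHI/PII) keep their existing controls; access to a Restricted value needs MFA and is audited."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Field-to-tier map. Names are assumptions for this example, not an Aetna schema.
RESTRICTED = {"ssn", "credit_card", "password"}
CONFIDENTIAL = {"name", "dob", "member_id", "diagnosis_codes", "claim_amount"}


def classify(field):
    if field in RESTRICTED:
        return "restricted"
    if field in CONFIDENTIAL:
        return "confidential"
    return "internal"


class TokenVault:
    """Reversible tokenization. Tokens are random, so they reveal nothing about the
    value; plaintext lives only in the vault, and the forward index is keyed by an
    HMAC so a dump of that index does not expose plaintext either."""

    def __init__(self, vault_key=None):
        self._key = vault_key or secrets.token_bytes(32)
        self._forward = {}  # HMAC(field, value) -> token: same value, same token
        self._reverse = {}  # token -> plaintext
        self.audit = []     # "increased auditing & monitoring"

    def _index(self, field, value):
        msg = f"{field}\x00{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field, value):
        idx = self._index(field, value)
        if idx not in self._forward:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._forward[idx] = token
            self._reverse[token] = value
        return self._forward[idx]

    def reveal(self, token, actor, purpose, mfa_verified):
        """Detokenize. Every call is logged, refusals included, so monitoring sees
        attempts and not only successes; without a second factor nothing is returned."""
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                           "purpose": purpose, "token": token, "granted": bool(mfa_verified)})
        if not mfa_verified:
            raise PermissionError("restricted data requires 2-factor authentication")
        return self._reverse[token]


def protect_record(record, vault):
    """Copy of the record that is safe for Confidential-tier systems: Restricted
    fields replaced by tokens, everything else left as it was."""
    out = {}
    for field, value in record.items():
        out[field] = vault.tokenize(field, value) if classify(field) == "restricted" else value
    return out


# Constructed sample record with fictitious values.
SAMPLE = {"name": "A. Member", "dob": "1970-01-01", "member_id": "M123456",
          "diagnosis_codes": ["E11.9"], "ssn": "123-45-6789",
          "credit_card": "4111111111111111"}

if __name__ == "__main__":
    vault = TokenVault()
    safe = protect_record(SAMPLE, vault)
    print(safe)
    try:
        vault.reveal(safe["ssn"], actor="claims-batch", purpose="eligibility", mfa_verified=False)
    except PermissionError as err:
        print("blocked:", err)
    print(vault.reveal(safe["ssn"], actor="fraud-analyst", purpose="case-review", mfa_verified=True))
    print(vault.audit)
```

The point of the split is that PHI systems never see the SSN or card number at all; only the vault does, behind a second factor, and the audit trail records who asked, even when the answer was no.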

Page 12

Changing Business Practices

[Diagram: the SSN passing between Consumer, Provider and Payer]

Page 13

A Security Technology Portfolio

[Pie chart]

• Legacy Technology: mature, meets basic requirements (65%)

• Legacy to Replace: needs replacement, no longer mitigates risk (10%)

• New Technology Solutions: emerging technology controls (25%)

Page 14

Apply Portfolio Management Theory

[Chart: Market Share and Price (y-axis 0 to 8) against funding stage (x-axis 1 to 5: Angel/Early Stage, VC Backed Round 1, Round 2, Round 3, IPO, Private Equity) for a Product/Service; annotation "Buy Here" at the early stages]

• Product/Service market value increases with maturity

• Price follows market value

• More investors means higher pricing; more market share means higher pricing

• Select technology early and apply rigorous testing while sharing feedback

Page 15

Let’s Talk SMAC!

SMAC: Social, Mobile, Analytics, Cloud

Page 16

Cloud Consumption (Healthcare)

Total # Cloud Services Identified: 1,180

Average # Cloud Services Used: 2,365

Page 17

Majority of the 2,365 Services Used Lack Basic Security Features

Control                          Share of services
Provide Multi-Factor Authentication   16%
Encrypt Data at Rest                  11%
Are ISO 27001 Certified                4%

Source: cloud usage benchmark data

Page 18

Security Ranking of File Sharing Services

[Chart: 178 total file sharing services; the top 10 (labelled A through J) ranked 1 to 10, with the risk distribution split into High Risk and Medium Risk]

Page 19

Mobile Ecosystem Controls?

Page 20

Developer for Aetna Insurance++

Page 21

The Mobile App Uses Permissions…

22 of the apps are requesting the GET_ACCOUNTS permission.

GET_ACCOUNTS lets an app see the various accounts on a phone via the account manager, including Google, Facebook, Twitter, etc.

In this app it is used by an ad library called "com.edealya", seemingly for ad tracking and targeting; quote: “eDealya enables marketers to respond to social intent with an in-context, on-time, and relevant mobile advertisement.”
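The finding above came from looking at what an app declares and which package actually consumes it. As an added example (the editor's, not Aetna's review tooling), the script below parses an Android manifest, flags permissions from a watchlist, honours maxSdkVersion so stale declarations are not reported, and lists the packages of components that live outside the app's own package, which is where an ad SDK's receivers and services show up. The manifest is constructed to resemble the case on the slide; the watchlist and its reasons are the editor's assumptions.

```python
"""Flag sensitive permissions in an Android manifest and point at third-party packages.
Added example, not Aetna's tooling; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(node, name):
    return node.get(f"{{{ANDROID_NS}}}{name}")


# Permissions a health app should have to justify. Editor's list, not from the slide.
WATCHLIST = {
    "android.permission.GET_ACCOUNTS": "enumerates accounts (Google, Facebook, ...) via AccountManager",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "device identifiers and call state",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest: the app's own activity plus an ad SDK's receiver and service.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.insurance">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS" android:maxSdkVersion="15"/>
  <application>
    <activity android:name="com.example.insurance.MainActivity"/>
    <receiver android:name="com.edealya.AdReceiver"/>
    <service android:name="com.edealya.AdService"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Map permission name -> maxSdkVersion (None when the declaration has no ceiling)."""
    root = ET.fromstring(manifest_xml)
    perms = {}
    for node in root.findall("uses-permission"):
        max_sdk = attr(node, "maxSdkVersion")
        perms[attr(node, "name")] = int(max_sdk) if max_sdk else None
    return perms


def third_party_packages(manifest_xml, app_package):
    """Packages of components declared outside the app's own package. A permission
    with no use in the app's code is usually consumed by one of these."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    components = list(app) if app is not None else []
    found = set()
    for comp in components:
        cls = attr(comp, "name") or ""
        if cls and not cls.startswith(app_package + "."):
            found.add(cls.rsplit(".", 1)[0])
    return sorted(found)


def review(manifest_xml, target_sdk=19):
    """Watchlisted permissions that are live at target_sdk, plus foreign packages."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    findings = []
    for perm, max_sdk in declared_permissions(manifest_xml).items():
        if perm not in WATCHLIST:
            continue
        if max_sdk is not None and max_sdk < target_sdk:
            continue  # declaration expired below the SDK level we ship for
        findings.append((perm, WATCHLIST[perm]))
    return {"package": pkg, "findings": findings,
            "third_party_packages": third_party_packages(manifest_xml, pkg)}


if __name__ == "__main__":
    report = review(CONSTRUCTED_MANIFEST)
    print(report["package"])
    for perm, why in report["findings"]:
        print(f"  {perm}: {why}")
    print("  third-party packages:", ", ".join(report["third_party_packages"]))
```

The manifest tells you what was requested, not who uses it; the foreign-package list narrows the search, and confirming the consumer still means reading the decompiled SDK code, as the slide's author did.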

Page 22

eDealya

Reference: eDealya Website - https://www.e-dealya.com/wp-content/uploads/2013/07/eDealya-One-Pager-v4.3.1.pdf

Page 23

New Authentication Models Are Needed

Decision Data Input for RISK SCORING (Measurements: see key below; R = Read, T = Transmit)

Build Data
Data element              Measurements               Read/Transmit
Accelerometer Data        H,MF,P,S                   R,T
Apt Folder data           H,N                        R
Battery Usage             H                          R,T
Blacklist Device ID       H                          R,T
Bluetooth settings        H,T                        R,T
Call Settings             H                          R,T
Customer ID               H                          R,T
Device ID                 H                          R,T
Fonts installed           H,MF,N                     R,T
Last Power up             F,H,N,T,TB,TD              R,T
Manufacture build data    H                          R,T
Network                   F,H,MF,N,T,TD              R,T
Preference settings       H                          R,T
Processing Power          H                          R,T
Random number [inauth]    H                          R,T
Security                  H,MF,N,S,V                 R,T
Sound                     H                          R,T
Storage/memory            H                          R,T
Su Library data           H                          R
Super User data           H                          R
Test-Release data         H                          R
Time Zone Setting         F,H,MF,N,TB                R,T
Transmission settings     H                          R,T
Unique ID                 H                          R,T
Wi-Fi settings            F,H,N,S,T,TB,TD,V          R,T

Call Data
Data element              Measurements               Read/Transmit
Call Country Codes        F,H,MF,N,S,T,TB,TD,V       R,T
Call Data                 H                          R,T
Call Duration             H,MF,T                     R,T
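The table lists signals but not how they become a decision. The following is an added example by the editor, not Aetna's scoring model: a handful of the slide's inputs (blacklist, superuser data, test/release build, device and unique IDs, time zone, call country code, network, Wi-Fi) are compared against what was recorded at enrollment, turned into an additive score with a reason per point, and mapped to allow / step-up / deny. Weights, thresholds, the profile structure and the sample devices are all assumptions.

```python
"""Device-signal risk score driving an authentication decision.
Added example, not Aetna's model; weights and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceSignals:
    """Subset of the slide's build data and call data inputs."""
    device_id: str
    unique_id: str
    blacklisted: bool              # Blacklist Device ID
    su_library_present: bool       # Su Library data / Super User data: rooted?
    test_release_build: bool       # Test-Release data: debug build, not a store release
    time_zone: str                 # Time Zone Setting
    call_country_code: str         # Call Country Codes
    wifi_ssid: Optional[str]       # Wi-Fi settings
    network: str                   # Network (carrier)


@dataclass
class EnrolledProfile:
    """What was recorded when the user bound this device to the account."""
    device_id: str
    unique_id: str
    time_zone: str
    call_country_code: str
    network: str
    known_wifi: set = field(default_factory=set)


def risk_score(sig, profile):
    """Return (score, reasons). Every point carries an explanation, because the
    reasons list is what a fraud analyst sees, not the number."""
    score = 0
    reasons = []

    def add(points, why):
        nonlocal score
        score += points
        reasons.append(f"{points:+d} {why}")

    if sig.blacklisted:
        add(100, "device id on blacklist")
    if sig.su_library_present:
        add(40, "superuser binaries present (rooted)")
    if sig.test_release_build:
        add(20, "test/debug build")
    if sig.device_id != profile.device_id:
        add(30, "device id differs from enrolled device")
    elif sig.unique_id != profile.unique_id:
        add(35, "same device id but unique id changed (cloned or re-imaged?)")
    tz_changed = sig.time_zone != profile.time_zone
    cc_changed = sig.call_country_code != profile.call_country_code
    if tz_changed:
        add(10, "time zone differs from enrollment")
    if cc_changed:
        add(15, "call country code differs from enrollment")
    if tz_changed and cc_changed:
        add(10, "time zone and country moved together (travel or takeover)")
    if sig.network != profile.network:
        add(5, "carrier network changed")
    if sig.wifi_ssid and sig.wifi_ssid in profile.known_wifi:
        add(-10, "on a Wi-Fi network seen at enrollment")
    return max(score, 0), reasons


def decide(score):
    """Assumed thresholds: low risk passes, mid risk gets a second factor,
    high risk is refused and routed to review."""
    if score >= 60:
        return "deny"
    if score >= 25:
        return "step_up"
    return "allow"


def authenticate(sig, profile):
    score, reasons = risk_score(sig, profile)
    return decide(score), score, reasons


# Constructed enrollment profile and three constructed sessions.
PROFILE = EnrolledProfile("dev-7f3a", "uid-11aa", "America/New_York", "1", "carrier-a", {"home-wifi"})
SAME_DEVICE = DeviceSignals("dev-7f3a", "uid-11aa", False, False, False,
                            "America/New_York", "1", "home-wifi", "carrier-a")
NEW_DEVICE = DeviceSignals("dev-0c12", "uid-22bb", False, False, False,
                           "America/New_York", "1", None, "carrier-a")
ROOTED_ABROAD = DeviceSignals("dev-7f3a", "uid-11aa", False, True, False,
                              "Europe/Berlin", "49", None, "carrier-z")

if __name__ == "__main__":
    for label, sig in (("same device", SAME_DEVICE), ("new device", NEW_DEVICE),
                       ("rooted, abroad", ROOTED_ABROAD)):
        decision, score, reasons = authenticate(sig, PROFILE)
        print(f"{label}: {decision} ({score})", reasons)
```

A real model would learn the weights from fraud outcomes rather than hard-code them; what stays the same is that the signals are read from the device, transmitted, compared with an enrolled baseline, and that every decision is explainable after the fact.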

Page 24

Using Technical Innovation to Improve Controls

• Overlapping controls enable Aetna to invest in emerging technologies with game-changing capabilities

[Chart: Market Share and Price (y-axis 0 to 8) against funding stage (x-axis 1 to 5), plotting Micro-virtualization, Host-based intrusion detection 1, White listing processes and Host-based intrusion detection 2; annotation "Aetna purchased here" at the early stages]

Page 25

Trusted Email Lifecycle Summary

Page 26

Benefit Summary

On July 14, 2014 the #1 targeted domain for malicious email, americanhealthholding.com, moved to DMARC enforcement:

Total malicious email removed from delivery (7/14 - 8/30): 10,276,150

Page 27

Questions?

[email protected]