
Cyber security in the International Private Medical Insurance market

Facing data security challenges head on  

Many in the International Private Medical Insurance sector consider both internal and external data breaches to be among the greatest challenges the industry faces. Alan Payne, Chief Information Officer (CIO) at Aetna International, explains how one of the largest insurers in the international space is approaching this complex problem.

Close attention is paid to the issue of data and cyber security at Aetna International, from the CEO down through all employee layers. This is a mandatory discussion item at every monthly board meeting, where Aetna International’s threat assessment is examined in detail and proactive improvement measures are agreed and authorised.

Aetna’s Global Chief Security Officer (CSO), James Routh, has implemented a risk-driven and highly innovative security program where controls are adjusted consistently based on changes in the cyber threat landscape. Aetna does this by designing and implementing unconventional controls that help improve risk management while offering consumers choices in how they interact with mobile and web applications.

As an industry, we face both internal and external challenges.

External Threats

Aetna uses extensive resources to study threat actor tactics from private and public sources. We also share information extensively through the National Health Information Sharing and Analysis Center (NH-ISAC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) and currently serve on the boards of both organisations. Aetna’s security engineers lead the NH-ISAC Threat Intelligence Committee, collaborating with industry partners to reverse engineer malware samples to determine effective controls that are then shared with the entire industry.

This type of activity helps ensure our business processes are resilient and greatly improves our ability to help protect member information.

Internal Threats

Aetna uses an innovative philosophy to monitor and help prevent internal threats. We use a model-driven privileged user monitoring capability that operates in real time, comparing the online behaviour of all registered network users to mathematical models of their past behavioural patterns. Any irregular patterns or anomalous events are shared with cybersecurity leaders within the enterprise. Aetna was the first organisation to deploy this capability at scale across the enterprise.
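To make the idea of a model-driven user monitor concrete, here is an added illustration that is not Aetna's code and does not reflect how their system is built. It builds a per-user baseline from constructed historical access-log lines (hours of activity, actions performed, and the number of records touched per event) and then scores new events against that baseline, returning the reasons an event deviates so a reviewer can triage it. The log format, user names, the z-score threshold and the sigma floor are all assumptions for the example.

```python
"""Added example: a minimal behavioural baseline for privileged-user monitoring.
Not Aetna's implementation; all log lines and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed historical access log: "timestamp user action records_touched"
HISTORY = """\
2024-03-01T09:15 alice view_member 12
2024-03-01T10:05 alice view_member 15
2024-03-02T09:40 alice view_member 11
2024-03-02T11:20 alice view_member 14
2024-03-03T09:05 alice view_member 13
2024-03-01T14:00 bob export_claims 2
2024-03-02T14:30 bob export_claims 3
2024-03-03T13:55 bob export_claims 2
""".splitlines()


@dataclass
class Baseline:
    hours: set      # hours of day at which the user has been active
    actions: set    # actions the user has performed before
    mu: float       # mean number of records touched per event
    sigma: float    # population standard deviation of that number


def parse(line):
    """Split one log line into (timestamp, user, action, records_touched)."""
    ts, user, action, count = line.split()
    return ts, user, action, int(count)


def build_baselines(lines):
    """Aggregate historical events into one Baseline per user."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, action, count = parse(line)
        per_user[user].append((int(ts[11:13]), action, count))
    baselines = {}
    for user, events in per_user.items():
        counts = [c for _, _, c in events]
        baselines[user] = Baseline(
            hours={h for h, _, _ in events},
            actions={a for _, a, _ in events},
            mu=mean(counts),
            sigma=pstdev(counts),
        )
    return baselines


def score(event, baselines, z_threshold=3.0, sigma_floor=1.0):
    """Return the reasons an event deviates from its user's model (empty list = normal).

    sigma_floor stops a user with a very steady history from being flagged
    on tiny fluctuations (and avoids division by zero)."""
    ts, user, action, count = parse(event)
    hour = int(ts[11:13])
    base = baselines.get(user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if hour not in base.hours:
        reasons.append(f"unusual hour {hour:02d}")
    if action not in base.actions:
        reasons.append(f"new action {action}")
    z = (count - base.mu) / max(base.sigma, sigma_floor)
    if z > z_threshold:
        reasons.append(f"volume z={z:.1f}")
    return reasons


def triage(events, baselines):
    """Return only the events that need a human reviewer, paired with their reasons."""
    flagged = []
    for event in events:
        reasons = score(event, baselines)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    live = [
        "2024-03-04T10:10 alice view_member 14",
        "2024-03-04T02:30 alice view_member 400",
        "2024-03-04T14:10 bob export_claims 40",
        "2024-03-04T09:00 carol view_member 1",
    ]
    for event, reasons in triage(live, baselines):
        print(event, "->", "; ".join(reasons))
```

A real deployment would model far more features (peer-group comparison, sequence of actions, device and location), but the shape is the same: learn from history, score in real time, and hand only the deviations to people.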

Role-based activity

All of our staff members are subject to stringent role-based activity control. Permissions to networks, data, activities and locations are withheld unless access is necessary for the employee to perform their role.

An employee might be granted rights to undertake particular functions such as processing claims or making payments to a member. The employee will only be able to access the systems relevant to their tasks. Employee access to customer information will be restricted too, often down to small groups of customers or even to an individual level if necessary. The staff member can’t view member details outside of their particular division, department or location.

Segmenting roles to this level restricts access to raw data and creates a governance framework around what employees can do with the data. For example, the ability to transfer data is very strictly controlled. All on-line user behaviour is compared to models for potential cases of misuse of privilege using multiple layers of controls.

This strategy is highly effective in preventing employees from accessing and manipulating large amounts of customer data inappropriately.
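The following added example, which is not Aetna's code, shows the two checks the section describes combined into one deny-by-default decision: a role grants a set of functions (processing claims, making payments), and a separate data scope (division and location, or an explicit list of individual members) decides which customer records those functions may touch. Every deny returns the check that failed so it can be logged. Role names, actions, divisions and member records are constructed.

```python
"""Added example: role permissions plus data-scope restriction, deny by default.
Not Aetna's implementation; all roles, actions and records are constructed."""
from dataclasses import dataclass

# What each role may do. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "claims_processor": {"view_member", "process_claim"},
    "payments_clerk": {"view_member", "make_payment"},
    "auditor": {"view_member"},
}


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    division: str
    location: str
    member_ids: frozenset = frozenset()  # optional allow-list of individual members


@dataclass(frozen=True)
class Member:
    member_id: str
    division: str
    location: str


def in_scope(emp, member):
    """Data scope: an explicit member list wins; otherwise division and location must match."""
    if emp.member_ids:
        return member.member_id in emp.member_ids
    return emp.division == member.division and emp.location == member.location


def authorize(emp, action, member):
    """Return (allowed, reason). The reason names the failed check for the audit log."""
    if action not in ROLE_PERMISSIONS.get(emp.role, set()):
        return False, f"role {emp.role} lacks {action}"
    if not in_scope(emp, member):
        return False, f"member {member.member_id} outside {emp.user}'s scope"
    return True, "ok"


if __name__ == "__main__":
    alice = Employee("alice", "claims_processor", "EMEA", "London")
    bob = Employee("bob", "auditor", "EMEA", "London", frozenset({"M2"}))
    m1 = Member("M1", "EMEA", "London")
    m2 = Member("M2", "APAC", "Singapore")
    for emp, action, member in [
        (alice, "process_claim", m1),
        (alice, "make_payment", m1),
        (alice, "process_claim", m2),
        (bob, "view_member", m2),
        (bob, "view_member", m1),
        (alice, "bulk_export", m1),
    ]:
        print(emp.user, action, member.member_id, "->", authorize(emp, action, member))
```

Note that a bulk data transfer is not granted to any role here; the page says such transfers are strictly controlled, and keeping them out of the default role table means they can only be enabled through a separate, deliberate decision.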

SPEAR Programme

SPEAR is Aetna International’s security protection, elimination and reduction programme. It allows us to scan outgoing emails from employee accounts for number patterns that indicate sensitive data. A 4-4-4-4 numeric pattern, for example, indicates a credit card number, while a 3-3-4 pattern might be a social security number from the U.S.

The process scans outgoing traffic for code patterns. As an example, any email leaving our protected domain with a recognised pattern will be caught, flagged and assessed by a security officer in that country before being released.
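As an added example (not the SPEAR programme's code), the scanner below implements the two patterns the page names, a 4-4-4-4 group and a 3-3-4 group, over the body of an outbound message and returns a hold-or-release decision. Two points a practitioner would want are included: a card-number candidate is upgraded to high confidence only when it passes the Luhn checksum, because a 4-4-4-4 group of digits also matches plenty of non-card numbers; and matched values are masked before they are reported, so the alert itself does not copy the sensitive data. The message text, the confidence labels and the separator handling are assumptions.

```python
"""Added example: outbound-email pattern scanner with Luhn validation and masking.
Not the SPEAR implementation; sample message and labels are constructed."""
import re
from dataclasses import dataclass

# The two groupings named on the page, with optional space or dash separators.
PATTERNS = {
    "card_number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{4}\b"),
}


@dataclass
class Finding:
    kind: str
    masked: str       # only the last four digits are kept
    confidence: str   # "high", "medium" or "low"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; cuts false positives on random 16-digit groups."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(raw):
    """Keep only the last four digits so the alert does not leak the value it found."""
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(body):
    """Return a Finding for each pattern hit in the message body."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(body):
            raw = m.group(0)
            if kind == "card_number":
                confidence = "high" if luhn_ok(re.sub(r"\D", "", raw)) else "low"
            else:
                # A 3-3-4 grouping also matches phone numbers, so it is never more than medium.
                confidence = "medium"
            findings.append(Finding(kind, mask(raw), confidence))
    return findings


def decide(findings):
    """Mirror the page's process: any recognised pattern holds the mail for a security officer."""
    return "hold" if findings else "release"


# Constructed sample: one Luhn-valid test card number, one 3-3-4 group, one random 4-4-4-4 group.
SAMPLE = (
    "Hi, please bill card 4111 1111 1111 1111 and call me on 555-123-4567. "
    "Reference: 1234 5678 9012 3456."
)

if __name__ == "__main__":
    hits = scan_message(SAMPLE)
    for f in hits:
        print(f.kind, f.masked, f.confidence)
    print("decision:", decide(hits))
```

The page's flow (catch, flag, assess, release) maps onto `decide`: a hold is a queue entry for a security officer, not an automatic block, and the confidence field is what lets that officer work the queue by risk rather than in arrival order.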

Looking to the future

Aetna International’s thinking doesn’t end with traditional controls. Information was recently published about Aetna’s next generation security architecture that involves replacing passwords with member choices for biometric controls fed into a risk engine that provides continuous authentication capability. We believe this is the first time the customer journey has been improved without adding friction to the customer experience while also significantly improving security risk management.

For more information on the health care and insurance support and services expats and clients can expect from Aetna International, please contact one of our expert consultants. Alternatively, for media enquiries, visit our ‘News’ page. 

Aetna® is a trademark of Aetna Inc. and is protected throughout the world by trademark registrations and treaties.