Aetna CISO Jim Routh: Risky investments in early-stage startups can have big payoff
BOSTON — Aetna chief information security officer Jim Routh said that smart healthcare executives should be looking to invest in early-stage technology companies.
It’s a matter of taking risks — putting aside traditional technology purchasing practices such as buying market share leaders — to manage risk.
“The CISO’s job is to manage risk, not reduce risk and we have to take some risks in how we manage technology,” Routh said here at the Privacy & Security Forum on Monday. “It’s not for the faint of heart.”
The goal is to create friction, Routh said, of the sort that makes it harder for attackers by turning yourself into a less attractive target. And that is hard because adversaries only have to find one way into a healthcare organization’s network, while CISOs have to protect against hundreds of thousands of ways into the network.
While risk control and risk management frameworks are worthwhile investments, Routh said they’re simply not enough.
Routh breaks his technology portfolio into three pieces: The largest category at 65 percent is legacy hardware and software; systems ripe for replacement are 25 percent of the portfolio while the remaining 10 percent are the technologies that need to be replaced.
Routh’s philosophy is to focus on that 35 percent by investing in early-stage startups because the costs, even if you lose out, are small and the potential for payoff is large.
“Most innovation comes from early stage development companies,” Routh said. “What I’m suggesting is buy earlier in the lifecycle. Before the company has investors, before it gets market share, you can get really compelling technologies.”
Indeed, at Aetna, Routh has invested in e-mail authentication, microvirtualization and containers, among others. In one instance, Routh bought in before the technology was even a product; in another, he invested before the upstart bought a competitor and ended up getting two tools for the initial prices.
Changing the procurement process, however, brings inherent risk. Another startup Routh worked with was bought by Microsoft and their partnership ceased.
Routh said he looks to Silicon Valley for early-stage companies and also said that Tel Aviv is another place to consider.
“This is a bit of a white knuckle ride from an engineering standpoint but if you’ve got the talent you can do it,” Routh said. “If you lose, it’s nickels and dimes, but if you win it’s a homerun.”
Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com
The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016.