Company Nurse: Our Path to Superior Data Privacy
How one company addressed the need for modern data security while reducing business risk.
- By Henry Svendblad
- March 26, 2021
As the CTO of Company Nurse, a leading provider of workers' compensation services, I've seen first-hand how the industry still relies on fax and email for documents and data from our customers and partners.
In 2019, I led our organization in modernizing our data distribution capabilities to lessen our reliance on fax and email in favor of modern, cloud-based APIs for the records our company manages and distributes. By blending these new data distribution capabilities with AI-based approaches to client data protection, my team and I reinforced Company Nurse's reputation as a leader in data privacy in our industry.
As part of managing these records, every recent customer conversation has included a discussion about security and data privacy. Even though workers' compensation isn't regulated by HIPAA, that regulation has raised awareness and set the privacy bar for any enterprise handling patient information. Even so, absent a regulatory mandate to invest, most competitors in our industry haven't focused on data security. My vision combined a cloud-based approach to data collection with AI-powered data security capabilities that would satisfy our customers while positioning us as the industry security leader.
Every company in our sector faces the risk of data loss. We know that a successful breach could result in thousands of records, each containing personally identifiable information (PII) and protected health information (PHI), becoming public or being used for identity theft or other cybercrimes. Beyond the direct impact on individuals, a breach also raises the possibility of brand damage and costly remediation.
The workers' compensation process can move slowly and documentation is legally required to be archived for years, so simply deleting older documents isn't always an option for reducing data loss. I wanted a solution that would secure data no matter where it was stored or how it was collected.
We set out to build the industry's first secure, cloud-based API for workers' compensation injury reporting (as well as triage), including safeguards for the forms and claims data entrusted to us by our clients.
Modern Tools to Tackle Project Goals
From a security standpoint, we had three major goals. First, we wanted to know where everything was. That might sound like a simple task, but after years of end users processing and managing files, it's not. Second, we wanted to get to a true least-privilege model, where we control access to each specific file based on need, not folder membership. Finally, we wanted to avoid duplicate data, both to keep storage costs down and to simplify security.
The API element of the initiative was straightforward and quickly fell into place. However, meeting our three data security goals for the faxes, reports, and documents in our archives proved to be difficult. The data is hard to find and even harder to categorize, assess for risk, and protect.
Although this would have been considered a nearly insurmountable challenge a few years ago, a new generation of data security tools based on artificial intelligence (AI) and natural language processing (NLP) addresses these issues with relative ease. These new tools are cloud-based, which simplifies implementation and lowers our ongoing operational costs. NLP-based data discovery autonomously groups unstructured files into thematic clusters. At Company Nurse, those clusters are how we identify specific form types or documents that contain PHI/PII or other care information.
After our evaluation, we chose Concentric's Semantic Intelligence solution to mitigate our unstructured data risk exposure. Structured data does not have the same data discovery and risk assessment issues as unstructured data, and our problem was almost exclusively one of unstructured data. In fact, our API effort has had the effect of "structuring" our unstructured forms and client input data -- making security much easier for new data.
In a matter of days, the program completed a deep-learning process that discovered and categorized our business-critical data. Concentric's risk assessment uses AI to derive a security baseline for each cluster. Once clustered, files have a consistent, common, and identifiable set of security practices that can be used to establish a meaningful security baseline. That baseline reflects how files in the cluster are shared, where they're typically located, and how they're configured for group access (e.g., whether the accounting team or IT organization can access files in a specific cluster). When an individual file's security settings differ from the security baseline, that file is deemed to be at risk.
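The baseline-and-deviation idea described above can be sketched in a few lines. This is an added example, not Concentric's or Company Nurse's code: it assumes cluster labels are already assigned, substitutes a simple majority vote for the AI-derived baseline, and uses constructed file records and hypothetical names (`build_baselines`, `at_risk`).

```python
from collections import Counter, defaultdict
# Constructed sample inventory (not real data): each record is
# (path, cluster, storage location, groups with access, shared externally?)
FILES = [
    ("injury_0001.pdf", "injury_report", "claims_share", {"claims"}, False),
    ("injury_0002.pdf", "injury_report", "claims_share", {"claims", "triage"}, False),
    ("injury_0003.pdf", "injury_report", "claims_share", {"claims", "triage"}, False),
    ("injury_0004.pdf", "injury_report", "claims_share", {"claims", "triage"}, False),
    ("injury_old.pdf", "injury_report", "legacy_server", {"claims", "everyone"}, False),
    ("injury_0005.pdf", "injury_report", "claims_share", {"claims"}, True),
    ("invoice_01.xlsx", "invoice", "finance_share", {"accounting"}, False),
    ("invoice_02.xlsx", "invoice", "finance_share", {"accounting"}, False),
    ("invoice_03.xlsx", "invoice", "finance_share", {"accounting", "it"}, False),
]

def build_baselines(files, group_share=0.5):
    """Per cluster: usual location, usual sharing flag, groups on >= group_share of files."""
    by_cluster = defaultdict(list)
    for rec in files:
        by_cluster[rec[1]].append(rec)
    baselines = {}
    for cluster, recs in by_cluster.items():
        group_counts = Counter(g for r in recs for g in r[3])
        baselines[cluster] = {
            "location": Counter(r[2] for r in recs).most_common(1)[0][0],
            "external": Counter(r[4] for r in recs).most_common(1)[0][0],
            "groups": {g for g, n in group_counts.items() if n / len(recs) >= group_share},
        }
    return baselines

def at_risk(files, baselines):
    """Return {path: [reasons]} for files whose settings differ from the cluster baseline."""
    findings = {}
    for path, cluster, location, groups, external in files:
        base, reasons = baselines[cluster], []
        if location != base["location"]:
            reasons.append(f"unusual location: {location}")
        if external and not base["external"]:
            reasons.append("shared externally")
        extra = groups - base["groups"]  # access beyond what the cluster normally grants
        if extra:
            reasons.append("extra groups: " + ", ".join(sorted(extra)))
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in at_risk(FILES, build_baselines(FILES)).items():
        print(path, "->", "; ".join(reasons))
```

Only access that exceeds the baseline is flagged; a file with fewer groups than its cluster norm is tighter than the baseline and is left alone.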
Automating risk assessment is a big win. It means we don't need a human to develop data governance policies that would, for example, explicitly define which teams can access a specific type of form or whether it's appropriate to share injury reports outside Company Nurse. AI does that work accurately, autonomously, and for a fraction of the cost.
The solution spotted areas for improvement right away, such as a number of old reports on an out-of-the-way server. These weren't data breaches, but by deleting the reports and tightening access permissions, we substantially lowered our risk exposure. Alternatives that rely on human-developed search rules and policies would have taken months to implement and placed substantial long-term maintenance burdens on my team.
With our secure, cloud-based API solution, Company Nurse has strengthened its data security. We've dramatically simplified claims and injury report submissions and reduced the need for fax and email. Customer confidence has skyrocketed, and our sales team has been an unexpected beneficiary of our new capabilities. They now routinely use security as a competitive differentiator, and it shows in our business results.
Of course, security is a journey, not a destination, and we're always looking for ways to improve. I'm convinced AI will play an outsized role as we look for ways to improve access control, prevent data breaches, and ensure business continuity.
Henry Svendblad is the chief technology officer of Company Nurse. Henry draws upon over 25 years of experience leading technology teams across multiple verticals including healthcare, retail, marketing, and education. He has held positions as a CTO, VP of technology, and group director of technology solutions. Henry’s focus always has been helping organizations align business strategy with technology investments to ensure growth, productivity, security, and competitiveness. He can be reached via email, @hsvendblad on Twitter, and LinkedIn.