A few years back, I was playing in a recreational basketball league (risky after age 20!) when a personal disaster struck… I’m not very tall – roughly elbow height, some may say – and sure enough, a taller player grabbed a rebound, swung his elbows and caught my nose. My eyes began to water, but luckily there was no blood, so I didn’t think too much of it. However, when I got home and my wife screamed as I walked in the door, I realized there might be a problem. A quick trip to the mirror confirmed my nose was crooked like the number 7, so we immediately went to the ER, where they confirmed I had broken my nose – ouch!
A few weeks later, having mostly recovered, I received a letter in the mail from a company I hadn’t heard of with questions about the ER visit and injury. Did I know the person who hit me? Was it intentional? Was there a police report? I threw it out, and a few days later I received a phone call from someone asking the same questions from the letter. Being the security/privacy practitioner that I am, I was wary of sharing any information, so I asked some questions and this is what I learned:
This 3rd party was acting on behalf of my health insurer and was given my case because my health insurer wanted to determine if someone else was at fault for my injury and bills. The at-fault insurer, known as the Third-Party Carrier, would have to pay the bill if the injury was the result of an intentional action where a report may have been filed holding the person who elbowed me responsible. This practice – where my insurer was trying to protect me and their business from paying for something that potentially wasn’t my fault – is called Subrogation. In my case, no one was at fault so we had to pay, but lesson learned – no more basketball for me unless everyone is my height!
From a risk perspective, subrogation can be tricky for any insurance organization. Sensitive data, including PHI, is sent outside the controlled environment of the source organization to 3rd parties who are certified to hold it, but it is still sensitive data leaving the organization’s control. As a security, risk, or privacy leader in an insurance company, how can you know what data is being sent? Can you verify that ONLY relevant, business-needed data is being shared?
These are tough questions that require a strong data foundation and good data hygiene to answer. In a perfect world, there would be a single data inventory that is updated automatically so it always stays current. That gives the CISO’s organization full visibility into which specific data elements are leaving the environment, lets it set clear rules on how that data may be used, and triggers a notification once the data officially changes hands. Similarly, rules and validations would stipulate that the data must be destroyed after X days and that a receipt is sent back to the source organization.
In reality, this level of sensitive data intel can be challenging to achieve, as it requires the ability to discover, classify, and catalog all data in structured and unstructured formats. It also requires updating the catalog automatically as new data enters or leaves the environment, which is difficult with today’s static tools. Finally, data intel is not just about what is in the repository, but also about visibility: knowing how data flows across the network and where the exit points of the environment are is essential for validating which data elements are potentially leaving the organization or coming in.
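To make the two questions above concrete (what is being sent, and is it only what the business needs), here is an added example that is not 1touch.io code and not part of the original post. It applies a hypothetical subrogation sharing policy (the field names and the 90-day retention window are assumptions) to a constructed claims record: fields the policy does not list are withheld, simple pattern classifiers flag direct identifiers such as SSNs hiding in free text, and a hand-off receipt records a hash of what actually left plus the destroy-by date the recipient is held to.

```python
import hashlib
import json
import re
from datetime import date, timedelta

# Hypothetical sharing policy for the subrogation use case. The allowed fields and the
# 90-day retention window are assumptions for this example, not a real insurer's rules.
SUBROGATION_POLICY = {
    "purpose": "subrogation",
    "allowed_fields": {
        "claim_id",
        "date_of_service",
        "injury_type",
        "billed_amount",
        "police_report_filed",
    },
    "retention_days": 90,
}

# Pattern-based classifiers for direct identifiers. Illustrative only: a production
# discovery tool would use far richer detectors (dictionaries, checksums, ML models).
CLASSIFIERS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "MRN": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
}


def classify_value(value):
    """Return the set of identifier labels whose pattern matches inside the value."""
    text = str(value)
    return {label for label, pattern in CLASSIFIERS.items() if pattern.search(text)}


def validate_outbound(record, policy):
    """Apply the minimum-necessary rule to one outbound record.

    Returns (cleaned_record, findings). A field is kept only if the policy lists it
    AND no identifier pattern is found in its value; every other field is dropped
    and reported, so the source organization keeps a log of what was withheld.
    """
    cleaned = {}
    findings = []
    for field, value in record.items():
        labels = classify_value(value)
        if field not in policy["allowed_fields"]:
            findings.append({"field": field, "reason": "not_required", "labels": sorted(labels)})
            continue
        if labels:
            # An allowed field can still leak: free text with an SSN pasted into it.
            findings.append({"field": field, "reason": "identifier_in_value", "labels": sorted(labels)})
            continue
        cleaned[field] = value
    return cleaned, findings


def transfer_receipt(cleaned, policy, sent_on):
    """Build the hand-off record the source keeps: what left, for what purpose, destroy-by date."""
    canonical = json.dumps(cleaned, sort_keys=True, default=str).encode()
    return {
        "purpose": policy["purpose"],
        "fields_shared": sorted(cleaned),
        "sha256": hashlib.sha256(canonical).hexdigest(),
        "sent_on": sent_on.isoformat(),
        "destroy_by": (sent_on + timedelta(days=policy["retention_days"])).isoformat(),
    }


# Constructed sample record: what a claims system might push to a subrogation vendor
# if nobody checked it first. All values are made up.
SAMPLE_RECORD = {
    "claim_id": "CLM-000123",
    "date_of_service": "2019-11-02",
    "injury_type": "nasal fracture, ER visit",
    "billed_amount": 1850.00,
    "police_report_filed": False,
    "patient_name": "Jane Doe",
    "ssn": "123-45-6789",
    "diagnosis_notes": "Deviated septum; member SSN 123-45-6789 on file",
}


def run_sample():
    """Validate the sample record and produce its receipt (sent date is assumed)."""
    cleaned, findings = validate_outbound(SAMPLE_RECORD, SUBROGATION_POLICY)
    receipt = transfer_receipt(cleaned, SUBROGATION_POLICY, date(2019, 11, 20))
    return cleaned, findings, receipt


if __name__ == "__main__":
    shared, withheld, receipt = run_sample()
    print(json.dumps({"shared": shared, "withheld": withheld, "receipt": receipt}, indent=2))
```

The withheld list is the interesting output: `patient_name`, `ssn` and `diagnosis_notes` are all dropped because the policy never asked for them, and the classifier additionally labels the last two as carrying an SSN, which is exactly the evidence a privacy lead needs when asked what would have gone out the door without the check. The receipt's hash lets the source later prove which exact payload the vendor received and when it was due to be destroyed.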
1touch.io is here to be your partner in tackling Subrogation 3rd-party data sharing challenges, especially when it comes to your need to know what data is involved. As the ONLY best-of-breed, dedicated discovery and classification solution in the market, 1touch.io’s Inventa can provide the required level of sensitive data intel for any data in any repository while it’s at rest or in motion across the network.
Contact us to learn more about how we can help with Subrogation or other challenges.