A workers' compensation claim has many complexities behind it, and underneath all of that complexity is a series of data points. Risk management companies hold all of this data as they connect to and communicate with healthcare providers, insurance companies, employers, and regulatory authorities.
Risk management firms have been moving toward a more data-driven approach to workplace safety. They are starting to use centralized digital platforms that allow them to track injuries, claims, and compliance efficiently and accurately, but these platforms also aggregate this information, which could have consequences for the worker outside of the workplace if the data is exposed.
The Cove Risk Services data breach demonstrates that although a risk management provider may not be as well known as an insurance company, it can hold some of the most sensitive data. That data includes names, medical history, Social Security numbers, and driver's license details, stored in databases designed primarily for operational management rather than for protection against cyber intrusions.
Risk management organizations must manage multiple stakeholders with competing expectations. Employers want to limit costs, insurers want accuracy, regulators want compliance, and injured workers want timely access to care. To meet these competing demands, access to information must be instantaneous for people across many geographies, on various teams, and at multiple suppliers (vendors).
Unlike medical facilities, risk management organizations (RMOs) do not fit neatly into established healthcare regulations and guidelines such as HIPAA, even though they often manage medical information. Consequently, gaps exist in both regulatory oversight and funding for technology investments.
Another vulnerability that presents challenges is the scale of the data. RMOs often represent thousands of small business entities, each of which contributes a small amount of data about its employees. When all of these small amounts of data are aggregated into a single account, they can be used to build a very detailed view of an individual employee's work history and health status. That information is very dangerous in the hands of bad actors.
Cybersecurity for RMOs is typically reactive rather than proactive. Cybersecurity technology and solutions are generally bought and deployed after a cyber incident, rather than planned ahead of time as an anticipated need. However, as claim processing has come to rely more on automation and data analytics, the threats to the underlying data have also increased.
Protecting workplace information should not be just about compliance, but about understanding that modern RMOs function as custodians of an individual's identity. Continued digital transformation will require that security change from a back-office function to a central operational priority.
