Intentional loss is the deliberate act of disclosing information for reasons that often align with personal gain or other malicious intent. This is an especially dangerous form of data loss to healthcare organizations, where the discovery of lax policies resulting in patient data loss can result in a HIPAA violation.
What is intentional data loss?
Intentional data loss is the deliberate destruction, alteration, or unauthorized data exposure for malicious intent or personal gain. It occurs through data theft or sabotage, where individuals or groups purposely manipulate information.
A Journal of Cybersecurity and Privacy study provides the reasons behind intentional data loss, “Some of the reasons for this type of threat are negligence in sharing data, a lack of data monitoring, a lack of access limitations to sensitive data, and a lack of awareness.” It differs from accidental data losses which result from human error or system failure, intentional data loss is planned and executed with clear objectives.
How does intentional data loss occur in email?
Intentional data loss in email commonly occurs when an individual deliberately alters, deletes, or shares protected health information (PHI) in unauthorized ways. Examples of how it occurs include sending emails to the wrong recipient, failing to securely store or encrypt messages purposely, or leaking data within email chains. This form of data loss often comes from an internal threat that causes the bypass of established internal security protocols.
Best practices to avoid intentional data loss through email
- HIPAA compliant email systems are designed to secure PHI throughout transmission and storage while platforms like Paubox also allow for the easy tracking of email account access. Using platforms offering this feature allows organizations to identify suspicious activity from staff.
- Data loss prevention is created with monitoring and prevention in mind allowing organizations to easily block, flag, and quarantine emails that contain specific types of information or raise concerns.
- Internally organizations can limit access to PHI by implementing the concept of least privilege. Not every employee needs access to PHI or other sensitive information.
- Setting up email retention policies reduces the chances of PHI lingering in inboxes where it can be accessed or leaked. Keeping strict schedules according to HIPAA regulations helps maintain necessary compliance.
FAQs
Is consent necessary to email patients?
Patient consent is generally necessary to email patients.
What is the Security Rule?
The Security Rule is a HIPAA regulation that sets standards to protect electronic PHI (ePHI).
What are the common causes of human error?
Common causes include:
- Lack of training
- Distraction
- Fatigue
- Misunderstanding instructions
Kirsten Peremore
