The vast majority of phishing attacks against the healthcare sector go unreported to security teams, leaving organizations unable to fully learn from their mistakes.
In a survey of 150 US-based healthcare IT leaders for secure email firm Paubox, six-in-ten said they had experienced at least one email security breach last year, and three-quarters that they expected even more security challenges this year.
The top risks were phishing, man-in-the-middle attacks, and password guessing, often through personal information revealed on social media.
However, IT leaders said 95% of phishing attacks went unreported to security teams, along with 96% of known email violations of the 1996 Health Insurance Portability and Accountability Act (HIPAA), aimed at protecting sensitive health information from disclosure without patient's consent.
As a result, these incidents weren't investigated, meaning that systems weren’t patched, staff weren’t alerted, and patients weren’t warned that their data may be at risk.
"We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach," said Matt Murren, CEO of healthcare IT support firm True North ITG.
"The phishing attack compromised user credentials and eventually deployed ransomware across the network. It shut systems down for two weeks. Appointments were delayed. Test results were inaccessible. Urgent care cases were diverted elsewhere. Patients lost trust. This isn’t just an IT failure — it’s a patient safety crisis."
The problem doesn't seem to be a lack of awareness amongst staff. Nine-in-ten said they carried out staff training.
Ryan Winchester, CareM director of information technology, said "no amount of training can completely eliminate human error, so businesses must have safeguards in place."
The report found that healthcare organizations currently allocate only 11–20% of their IT budgets to email security, despite email being their top risk area. One persistent problem is poor infrastructure, with 83% of healthcare IT leaders saying that legacy systems disrupt day-to-day operations.
"I’ve seen first-hand how legacy email platforms can quietly — but critically — undermine operational stability and efficiency across healthcare organizations" said Murren.
In larger healthcare networks, the most common challenges include high maintenance costs that drain IT resources, persistent security vulnerabilities, outdated and complex user interfaces, system performance bottlenecks, and limited support for mobile and remote working.
The result is reactive firefighting, with about 37% of healthcare IT leaders spending between 11 and 20 hours per week just resolving secure email tickets.
"Healthcare doesn’t need more patchwork fixes — it needs a mindset shift. Patients expect secure, convenient communication, and it’s on us to meet that standard," said CEO of Paubox Hoala Greevy.
MORE FROM ITPRO
- Are phishing tests a waste of time?
- 10 quick tips for identifying phishing emails
- Phishing tactics: The top attack trends
-
How the UK is leading Europe at AI-driven manufacturingIn-depth A new report puts the country on top of the charts in adopting machine learning on the factory floor in several critical measures
-
US data center power demand forecast to hit 106GW by 2035, report warnsNews BloombergNEF research reveals a sharp 36% jump in energy forecasts as "hyperscale" projects reshape the American grid
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career changeNews A new Google Careers phishing scam is targeting tech workers looking for a change of scenery – here's how to stay safe
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
