Healthcare organizations are turning a blind eye to phishing attacks
A survey reveals that most attacks go unreported, putting patient data at risk


The vast majority of phishing attacks against the healthcare sector go unreported to security teams, leaving organizations unable to fully learn from their mistakes.
In a survey of 150 US-based healthcare IT leaders for secure email firm Paubox, six-in-ten said they had experienced at least one email security breach last year, and three-quarters said they expected even more security challenges this year.
The top risks were phishing, man-in-the-middle attacks, and password guessing, often through personal information revealed on social media.
However, IT leaders said 95% of phishing attacks went unreported to security teams, along with 96% of known email violations of the 1996 Health Insurance Portability and Accountability Act (HIPAA), which aims to protect sensitive health information from disclosure without a patient's consent.
As a result, these incidents weren't investigated, meaning that systems weren’t patched, staff weren’t alerted, and patients weren’t warned that their data may be at risk.
"We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach," said Matt Murren, CEO of healthcare IT support firm True North ITG.
"The phishing attack compromised user credentials and eventually deployed ransomware across the network. It shut systems down for two weeks. Appointments were delayed. Test results were inaccessible. Urgent care cases were diverted elsewhere. Patients lost trust. This isn’t just an IT failure — it’s a patient safety crisis."
The problem doesn't seem to be a lack of awareness amongst staff. Nine-in-ten said they carried out staff training.
Ryan Winchester, CareM director of information technology, said "no amount of training can completely eliminate human error, so businesses must have safeguards in place."
The report found that healthcare organizations currently allocate only 11–20% of their IT budgets to email security, despite email being their top risk area. One persistent problem is poor infrastructure, with 83% of healthcare IT leaders saying that legacy systems disrupt day-to-day operations.
"I’ve seen first-hand how legacy email platforms can quietly — but critically — undermine operational stability and efficiency across healthcare organizations," said Murren.
In larger healthcare networks, the most common challenges include high maintenance costs that drain IT resources, persistent security vulnerabilities, outdated and complex user interfaces, system performance bottlenecks, and limited support for mobile and remote working.
The result is reactive firefighting, with about 37% of healthcare IT leaders spending between 11 and 20 hours per week just resolving secure email tickets.
"Healthcare doesn’t need more patchwork fixes — it needs a mindset shift. Patients expect secure, convenient communication, and it’s on us to meet that standard," said CEO of Paubox Hoala Greevy.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.