Healthcare organizations need to shake up email security practices
Healthcare firms are failing to implement fundamental email security protocols, leaving them open to breaches
Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
According to Paubox’s 2025 Healthcare Email Security Report, email is the main attack vector in the sector, with Microsoft 365 accounting for 43% of all breaches.
Proofpoint was next, at 13%, followed by Barracuda Networks and Mimecast at 7%, and Google Workspace at 3%.
The report found that many healthcare organizations are failing to implement fundamental email security protocols, with virtually all breached organizations lacking Mail Transfer Agent Strict Transport Security (MTA-STS) protections and exposing email communications to interception.
More than a third of Microsoft 365 users had Domain-based Message Authentication, Reporting, and Conformance (DMARC) in monitor-only mode, meaning a concerning volume of phishing attempts went undetected.
Notably, researchers found three-in-ten lacked any DMARC records at all. Meanwhile, 12% lacked Sender Policy Framework (SPF) records and four-in-ten had weak configurations, making it easier for attackers to spoof emails.
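The three controls the report measures (SPF, DMARC and MTA-STS) are all published as DNS records or small policy files, so the gaps it describes can be checked mechanically. The following is an added example written for this article, not code from Paubox or ITPro: it classifies an SPF record by its final "all" qualifier, a DMARC record by its policy tag (p=none being the "monitor-only" mode the report flags), and MTA-STS by the presence of its TXT record and an enforce-mode policy. The domain names and records are constructed sample values, the script works offline on those strings rather than querying DNS, and the mapping from the number of gaps to the report's low/high risk bands is an assumption, since the report's own scoring is not given here.

```python
"""Offline assessment of SPF, DMARC and MTA-STS configuration strings.

Added example (not from the Paubox report). Records are constructed
samples; a live check would fetch them via DNS and HTTPS instead.
"""
import re


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' TXT record (DMARC, MTA-STS) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(record):
    """-all -> 'strong'; ~all -> 'soft'; ?all, +all or no 'all' -> 'weak'."""
    if record is None or not record.lower().startswith("v=spf1"):
        return "missing"
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # '+' is the default qualifier
            return {"-": "strong", "~": "soft"}.get(qualifier, "weak")
    return "weak"  # no 'all' term: unlisted senders are treated as neutral


def assess_dmarc(record):
    """p=none -> 'monitor-only'; p=quarantine/reject at pct=100 -> 'enforcing'."""
    if record is None:
        return "missing"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # reports arrive, spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        pct = int(tags.get("pct", "100"))  # below 100 only samples failing mail
        return "enforcing" if pct == 100 else "partial"
    return "invalid"


def assess_mta_sts(txt_record, policy_text):
    """Both the _mta-sts TXT record and an enforce-mode policy are required."""
    if txt_record is None or parse_tags(txt_record).get("v", "").upper() != "STSV1":
        return "missing"
    if policy_text is None:
        return "missing"
    fields = {}
    for line in policy_text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip().lower()] = v.strip()
    if fields.get("version") != "STSv1":
        return "invalid"
    mode = fields.get("mode", "none").lower()
    return {"enforce": "enforcing", "testing": "testing"}.get(mode, "none")


def posture(spf, dmarc, mta_sts):
    """Assumed banding: 0 gaps -> low, 1 -> medium, 2 or more -> high."""
    gaps = 0
    gaps += spf in ("missing", "weak")
    gaps += dmarc in ("missing", "monitor-only", "invalid", "partial")
    gaps += mta_sts in ("missing", "none", "invalid", "testing")
    return ("low", "medium", "high", "high")[gaps]


# Constructed sample records for two hypothetical domains.
SAMPLE_DOMAINS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "mta_sts_txt": None,
        "mta_sts_policy": None,
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
        "mta_sts_txt": "v=STSv1; id=20250101T000000",
        "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.strong.example\nmax_age: 604800",
    },
}


def assess_domain(d):
    """Run all three checks on one domain's records and attach a posture band."""
    result = {
        "spf": assess_spf(d["spf"]),
        "dmarc": assess_dmarc(d["dmarc"]),
        "mta_sts": assess_mta_sts(d["mta_sts_txt"], d["mta_sts_policy"]),
    }
    result["posture"] = posture(result["spf"], result["dmarc"], result["mta_sts"])
    return result


if __name__ == "__main__":
    for name, records in SAMPLE_DOMAINS.items():
        print(name, assess_domain(records))
```

Run as a script it prints one line per sample domain; the weak domain scores "high" because its SPF ends in ?all, its DMARC is p=none and it has no MTA-STS at all, which is exactly the combination of gaps the report describes. To use it on a real domain, replace the sample strings with the TXT records for the domain, _dmarc.domain and _mta-sts.domain and the policy fetched from https://mta-sts.domain/.well-known/mta-sts.txt.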
“HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA rules, and not wait for OCR to reveal long-standing HIPAA deficiencies," warned HHS Office for Civil Rights (OCR) director Melanie Fontes Rainer.
According to the report, there's been a 264% increase in ransomware attacks on healthcare organizations since 2018, with email acting as the main attack method.
Shockingly, though, only 1% of the analyzed healthcare organizations had a low-risk email security posture. Three-in-ten were categorized as high risk, meaning they had multiple security gaps that exposed them to major cybersecurity threats.
According to IBM, the average cost of a healthcare email breach is $9.8 million - and that's before you take into account HIPAA fines, which amounted to more than $9 million last year.
These include a $9.76 million settlement by Solara Medical Supplies, after a phishing attack gave hackers access to eight employee email accounts. More than 114,000 patient records were compromised.
LA Cares was also hit with a $1.3 million fine over systemic security lapses that led to a breach.
"The increasing frequency and sophistication of cyber attacks in the health care sector pose a direct and significant threat to patient safety," said HHS deputy secretary Andrea Palm.
"These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures."
Email attacks show no sign of slowing down
Looking ahead, Paubox said it expects to see more attacks on cloud-based email systems, with attackers developing more sophisticated techniques to exploit misconfigurations and bypass existing security measures.
The use of AI in phishing attacks will also rise, it said.
As a result, organizations will have to work harder, and more healthcare firms will need to move from optional security measures to mandatory enforcement of DMARC and SPF.
"The data shows that even the most established email security tools are just a starting point in protecting patient data," said Paubox chief compliance officer Rick Kuwahara.
"To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
