
5 steps to protect your organization's email system

According to the Paubox 2026 Healthcare Email Security Report, 170 email-related breaches were reported to the HHS Office for Civil Rights in 2025. While the total number of incidents declined compared to the previous year, the organizations still experiencing breaches had weaker security postures than before: 41% fell into a high-risk category based on their email configuration, up from 31% in 2024. The same report found that the presence of multiple security tools did not consistently correlate with reduced breach risk. Breaches remain common, but organizations can reduce their exposure by taking concrete steps, such as using a HIPAA compliant platform, setting up email authentication, training staff, and more.


Step 1: Switch to a HIPAA compliant email platform

Standard consumer or business email services are often not designed to meet the security and compliance requirements set out by HIPAA. Under §164.306(a), covered entities and business associates must "ensure the confidentiality, integrity, and availability of all electronic protected health information" they create, receive, maintain, or transmit, and must "protect against any reasonably anticipated threats or hazards" to that information.

On the technical side, §164.312(e)(1) requires organizations to "implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network," which includes email. The associated implementation specification at §164.312(e)(2)(ii) calls for encryption of ePHI whenever deemed appropriate, and §164.312(a)(2)(iv) addresses encryption and decryption as part of access control.

Besides encryption, any vendor handling ePHI on behalf of a covered entity must be covered by a business associate agreement (BAA). Under §164.308(b)(1), a covered entity may permit a business associate to create, receive, maintain, or transmit ePHI "only if the covered entity obtains satisfactory assurances… that the business associate will appropriately safeguard the information," and §164.308(b)(3) requires this to be documented through a written contract or arrangement. An email provider without a BAA in place is a compliance liability.

Organizations should take the following steps:

  • Audit the current email platform to confirm whether a BAA is in place with the provider.
  • Confirm whether the platform encrypts emails containing PHI both in transit and at rest, in line with §164.312(e)(1) and §164.312(e)(2)(ii).
  • Evaluate HIPAA compliant alternatives such as Paubox.
  • Ensure any platform transition includes staff training on the new system.


Step 2: Set up email authentication protocols

Three technical standards, SPF, DKIM, and DMARC, let receiving mail servers verify that a message claiming to come from the organization's domain was actually authorized by it. Without them, criminals can send fraudulent emails that appear to come from a legitimate healthcare address.

In their large-scale analysis of email spoofing attacks, researchers tested 30 popular email services and found that all of them were vulnerable to some form of spoofing, including platforms such as Gmail and Outlook. The researchers describe email authenticity as depending on "the weakest link in the authentication chain," meaning that a failure in any single protocol can disarm the protections provided by the others. Furthermore, their findings showed that attackers can combine multiple techniques in what the authors call a "cocktail" joint attack, bypassing SPF, DKIM, and DMARC simultaneously.

The consequences of misconfiguration in real healthcare settings are equally stark. According to the 2025 Healthcare Email Security Report by Paubox, SPF was missing entirely from 12.2% of healthcare organizations surveyed, and of those that did have it in place, 40% used a weaker configuration that still allows spoofing attempts to succeed. DMARC was absent in 30.6% of cases, and more than a third had it set to a passive monitoring mode. Among organizations that experienced breaches, 37.2% had DMARC set to monitor-only, meaning spoofed emails were still being delivered to inboxes. As the report warns, a false sense of security persists among organizations that have invested in premium platforms but have not ensured those tools are correctly set up. Having these protocols in place is not enough; they must be properly configured and actively maintained.
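The configuration gaps the report describes (no SPF, an SPF record that never fails unlisted senders, no DMARC, or DMARC left at p=none) can all be read straight from a domain's DNS TXT records. The script below is an added example for this step, not Paubox's tooling and not the report's own risk model; the domains and DNS answers in it are constructed so it runs offline, and the high/medium/low rating is this example's own assumed scale. DKIM is left out because checking it requires knowing the selector a domain signs with.

```python
"""Classify a domain's email-authentication posture from its DNS TXT records.

Added example for Step 2; it is not Paubox's tooling or the report's own
risk model. The DNS answers below are constructed sample data so the script
runs offline; a real check would resolve the TXT records for <domain> and
_dmarc.<domain> and feed them to the same functions.
"""
from dataclasses import dataclass, field

# Constructed TXT answers keyed by record name (hypothetical domains).
SAMPLE_DNS = {
    "clinic-a.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.clinic-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.example"],
    "clinic-b.example": ["v=spf1 ip4:203.0.113.10 ?all"],    # neutral: spoofed mail is not rejected
    "_dmarc.clinic-b.example": ["v=DMARC1; p=none; rua=mailto:reports@clinic-b.example"],
    "clinic-c.example": [],                                    # no SPF record at all
    "_dmarc.clinic-c.example": [],                             # no DMARC record at all
}

def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT query; returns the list of record strings."""
    return dns.get(name, [])

def spf_policy(records):
    """Return what SPF says about senders not listed in the record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"            # more than one SPF record is a permanent error
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return "no-all"             # record never says what to do with unlisted senders
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]

def dmarc_policy(records):
    """Return the DMARC p= tag, or 'missing' if there is no usable record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "missing")   # p= is mandatory; treat its absence as no policy

@dataclass
class Assessment:
    domain: str
    spf: str
    dmarc: str
    issues: list = field(default_factory=list)

    @property
    def risk(self):
        """Assumed rating scale for this example, not the report's categories."""
        if any(i.startswith("missing") for i in self.issues):
            return "high"
        return "medium" if self.issues else "low"

def assess(domain, dns=SAMPLE_DNS):
    a = Assessment(domain,
                   spf_policy(lookup_txt(domain, dns)),
                   dmarc_policy(lookup_txt(f"_dmarc.{domain}", dns)))
    if a.spf in ("missing", "invalid"):
        a.issues.append(f"missing or invalid SPF ({a.spf})")
    elif a.spf in ("pass", "neutral", "no-all"):
        a.issues.append(f"weak SPF: unlisted senders are not failed ({a.spf})")
    if a.dmarc == "missing":
        a.issues.append("missing DMARC record")
    elif a.dmarc == "none":
        a.issues.append("DMARC in monitor-only mode (p=none): spoofed mail is still delivered")
    return a

if __name__ == "__main__":
    for d in ("clinic-a.example", "clinic-b.example", "clinic-c.example"):
        a = assess(d)
        print(f"{d}: SPF={a.spf} DMARC={a.dmarc} risk={a.risk}")
        for issue in a.issues:
            print("  -", issue)
```

Run against real domains, `lookup_txt` would be replaced by an actual resolver query; the parsing and classification stay the same. A domain passes only when SPF ends in `-all` (or `~all`, which still counts as a non-pass under DMARC) and DMARC carries an enforcing policy; `p=none` is the "monitor-only" state the report ties to breached organizations.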


Step 3: Train all staff to spot phishing emails

A qualitative study by Khan and Muntaha, which examined the experiences of employees across multiple sectors who had undergone cybersecurity awareness programs, found that participants developed a heightened ability to recognize phishing attempts after completing structured training. Simulated phishing exercises were identified as being effective because they exposed staff to realistic scenarios in a controlled setting, and participants became more adept at spotting subtle warning signs.

The same study also documented meaningful behavioral change. Participants reported adopting more deliberate habits when handling email, scrutinizing sender addresses, verifying requests through alternative channels, and proactively reporting suspicious activity to IT teams.

However, Khan and Muntaha's findings also showed that the effects of training diminish over time. Participants noted that their vigilance decreased several months after completing a course. The authors recommend continuous reinforcement through periodic refresher sessions, updated content, and ongoing phishing simulations. A further challenge identified was the "one-size-fits-all" nature of many training modules, with the generic quality of content being the single most commonly reported complaint among participants. Scenario-based content tailored to the specific roles and risk profiles of different staff groups outperformed generic approaches in both engagement and retention.


Step 4: Control who has access

Under §164.312(a)(1), covered entities are required to implement technical policies and procedures that allow access to electronic protected health information "only to those persons or software programs that have been granted access rights." This means that access that is no longer justified must be revoked. Reinforcing this, §164.312(a)(2)(i) requires organizations to assign a unique identifier to each user for the purposes of tracking user identity, which makes it easier to detect accounts that have become inactive or compromised.

In A New Robust Lightweight Scheme for Mutual Users Authentication in Healthcare Applications, the authors identify the privileged insider as a distinct and serious attack category, noting that a legitimate user can exploit their network access to carry out attacks that external threats cannot. Their proposed authentication model includes a dedicated revocation protocol designed to immediately terminate access when a user finishes a contracted role, resigns, or moves to a different institution. The authors explicitly flag that such revocation must be prompt and that any delay leaves the system exposed to access that is technically valid but no longer authorized.
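The gap the authors describe, a credential that still works after the person's authorization has ended, is a policy-enforcement problem as much as an authentication one. The following is an added example for this step, not the scheme from the cited paper: every account carries a unique identifier, the access check denies on contract expiry even before the revocation is processed, `revoke()` invalidates the credential immediately, and a sweep lists unrevoked accounts that have gone quiet so they can be reviewed. All users, roles and dates are constructed.

```python
"""Access check that denies technically valid credentials once authorization ends.

Added example for Step 4; it is not the authentication scheme from the cited
paper. It models two points from the text: every user has a unique identifier
so activity can be traced, and access must stop the moment a contract ends or
a revocation is recorded, even if the credential itself still works. All
users, roles and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed role-to-right mapping (least privilege: billing never sends PHI).
ROLE_RIGHTS = {
    "clinician": {"read_phi", "send_phi"},
    "billing": {"read_phi"},
    "contractor": {"read_phi"},
}

@dataclass
class UserAccount:
    user_id: str                    # unique per user (§164.312(a)(2)(i))
    role: str
    contract_end: Optional[date]    # None means open-ended employment
    revoked_on: Optional[date] = None
    last_login: Optional[date] = None
    credential_valid: bool = True   # stays True after leaving until revoke() runs

def authorize(acct, right, today):
    """Return (allowed, reason). Every deny path is checked before the grant."""
    if not acct.credential_valid:
        return False, "credential invalid"
    if acct.revoked_on is not None and acct.revoked_on <= today:
        return False, "access revoked"
    # Contract expiry is enforced here as well, so a delay in running revoke()
    # does not leave a still-valid credential with live access.
    if acct.contract_end is not None and today > acct.contract_end:
        return False, "contract ended; revocation pending"
    if right not in ROLE_RIGHTS.get(acct.role, set()):
        return False, f"right '{right}' not granted to role '{acct.role}'"
    return True, "granted"

def revoke(acct, today):
    """Terminate access immediately: record the date and invalidate the credential."""
    acct.revoked_on = today
    acct.credential_valid = False

def stale_accounts(accounts, today, max_idle_days=90):
    """Unrevoked accounts with no login inside the window, for review and removal."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.user_id for a in accounts
                  if a.revoked_on is None
                  and (a.last_login is None or a.last_login < cutoff))

def demo():
    """Constructed scenario: one active clinician, one expired contractor,
    one billing user who has not logged in for months."""
    today = date(2025, 6, 1)
    users = [
        UserAccount("u1001", "clinician", None, last_login=date(2025, 5, 30)),
        UserAccount("u1002", "contractor", date(2025, 5, 31), last_login=date(2025, 5, 29)),
        UserAccount("u1003", "billing", None, last_login=date(2025, 1, 15)),
    ]
    before = {u.user_id: authorize(u, "read_phi", today) for u in users}
    revoke(users[1], today)                      # HR processes the departure
    after_revoke = authorize(users[1], "read_phi", today)
    billing_send = authorize(users[2], "send_phi", today)
    return {
        "before": before,
        "after_revoke": after_revoke,
        "billing_send": billing_send,
        "stale": stale_accounts(users, today),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: credential validity, explicit revocation and contract expiry are all evaluated before the role lookup, so a departed contractor is refused even when the directory entry has not yet been cleaned up. The idle-account sweep is what the unique identifier buys you: without per-user IDs there is nothing reliable to tie a last-login date to.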


Step 5: Use email filtering and keep software updated

Outdated software contains known vulnerabilities that cybercriminals actively exploit, and in healthcare settings, where devices may run legacy systems or go long periods without updates, this risk is greater.

The February 2024 ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest healthcare payment processors in the United States, demonstrates the necessity of updated software. Attackers from the BlackCat/ALPHV ransomware group gained entry through a legacy server that lacked basic protections, ultimately compromising the personal and health information of an estimated 192.7 million individuals and disrupting billing and payment operations across hospitals and pharmacies nationwide. UnitedHealth Group estimated the cost of the attack at $2.87 billion in 2024 alone, with further costs anticipated.

NIST Interagency Report 8011, Volume 4 notes that known vulnerabilities are the most cost-effective targets for attackers and that even well-funded, sophisticated threat actors frequently prefer exploiting them rather than expending their more valuable unknown attack methods. As the report puts it, when software is protected against known vulnerabilities, it raises the cost for attackers to succeed.


FAQs

Does encrypted email guarantee HIPAA compliance?

Encryption alone does not. Full compliance also requires a signed business associate agreement, access controls, audit logs, and staff training.


What should an organization do if it has already experienced an email breach?

Logs should be preserved, exposed PHI assessed, and HHS notified within 60 days if 500 or more individuals were affected.


How can an organization confirm its email provider is HIPAA compliant?

The provider should be willing to sign a business associate agreement and confirm that messages containing PHI are encrypted.
