
Balancing user experience and security in inbound email handling 

Research published in BMJ Journals found that during a single month at one NHS trust, over 858,000 emails were received, of which approximately 2% were identified as potential threats, a volume that translates to more than 100,000 suspicious emails annually at a single institution. In her 2021 analysis, Healthcare's Email Problem: Insider Threats, Data Retention, Phishing, Jessica Davis reported that nearly three-quarters of healthcare providers experienced an email-based cyberattack in 2019 alone. Davis further noted that of all breach investigations open with the Department of Health and Human Services, at least 40 percent have ties to email. While security has to be a priority for healthcare providers, given the number of attacks occurring regularly, it must be carefully balanced with the user experience to prevent burn-out and frustration.

 

The technology risk

According to the IOM report Health IT and Patient Safety: Building Safer Systems for Better Care, "Safety is an emergent property of a larger system", one that takes into account not just the technology itself, but the people using it, the processes surrounding it, and the organizational environment in which it operates. The report identifies poor user-interface design, inadequate attention to workflow, and complex data interactions as genuine threats to safety.

The IOM report also makes a pointed observation that applies directly to email security: harm from health IT frequently originates not from coding errors or technical failures, but from the gap between how a system is designed and how it is actually used in practice. When security tools are deployed without an adequate understanding of clinical and administrative workflows, they create the conditions for staff to develop workarounds (forwarding to personal accounts, sharing credentials, ignoring warnings) that undermine the security the tools were meant to provide.

Furthermore, the IOM report emphasises shared responsibility. Neither vendors nor healthcare organizations can treat security and safety as the other party's problem. The report calls for vendors to adopt user-centered design principles and human factors expertise in their development processes. It further argues that contractual arrangements which prevent users from sharing information about failures and risks are actively harmful to the broader safety system.

A 2024 national survey of family physicians published in JAMA Network Open found that only around one in four physicians were very satisfied with their EHR, while a comparable proportion reported dissatisfaction. The study found that physicians who were very satisfied with their EHR reported meaningfully lower rates of burnout, and critically, that efficiency strategies improved satisfaction only for those already working with highly usable systems. As the authors put it, addressing EHR burden "requires a targeted approach to address the EHR needs of the specific physician." The implication for email security is that bolting a security tool onto a poorly fitted system does not fix the underlying usability problem; the tool inherits the workflow friction already present.

 

What providers are getting wrong

According to Davis, a number of providers continue to rely on aging, on-premises mail servers. This infrastructure carries known vulnerabilities and limits the security controls that can be applied. Barracuda Networks CTO Fleming Shi, quoted in Davis's analysis, recommends that organizations still running legacy email platforms migrate to SaaS-based alternatives, which offer more API-driven security integrations. Alongside this, password policies remain a weak point. Shi and Barracuda Networks Senior Security Researcher Jonathan Tanner both argue that complexity rules alone are insufficient, and that multi-factor authentication should be enforced across email, network access, VPNs, and SaaS applications as a baseline control.

According to Fortified Health Security CEO Dan Dodson, "Email shouldn't be considered a data repository." Dodson advises that organizations begin by asking whether each employee actually needs a company email address, and whether remote access to that account is genuinely required by their role. Reducing the number of active, remotely accessible email accounts is one of the most straightforward ways to limit an organization's attack surface and, as Davis notes, one that doesn't require capital investment.

 

Getting the balance right

The IOM's Health IT and Patient Safety report recommends that health IT vendors build human factors expertise and user-centered design principles into their development processes from the beginning and that security tools be tested in actual or simulated clinical environments before deployment.

  • Context-aware filtering: Not all inbound emails carry the same risk profile. A message from an authenticated internal sender does not need the same scrutiny as an unauthenticated external one carrying links or a redirected Reply-To.
  • Transparent and actionable communication: When a message is quarantined or a link is blocked, staff deserve a clear, plain-language explanation of why.
  • Proportionate friction: Security interventions should be proportionate to the actual level of risk involved, ranging from a warning banner for low-confidence signals to quarantine for high-confidence ones.
  • User feedback loops: Build mechanisms for employees to report suspected phishing and flag false positives, which gives security teams real-world data to refine detection models.
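The first three principles above, as an added worked example that is not Paubox's code or any product's: a small Python scorer that reads signals a mail gateway already has (the Authentication-Results header, From, Reply-To and links in the body), adds points with a plain-language reason for each, and maps the total to deliver, tag with a warning banner, or quarantine. The internal domain, protected display names, weights and thresholds are illustrative assumptions, and the sample messages are constructed.

```python
"""Context-aware inbound mail scoring with proportionate actions (added example).

Each signal adds points and a reason; the total selects the least friction
that fits the risk. Domains, names and weights below are assumptions.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"example-trust.nhs.uk"}                      # assumption: our own domain
PROTECTED_NAMES = {"jane doe": "jane.doe@example-trust.nhs.uk"}  # assumption: executive names
URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    action: str                      # "deliver", "tag" (warning banner) or "quarantine"
    reasons: list[str] = field(default_factory=list)


def auth_results(msg) -> dict[str, str]:
    """Read spf/dkim/dmarc outcomes from the gateway's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header, re.IGNORECASE)
        out[mech] = m.group(1).lower() if m else "none"
    return out


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def score_message(raw: str) -> Verdict:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    score, reasons = 0, []

    auth = auth_results(msg)
    if auth["dmarc"] == "fail":
        score += 40
        reasons.append(f"DMARC failed for {from_dom}")
    elif auth["dmarc"] == "none" and "pass" not in (auth["spf"], auth["dkim"]):
        score += 20
        reasons.append(f"{from_dom} did not authenticate (no DMARC, SPF/DKIM not passing)")

    # Display-name spoofing: a protected name shown over an address that is not the real one.
    key = " ".join(name.split()).lower()
    if key in PROTECTED_NAMES and addr.lower() != PROTECTED_NAMES[key]:
        score += 50
        reasons.append(f"display name '{name}' matches an executive but the address is {addr}")

    # Lookalike of an internal domain (extra hyphen, swapped TLD); subdomains of ours are fine.
    if from_dom and not is_internal(from_dom):
        for internal in INTERNAL_DOMAINS:
            if internal.split(".")[0] in from_dom:
                score += 30
                reasons.append(f"{from_dom} resembles internal domain {internal}")

    # Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        score += 15
        reasons.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_dom}")

    # Links from an external sender add a little friction, not a block.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    external = sorted({h.lower() for h in URL_RE.findall(body) if not is_internal(h.lower())})
    if external and not is_internal(from_dom):
        score += 10
        reasons.append("external sender with links to " + ", ".join(external))

    action = "quarantine" if score >= 60 else "tag" if score >= 25 else "deliver"
    return Verdict(score, action, reasons)


def explain(v: Verdict) -> str:
    """Plain-language notice for the recipient or admin: what happened and why."""
    head = {"quarantine": "Held for review", "tag": "Delivered with a warning banner",
            "deliver": "Delivered"}[v.action]
    if not v.reasons:
        return f"{head}: no risk indicators found."
    return f"{head} (risk score {v.score}): " + "; ".join(v.reasons) + "."


# Constructed sample messages, not real traffic.
SPOOFED = """From: Jane Doe <jane.doe@example-trust-nhs.uk>
To: finance@example-trust.nhs.uk
Reply-To: jdoe.urgent@mail.example.net
Subject: Urgent wire transfer
Authentication-Results: mx.example-trust.nhs.uk; spf=pass; dkim=none; dmarc=none
Content-Type: text/plain; charset=utf-8

Please pay the attached invoice today via https://pay-now.example.net/inv
"""
UNAUTHENTICATED = """From: Accounts Payable <ap@supplier.example.org>
To: finance@example-trust.nhs.uk
Subject: Invoice 4471
Authentication-Results: mx.example-trust.nhs.uk; spf=fail; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

Please find the invoice attached.
"""
NEWSLETTER = """From: Updates <news@vendor.example.com>
To: staff@example-trust.nhs.uk
Subject: Monthly product update
Authentication-Results: mx.example-trust.nhs.uk; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Read this month's release notes at https://www.vendor.example.com/notes
"""

if __name__ == "__main__":
    for raw in (SPOOFED, UNAUTHENTICATED, NEWSLETTER):
        print(explain(score_message(raw)))
```

Run as a script it prints one notice per sample: the spoofed executive message is quarantined with four reasons, the unauthenticated supplier invoice is delivered with a warning banner, and the authenticated newsletter with a link is delivered with a low score. The weights are deliberately coarse; the point is that each signal carries its own human-readable reason and that the action escalates with the score rather than blocking everything external.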

 

The role of training and organizational culture

BMJ Journals research found that in a US study of approximately 5,000 healthcare employees, nearly two-thirds clicked on at least two suspicious emails and mandatory training alone did not meaningfully reduce this rate. Those who had previously fallen for a simulated phishing attempt remained more likely to click again, suggesting that broad compliance-based programs are insufficient on their own. However, repeated simulation campaigns across multiple healthcare institutions were associated with a measurably reduced likelihood of staff clicking on subsequent phishing emails, pointing to the value of ongoing, experience-based learning.

Davis reinforces this finding from an operational standpoint, citing Dodson's recommendation that providers conduct monthly internal phishing simulations at a minimum, paired with an enforcement component that supports rather than penalizes staff learning. Davis also echoes the broader point that reducing the attack surface and investing in continuous awareness training are among the most cost-effective measures available, approaches that, as Dodson notes, don't require significant capital outlay to implement effectively.

BMJ Journals research also notes that as technical defenses grow more sophisticated, the human element becomes the more consequential variable. Social engineering and behavioral manipulation become more important as encryption and perimeter controls improve.

 

Paubox Inbound Email Security

Paubox's inbound email security is built for healthcare organisations where compliance and workflow cannot conflict. Paubox detects suspicious messages based on how they behave, not just what they contain, analysing sender behaviour, message composition, tone, and metadata to identify anomalies before they reach the inbox. This means legitimate messages arrive cleanly and staff are not conditioned to ignore alerts through constant exposure.

Unlike traditional filters that operate as black boxes, Paubox's inbound email security provides transparency into its decision-making process, allowing security teams to review confidence scores and clear explanations for every threat detected.

On the quarantine experience specifically, administrators can choose how to manage quarantine with scheduled reports sent directly to admins and users to review and act on quarantined messages. Gray mail is routed directly to spam rather than quarantine, keeping the quarantine queue focused on genuinely suspicious content rather than newsletters and low-priority bulk mail that clutter conventional systems.

The platform also addresses the display name spoofing problem through its patented ExecProtect feature, which protects against ransomware, malware, phishing, and display name spoofing attacks, in addition to filtering out unwanted spam.

From a deployment and maintenance perspective, Paubox's inbound security is built to be "set it and forget it," with the AI continuously improving as it sees more data, requiring less time fine-tuning rules, reviewing quarantined emails, and chasing down false positives.

Paubox integrates with Microsoft 365, Google Workspace, and other email providers, and works with mobile email clients, meaning staff continue using familiar tools without requiring new portals, password exchanges, or workflow changes.

 

FAQs

How much does implementing inbound email security cost for a mid-sized healthcare organisation?

Costs vary depending on organisation size, existing infrastructure, and chosen solution, but cloud-based SaaS security platforms generally offer lower total cost of ownership than maintaining on-premises alternatives.

 

Are smaller private practices and clinics held to the same email security compliance standards as large hospital networks?

Yes, HIPAA email security obligations apply to all covered entities regardless of size.

 

What should a healthcare organisation do immediately after discovering a successful phishing attack?

Incident response should include isolating affected accounts (revoking active sessions and resetting credentials), preserving mail and authentication logs for forensic review before remediation alters them, notifying relevant stakeholders, and reporting to HHS under the HIPAA Breach Notification Rule if protected health information was compromised.

 

How do email security requirements differ for healthcare organisations operating across multiple countries?

Organisations operating internationally must navigate overlapping regulatory frameworks, such as HIPAA in the US and GDPR in Europe, which can impose conflicting requirements around data retention and breach notification timelines.
