
Blind spots in security methods

According to the 2024 HIMSS Healthcare Cybersecurity Survey, organizations are dedicating increasing resources to cybersecurity, with 55% anticipating budget increases in 2025. Yet despite these investments, breaches continue to escalate. The 2025 IBM Cost of a Data Breach Report found that healthcare remained the most expensive industry for breaches for the 12th consecutive year, with an average cost of $7.42 million, a decrease from $9.77 million in 2024 but still significantly higher than other sectors. Between 2014 and 2016, 90% of hospitals and clinics experienced at least one data breach, and 45% experienced at least five, according to research published in Frontiers in Digital Health.

The problem isn’t insufficient spending or a lack of controls. Organizations have deployed multifactor authentication, implemented encryption, layered firewalls, and monitored networks around the clock. The problem is that organizations deploy these controls without understanding what they actually protect against. This gap between perceived security and real security is a blind spot, and such blind spots exist in nearly every security method organizations rely on. As the IBM report notes, 97% of organizations that experienced an AI-related breach lacked proper AI access controls, suggesting that the controls existed but didn’t actually stop the attack they were supposed to stop. The real issue, according to Wasserman & Wasserman (2022), is that “many hospitals presently fail to address” serious vulnerabilities within their technologies, and “efforts are largely misdirected, with external — often governmental — efforts negligible.”

How security actually works

Modern security operates as a layered defense system. Each layer is designed to stop a specific threat. Authentication verifies identity. Encryption protects data in transit. Email filtering blocks known threats. Network segmentation limits access. Endpoint detection catches malware. Monitoring identifies suspicious activity.

The assumption is that if you deploy enough layers, you’re protected. In reality, each layer stops specific attacks while leaving others untouched. When organizations don’t understand what each control actually prevents, they create the illusion of security without the substance, and attackers exploit this gap. Simranjit Kaur, an assistant professor in Computer Science at Khalsa College (ASR) of Technology & Business Studies, recognizes this challenge in his published research on cybersecurity in healthcare: “IT security in healthcare constantly deals with evolving cyber threats that could endanger patient safety,” yet many organizations continue to view cybersecurity as a “purely technical issue that only their IT departments can tackle” rather than as a strategic priority integrated into enterprise risk management and business continuity structures.

Common blind spots in security methods 

Multifactor authentication stops unauthorized access

The assumption: If we deploy MFA, compromised passwords become irrelevant.

The reality: Not all MFA is equally secure. In September 2022, attackers affiliated with the Lapsus$ group breached Uber, exploiting this exact blind spot. They purchased an Uber contractor’s credentials on the dark web, then repeatedly sent push notifications requesting login approval. After dozens of identical requests triggered notification fatigue, the contractor accidentally approved one. A single tap granted the attacker access to Uber’s entire environment. 

According to CISA’s analysis of MFA vulnerability rankings, standard mobile push notifications without additional protections are “vulnerable to push bombing attacks as well as user error.” The control existed. The organization deployed it, but it didn’t actually stop the attack it was supposed to stop.

What to do: Understand the MFA hierarchy. Phishing-resistant alternatives like FIDO2/WebAuthn eliminate push notifications, making them resistant to push bombing, phishing, and SIM swap attacks.
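As an added example that is not part of the original article, the detector below scans constructed authentication log lines for the push-bombing pattern described above: a burst of push challenges to one user inside a short window, followed by an approval. The log format, field names and thresholds are assumptions; real identity-provider exports differ.

```python
"""Detect MFA push-bombing patterns in authentication logs.

Added example, not code from the original article. The log format is
constructed for illustration; adapt parse() to your identity provider's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one user receives a burst of push challenges and finally
# approves one (the failure mode described above); another user shows one
# normal prompt and approval.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T21:02:40Z user=contractor01 event=push_denied src=203.0.113.9
2022-09-15T21:03:05Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T21:03:30Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T21:04:02Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T21:04:40Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T21:05:10Z user=contractor01 event=push_approved src=203.0.113.9
2022-09-15T21:05:15Z user=alice event=push_sent src=198.51.100.4
2022-09-15T21:05:33Z user=alice event=push_approved src=198.51.100.4
"""

BURST_THRESHOLD = 4            # pushes inside WINDOW that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window per user

def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_push_bombing(log_text):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for every user
    whose push_sent count inside WINDOW reaches BURST_THRESHOLD."""
    recent = defaultdict(list)   # user -> timestamps of recent push_sent events
    findings = {}
    for line in log_text.splitlines():
        ev = parse(line)
        user, t = ev["user"], ev["ts"]
        if ev["event"] == "push_sent":
            recent[user] = [x for x in recent[user] if t - x <= WINDOW] + [t]
            if len(recent[user]) >= BURST_THRESHOLD:
                entry = findings.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                entry["pushes"] = len(recent[user])
        elif ev["event"] == "push_approved" and user in findings:
            # an approval after a burst is the outcome the control was meant to prevent
            findings[user]["approved_after_burst"] = True
    return findings
```

FIDO2/WebAuthn removes the push prompt entirely; this check is for environments still on push MFA, where it feeds the behavioral analytics layer discussed later.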

Encryption means data is safe

The assumption: If data is encrypted, attackers cannot access it.

The reality: Encryption protects data in transit and at rest, but attackers rarely decrypt data anymore. Instead, they exploit vulnerabilities that let them access files before encryption applies or while data is in use. In the 2023 MOVEit Transfer breach, attackers leveraged a zero-day SQL injection vulnerability (CVE‑2023‑34362) to gain initial access. Once inside, they deployed web shells and exfiltrated sensitive files directly from MOVEit servers. The encryption existed. The data remained protected in theory, but attackers never needed to break the encryption; they accessed it before it was secured.

What to do: Combine encryption with access controls and monitoring.

Advanced email filtering stops phishing 

The assumption: AI-powered email security catches sophisticated attacks.

The reality: 89% of healthcare data breaches originate from phishing, yet organizations deploy filters believing they’ve solved the problem. Wasserman & Wasserman (2022) found that “even in organizations considered to have strong cybersecurity, 30% of phishing attacks are successful,” often because staff do not recognize messages as suspicious. A documented attack targeting Google users created a legitimate Google OAuth application, then sent emails through Google's own infrastructure that passed SPF, DKIM, and DMARC checks, all while directing users to fake Google support pages.

What to do: Combine email filtering with authentication protocols and user training. Each layer stops different attacks; none stops all of them.
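To make the last point concrete, here is an added check, not from the article or from Paubox, that reads the SPF/DKIM/DMARC results a gateway records in the Authentication-Results header (RFC 8601) and then applies a second, independent layer: comparing the authenticated From domain with the hosts the body links to. The message, domains and header values are constructed.

```python
"""Authenticated is not the same as safe: read the SPF/DKIM/DMARC results
and then compare the authenticated sender domain with the link targets.
Added example, not from the original article; the message is constructed.
"""
import email
import re
from email.policy import default
from urllib.parse import urlparse

# Constructed sample: every authentication check passes for the sending
# domain, but the body sends the reader to a page hosted somewhere else.
RAW_MESSAGE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-sender.example.com;
 dkim=pass header.d=mail-sender.example.com; dmarc=pass header.from=mail-sender.example.com
From: "Example Support" <no-reply@mail-sender.example.com>
To: user@example.net
Subject: Action required on your account
Content-Type: text/plain

Your account was accessed from a new device.
Review the activity here: https://example-support.pages.example.org/review
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def auth_results(msg):
    """Map spf/dkim/dmarc to their result in the Authentication-Results header."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))

def link_hosts(msg):
    """Hostnames of every URL in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {urlparse(u).hostname for u in URL_RE.findall(body)}

def assess(raw):
    """Return (auth_ok, mismatched_hosts): auth_ok is all a filter that trusts
    SPF/DKIM/DMARC sees; mismatched_hosts is the extra layer this page argues for."""
    msg = email.message_from_bytes(raw, policy=default)
    auth_ok = all(auth_results(msg).get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    from_domain = msg["From"].addresses[0].domain.lower()
    mismatched = {h for h in link_hosts(msg)
                  if h and h != from_domain and not h.endswith("." + from_domain)}
    return auth_ok, mismatched
```

A gateway that stops at auth_ok delivers this message; the mismatched set is what a second layer, or a trained user, would act on.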

Network segmentation prevents lateral movement

The assumption: Limiting access stops attackers from moving deeper into systems.

The reality: The Uber breach demonstrates how a single compromised account can bypass segmentation. After the contractor approved the push notification, the attacker accessed multiple employee accounts and obtained elevated permissions to G-Suite, Slack, and internal tools. 

According to Wasserman & Wasserman (2022), hospitals are particularly vulnerable because “73% of healthcare organizations are incapable of managing cyber incidents,” and “most IT departments do not run complete risk evaluations of the networks.”

What to do: Combine network segmentation with privilege management and continuous verification.

Endpoint detection prevents malware

The assumption: EDR (endpoint detection and response) tools catch threats before they execute.

The reality: Zero-day exploits, living-off-the-land techniques that abuse legitimate system tools, and supply chain attacks sidestep endpoint detection. Wasserman & Wasserman (2022) note that malware “accounts for 41% of cyberattacks in healthcare” and that “infection usually requires deceiving the computer’s user into accepting malware onto the computer, usually via phishing.”

What to do: Combine EDR tools with threat hunting, patch management, and supply chain hunting. 

SIEM and logging catch breaches

The assumption: If we monitor everything, we’ll detect attacks.

The reality: Volume can be overwhelming. The 2025 IBM Cost of a Data Breach Report found that organizations using AI and automation shortened the breach lifecycle by 80 days and lowered costs by $1.9 million compared to organizations that didn’t use these solutions. Yet only 32% of organizations use these tools. The average time an attacker remains in systems undetected is still over 200 days, despite monitoring.

According to the HIMSS survey, organizations report significant gaps in detection, where only 50% of breaches were identified by the organization’s own security teams and tools, while 31% were identified by third parties, and 19% were disclosed by attackers themselves.

What to do: Combine logging with behavioral analytics and incident response playbooks.

What actually works

No single control solves the problem. Organizations that reduce breach risk layer controls intelligently, not by adding more tools, but by understanding what each tool actually stops and ensuring coverage across attack types.

Paubox illustrates how blind spots can be closed. Their Email Suite enforces HIPAA compliant encryption automatically, eliminating the risk of human error, while inbound AI-based phishing detection and ExecProtect+ block impersonating attacks that bypass traditional filters. Data Loss Prevention scans outgoing emails and attachments to stop accidental protected health information (PHI) leaks, and Archiving ensures secure, searchable retention for compliance audits. Finally, the Paubox Email API integrates secure communication directly into healthcare applications and workflows, ensuring developers don’t introduce compliance gaps. 

FAQs

What is privilege escalation?

Privilege escalation occurs when an attacker gains access to a standard user account, then exploits vulnerabilities or misconfigurations to obtain higher level administrative permissions.

What is threat hunting?

Threat hunting is the proactive process of searching through networks and systems for signs of attackers or malicious activity.

What is push bombing?

Push bombing occurs when attackers repeatedly send push notification approval requests to a victim’s phone, bombarding them until notification fatigue causes the user to accidentally approve one.