Building a layered defense against healthcare phishing attacks in 2025

The 2025 Paubox security report has shed light on the current state of email security in the healthcare industry, with 180 healthcare organizations reporting email-related security breaches to the HHS Office for Civil Rights (OCR) between 2024 and January 2025. The report's findings, combined with the IBM 2024 cost of a data breach report, prove the consequences of phishing attacks, including disruptions to care, compromised patient trust, and financial strain on organizations.

To combat these growing threats and mitigate such consequences, healthcare organizations must adopt a proactive and layered approach to defense.

Learn more: What the 2025 Paubox security report reveals about industry risks

The first line of defense

Technical controls are the foundation of a strong email security strategy. According to the Paubox report, 31.1% of breached organizations were classified as High Risk, with multiple critical security gaps. To mitigate this risk, healthcare organizations should implement advanced email filtering solutions, such as those powered by Artificial Intelligence (AI) and real-time threat intelligence. These solutions can detect and block sophisticated phishing attempts, including spear phishing and Business Email Compromise (BEC) attacks.

In addition to email filtering, healthcare organizations should prioritize encryption, email authentication, and strong access controls. A study examining healthcare professionals' perceptions of security threats in digital health technologies revealed that encryption was rated as the most effective security measure in preventing data breaches, with a mean score of 4.36 out of 5 among healthcare professionals.

Go deeper: How AI has successfully stopped email breaches: Real-world case studies

How AI and automation are changing the face of HIPAA compliance

Empowering the human firewall

Security awareness training is an important component of a comprehensive defense strategy. The Paubox report found that only 5% of known phishing attacks are reported by employees, creating dangerous blind spots in organizational defenses. To address this issue, healthcare organizations should provide regular, engaging, and healthcare-specific security awareness training that includes realistic examples of phishing emails and teaches staff to identify red flags.

David Chou, Founder of Chou Group Healthcare Technology Advisory Services, emphasizes the importance of ongoing education to protect staff from phishing and social engineering, which continue to be the most effective tactics used by attackers. "Healthcare organizations must move to modern, cloud-hosted email systems as a baseline for security," Chou notes. "Equally important is ongoing education to protect staff from phishing and social engineering, which continue to be the most effective tactics used by attackers."

Related: 

• The role of cloud technology in HIPAA compliance
• The importance of training for email security
• Building healthcare security awareness programs
• The importance of firewalls in healthcare security

Preparing for the inevitable

Despite the best efforts of healthcare organizations, security incidents can still occur. A well-defined and regularly tested incident response plan helps healthcare organizations minimize the impact of a breach. The plan should outline procedures for containing the incident, eradicating the threat, recovering affected systems and data, and conducting a thorough post-incident analysis.

Matt Murren, CEO of True North ITG, stresses the importance of incident response planning in preventing operational downtime and ensuring patient care. "We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach," Murren notes. "The consequences were severe, including operational downtime, limited clinical functions, delayed patient services, and compromised patient trust."

The impact of legacy email systems

Legacy email systems can quietly undermine operational stability and efficiency across healthcare organizations. Outdated systems often lack the security frameworks, integration capabilities, and scalability that modern healthcare environments demand. This translates into a number of recurring issues, including frequent downtime, inefficient workflows, security vulnerabilities, and compliance risks.

Murren emphasizes that "HIPAA compliance is non-negotiable. Legacy email systems often lack features like end-to-end encryption, audit logging, or robust access controls—putting both patient data and institutional reputations at risk." Instead, healthcare organizations should choose technology partners and platforms that prioritize HIPAA compliance and hold a HITRUST certification, as recommended by Leonard Hamer, CEO of Physician Select Management.

The importance of HITRUST certification

HITRUST certification provides assurance that an organization has implemented security controls and procedures that comply with healthcare regulations and industry standards to protect sensitive data, including patient information, from breaches and cyberattacks. Leonard Hamer, CEO of Physician Select Management, notes that 'choosing technology partners and platforms that prioritize HIPAA compliance and hold a HITRUST certification is vital in healthcare.

The importance of Multi-Factor Authentication (MFA)

MFA is a necessary security control that can help prevent unauthorized access to sensitive data. MFA requires users to provide two or more verification factors, such as a password, fingerprint, or one-time passcode, to access a system or application. This makes it more difficult for attackers to gain access to sensitive data, as they would need to compromise multiple factors.

However, MFA is not foolproof, and attackers have developed ways to bypass it. MFA bypass kits are tools that allow attackers to bypass MFA controls and gain access to sensitive data. These kits are often readily available on the dark web and can be used to capture credentials and session tokens, which can then be used to gain access to sensitive data.

Amy Larson DeCarlo, Principal Analyst, Security and Data Center Services at GlobalData, notes that "MFA bypass kits are readily accessible and cost-effective for threat actors to use. The danger for HIPAA-compliant organizations is that cybercriminals can use these kits to capture credentials and session tokens, which in turn can be used to gain access to Personally Identifiable Information of patients and employees." To combat this issue, DeCarlo recommends that organizations "move away from easily exploited factors, including passwords, one-time passcodes, security questions, and push notifications. Instead, they should implement digital signatures or passkeys." This approach can help prevent MFA bypass kits from being used to gain access to sensitive data.

The use of passkeys, a modern passwordless authentication method, has been gaining traction as a secure alternative to traditional passwords. According to the research from the University of Southern California, passkeys have been up to 75% faster than entering passwords, with a success rate approximately 20% higher. Additionally, passkeys leverage public-key cryptography, which eliminates the need for shared secrets and significantly reduces the risk of theft or interception. The FIDO2 standard, which outlines the technical specifications for integrating passkeys into modern-day authentication systems, provides a foundation for passwordless authentication and has been adopted by major companies such as Amazon, Google, and Apple. Furthermore, passkeys can be integrated with biometrics, such as facial or fingerprint recognition, to add an extra layer of security and convenience. With the increasing threat of phishing and credential theft, passkeys offer a more reliable and secure authentication base, and their adoption is expected to grow as technology advances.

Moreover, the research published in the Partners Universal Innovative Research Publication (PUIRP) states that passkeys strengthen privacy for users by eliminating plaintext password transmission and centralized stores that expose credentials to systems and staff. Passkeys keep secret authentication factors isolated on personal devices to limit visibility. This provides stronger assurances around user privacy in the authentication process. Additionally, passkeys enhance security by using decentralized key management, where private keys are never gathered or kept in a centralized location, and public keys are stored on servers without any intrinsic value for accessing accounts without the matching private keys. The use of passkeys also reduces the risk of password database breaches, as there is no central password database that can be compromised. Overall, passkeys offer a more secure, convenient, and private alternative to traditional password-based authentication, and their adoption is expected to grow as technology advances.

Read more: Why MFA bypass tactics often start with email

The role of HISAA in healthcare cybersecurity

The proposed Healthcare Information Security and Accountability Act (HISAA) aims to improve healthcare cybersecurity by establishing minimum security standards for healthcare organizations. Brent Hoard, partner at Troutman Pepper, notes that "the proposed legislation would include more prescriptive technology requirements, annual independent audit and testing requirements, additional vendor oversight, and enhanced penalties that could even include criminal charges."

While the intention of HISAA is to improve healthcare cybersecurity, there are concerns about the potential impact on smaller healthcare organizations. Hoard notes that "the requirements would be costly, but likely manageable, for larger, more resource-rich organizations. However, similar to the proposed revamp of HIPAA’s Security Rule, the administrative, assessment/audit, and testing requirements could pose significant challenges, especially for smaller health care entities."

Learn more: The latest HIPAA updates and what's coming in 2025

FAQs

What is the FIDO2 standard?

A set of specs for passwordless authentication developed by the FIDO Alliance.

What is spear phishing?

A targeted phishing attack that tricks individuals into revealing sensitive info.

What are BEC attacks?

Business Email Compromise attacks that trick employees into transferring money or sensitive information.

Is Paubox HITRUST certified?

Yes, Paubox holds a HITRUST certification, demonstrating its commitment to protecting sensitive healthcare information.