
CC vs. BCC isn’t enough for healthcare email security training


Email-related risk extends well beyond choosing the wrong recipient field. It arises from the interaction of human behavior, the limitations of the technology, organizational culture, and a threat landscape that keeps evolving.

Recent data from the 2025 Paubox Report shows that email remains the single largest vector for cyberattacks in the healthcare sector, yet most healthcare organizations allocate less than 6% of their IT budgets to cybersecurity. This disconnect between risk and investment creates vulnerabilities that attackers are exploiting. Building effective email security requires moving beyond basic CC/BCC training to implement strategies that address the full spectrum of email-related risks.

 

Technical vulnerabilities and human error

Technology provides the tools for secure communication, but human error remains the weak point in email security. Healthcare workers, often operating under time pressure and heavy workloads, do not always check which recipient field they are using. The near-identical appearance of the CC and BCC fields in many email clients compounds the risk, as does auto-complete, which can silently fill a recipient field with an unintended address after a few keystrokes.

Recent analysis by Briana Contreras in Managed Healthcare Executive found that Microsoft 365, the platform most commonly used in healthcare, accounted for 43.3% of email-related breaches in 2024. Many email clients default to showing recent contacts or frequently used distribution lists, making it easy to select the wrong recipient or the wrong field type. In high-stress clinical environments where quick communication can be critical to patient care, these small interface details can have major consequences.

The Paubox report further illustrates this challenge, revealing that "86% of IT leaders say their current tools cause workflow friction." This friction creates a cycle in which well-intentioned security measures become obstacles that users find ways to circumvent. As Ryan Winchester, Director of IT at CareM, notes in the report: "Our company is as strong as the weakest employee link. HIPAA compliance depends on awareness and proper training—but also the right systems."

Technology can add layers of protection that do not depend on the sender noticing a mistake. Some healthcare organizations have deployed email clients that require explicit confirmation before a message goes to multiple recipients, or that automatically move recipients to BCC once a message exceeds a configured recipient count, so that no recipient can see the rest of the list.

 

The reality of human error

The concerning reality, as highlighted in the Paubox report, is that only 27% of IT leaders are confident in their ability to prevent breaches in 2025. This lack of confidence reflects a realistic understanding of how human behavior interacts with security systems in unpredictable ways.

The report reveals common misconceptions that undermine effective security strategies. Many organizations operate under the false belief that "More training will solve our readiness against phishing attacks," when in reality, "Training helps, but 95% of phishing still goes unreported. You need better detection." Similarly, organizations often assume that "Our staff are well-trained, so we're secure," but the evidence shows that "Human error is inevitable. You need tools that compensate, not just train."

This insight represents a shift in how healthcare organizations should approach email security. Rather than relying primarily on human vigilance and training, effective security strategies must assume that mistakes will happen and build systems that can prevent, detect, and mitigate the consequences of those mistakes.


 

Technology solutions and safeguards

Modern email security solutions offer several features designed to prevent accidental PHI disclosure beyond simple CC/BCC mistakes. Delay-send functions hold a message for a short period after the user clicks send, giving a final opportunity to catch and correct an error before anything is transmitted. Some systems prompt users who are about to send to multiple recipients and ask them to confirm their choice of CC versus BCC. The caveat is that a prompt which fires on every message quickly trains users to click through it, so these checks work best when they trigger only on the risky cases, such as many external recipients or content that looks like PHI.

Data loss prevention (DLP) tools scan outgoing email for PHI and flag problematic messages before they leave the organization. They can be configured to detect patterns associated with patient information and either block the message or route it through an additional approval step. Advanced DLP solutions identify not just obvious identifiers such as Social Security numbers and medical record numbers, but also contextual clues that suggest healthcare-related content. Pattern matching has limits a practitioner should plan for: it produces false positives on look-alike numbers, misses PHI that is unstructured (a name next to a diagnosis) or buried in an attachment, and should therefore be treated as one layer rather than the whole control.
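To make the two safeguards described above concrete (a recipient-count threshold that moves addresses to BCC, and a pre-send DLP scan for PHI-like identifiers and clinical context), here is an added example in Python. It is not code from the article or from any Paubox product; the internal domain, the recipient threshold, the identifier patterns, the clinical terms and the sample drafts are all constructed for illustration.

```python
"""Pre-send policy check for an outgoing email draft (added example, not from the article)."""
import re
from dataclasses import dataclass, replace
from typing import List

# Hypothetical policy settings, not values taken from the article or the report.
INTERNAL_DOMAIN = "example-hospital.org"   # the covered entity's own mail domain
MAX_VISIBLE_RECIPIENTS = 5                 # above this, To/CC recipients are moved to BCC

# A plausibly formatted US SSN (area 000/666/9xx, group 00 and serial 0000 are never
# issued) and a medical record number written as "MRN 1234567" or "MRN: 1234567".
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE)
# Contextual clues that the content is clinical even when no identifier is present.
CLINICAL_TERMS = ("patient", "diagnosis", "lab result", "prescription", "date of birth")


@dataclass
class Draft:
    sender: str
    to: List[str]
    cc: List[str]
    bcc: List[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str          # "send", "auto-bcc", "confirm" or "hold-for-review"
    reasons: List[str]
    draft: Draft         # the draft as it should actually be sent


def is_internal(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def dedupe(addrs: List[str]) -> List[str]:
    seen, out = set(), []
    for a in addrs:
        if a.lower() not in seen:
            seen.add(a.lower())
            out.append(a)
    return out


def detect_phi(text: str) -> List[str]:
    """Return the PHI signals found in text: 'ssn', 'mrn' and/or 'clinical-context'."""
    tags = []
    if SSN_RE.search(text):
        tags.append("ssn")
    if MRN_RE.search(text):
        tags.append("mrn")
    if any(term in text.lower() for term in CLINICAL_TERMS):
        tags.append("clinical-context")
    return tags


def evaluate(draft: Draft) -> Verdict:
    reasons = []
    fixed = replace(draft, to=list(draft.to), cc=list(draft.cc), bcc=list(draft.bcc))
    visible = draft.to + draft.cc
    external = [a for a in visible + draft.bcc if not is_internal(a)]

    # Safeguard 1: every address in To/CC is disclosed to every other recipient, and a
    # list of patients is itself PHI, so above the threshold move them all to BCC and
    # leave only the sender visible.
    moved = False
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        fixed.bcc = dedupe(draft.bcc + visible)
        fixed.to, fixed.cc = [draft.sender], []
        moved = True
        reasons.append(f"{len(visible)} visible recipients exceed {MAX_VISIBLE_RECIPIENTS}; moved to BCC")

    # Safeguard 2: DLP on subject and body. Only mail leaving the organization is held;
    # this example assumes internal-only mail stays inside the covered entity.
    signals = detect_phi(draft.subject + "\n" + draft.body)
    identifiers = [s for s in signals if s in ("ssn", "mrn")]
    if external and identifiers:
        reasons.append("PHI identifiers (" + ", ".join(identifiers) + ") addressed to external recipients")
        return Verdict("hold-for-review", reasons, fixed)
    if external and "clinical-context" in signals:
        reasons.append("clinical content addressed to external recipients; sender must confirm")
        return Verdict("confirm", reasons, fixed)
    return Verdict("auto-bcc" if moved else "send", reasons, fixed)


# Constructed sample drafts so the check can be run stand-alone.
SAMPLES = {
    "internal-handoff": Draft("nurse@example-hospital.org", ["md@example-hospital.org"], [], [],
                              "Shift handoff", "Patient in bed 4, MRN: 00482913, needs labs reviewed."),
    "clinic-newsletter": Draft("clinic@example-hospital.org",
                               [f"person{i}@mail.example" for i in range(8)], [], [],
                               "Flu shot clinic dates", "Walk-in flu shots every Saturday in October."),
    "misdirected-record": Draft("billing@example-hospital.org", ["insurer@payer.example"], [], [],
                                "Claim follow-up", "Re: claim for SSN 123-45-6789, see attached."),
    "appointment-reminder": Draft("frontdesk@example-hospital.org", ["jane@mail.example"], [], [],
                                  "Reminder", "Your patient portal appointment is Tuesday at 9."),
}

if __name__ == "__main__":
    for name, d in SAMPLES.items():
        v = evaluate(d)
        print(f"{name}: {v.action}  to={v.draft.to} cc={v.draft.cc} bcc={len(v.draft.bcc)}")
        for r in v.reasons:
            print("   -", r)
```

The four sample drafts exercise the four outcomes: an internal handoff carrying an MRN is sent unchanged, a newsletter to eight patients is rewritten with the sender in To and everyone else in BCC, a claim with an SSN going to an outside payer is held for review, and a reminder that mentions a "patient portal" only asks the sender to confirm. Note what the regexes do not catch: a name paired with a diagnosis, or a PDF attachment, passes straight through, which is why the text treats DLP as one layer among several.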

Research cited in the report from Shahan Ahmed at Montclair State University shows that "Organizations that adopt risk-based budgeting frameworks demonstrate greater cybersecurity resilience, with structured investment strategies leading to a 40% reduction in security incidents."

 

Advanced protection strategies

Some healthcare organizations have moved beyond traditional email entirely, implementing secure messaging platforms designed specifically for healthcare communications. These platforms often include built-in safeguards that make it more difficult to accidentally expose recipient information and provide better audit trails for compliance purposes.

However, as Paubox Chief Compliance Officer Rick Kuwahara noted in Managed Healthcare Executive, "The data shows that even the most established email security tools are just a starting point in protecting patient data." Organizations must continuously evaluate their implementations and consider adding additional layers of defense to maintain effective protection.

Advanced email security solutions now incorporate artificial intelligence and machine learning to identify suspicious patterns and potential security violations before they occur. These systems can learn from historical incidents to better predict and prevent future problems, including CC/BCC misuse, unauthorized recipient additions, and content that may violate HIPAA requirements.

Zero-trust security models are being applied to email communications, requiring verification of every recipient and transaction regardless of the sender's authorization level or past behavior. This approach recognizes that internal threats—whether malicious or accidental—represent the majority of security incidents in healthcare organizations.

 

Training and organizational culture

Regular training sessions should include practical exercises that help staff recognize common email security pitfalls and practice proper procedures. Role-playing scenarios can help staff understand the consequences of mistakes and reinforce the importance of careful attention to email practices. However, training must be designed with the understanding that human error is inevitable and cannot be completely eliminated through education alone.

The effectiveness of cybersecurity training programs is tied to organizational culture. As noted by Michael Willie in The Role of Organizational Culture in Cybersecurity: Building a Security-First Culture, research demonstrates that "an organization's culture significantly influences the effectiveness of security training programs." This helps explain why many healthcare organizations struggle with security training initiatives despite investing in educational programs.

Building effective training requires more than curriculum development; it demands cultural change. Willie emphasizes that "a culture that values continuous learning and knowledge sharing creates an environment conducive to effective cybersecurity training initiatives." In healthcare settings where time pressures and competing priorities often overshadow security concerns, creating this type of learning culture is challenging but essential.

The integration of training into organizational culture cannot be treated as an afterthought. Willie points to "the importance of embedding security awareness and training within the organizational culture to enhance cybersecurity practices." In practice this means moving beyond one-time training sessions to an ongoing learning environment in which cybersecurity awareness is part of daily operations.

Willie notes that "security leaders play a crucial role in implementing and enhancing training and awareness programs to improve security-related behaviour among users. While these programs cannot guarantee absolute security-related behaviours, they do contribute positively to the overall security posture." This balanced perspective acknowledges both the value and limitations of training programs, reinforcing the need for approaches that combine education with technological safeguards.

The ultimate goal is cultural change that empowers employees rather than simply educating them. As Willie explains, "the role of organizational culture in cybersecurity is paramount, as building a security-first culture empowers employees, enhances their awareness, and promotes a proactive approach to cybersecurity." This empowerment approach transforms employees from passive recipients of training to active participants in organizational security.

Organizations should also establish clear reporting procedures for potential email security incidents, encouraging staff to report mistakes quickly so that appropriate remediation steps can be taken. Creating an environment where staff feel comfortable reporting errors without fear of punitive action can help prevent small mistakes from becoming major violations.

 

The investment gap and its consequences

Organizations that have adopted more strategic approaches to cybersecurity investment have seen measurable improvements. The Montclair State University research cited earlier found that risk-based budgeting frameworks and structured investment strategies were associated with a 40% reduction in security incidents.

However, the healthcare sector continues to struggle with funding challenges. As noted in Holes in the Armor: Addressing the Gaps in Health Care Cybersecurity in the Philippines and Beyond, healthcare systems face "insufficient funding, hindering the establishment of robust security measures and leaving health care systems susceptible to attacks." This funding gap creates a cycle where inadequate investment leads to successful attacks, which then require even greater resources to address.

 

The cost of inadequate investment

The financial impact of inadequate email security investment extends beyond the direct costs of breach response and regulatory penalties. Organizations must also consider the hidden costs of security incidents, including:

  • Lost productivity during incident response and system remediation
  • Increased insurance premiums following security incidents
  • Legal costs associated with patient litigation and regulatory proceedings
  • Long-term reputational damage that affects patient acquisition and retention
  • Increased regulatory scrutiny and associated compliance costs
  • Staff turnover and recruitment costs if security incidents damage organizational reputation

According to Holes in the Armor, "the ramifications of data breaches are far-reaching and multifaceted. First, they entail the exposure of personal information, such as medical records and financial data, leaving individuals vulnerable to the perils of identity theft and fraud. Apart from affecting individuals, these breaches exact a hefty cost on health care institutions, which extend beyond mere recovery and remediation efforts but also potential legal liabilities."

 

Moving forward

The challenge of CC versus BCC in HIPAA compliant email represents a microcosm of broader issues in healthcare cybersecurity. It highlights the intersection of human behavior, technology limitations, regulatory requirements, and organizational culture. Addressing this challenge effectively requires a multi-faceted approach that combines clear policies, appropriate technology, ongoing training, and a commitment to continuous improvement.

Holes in the Armor emphasizes that "trust is the bedrock of the health care industry, and any breach of patient data chips away at that foundation, sowing seeds of doubt and hesitancy among patients to share their medical information with health care providers. The erosion of trust can cast a long shadow over patient-provider relationships, ultimately affecting the broader landscape of health care outcomes."

This reality demands a shift in how healthcare organizations view cybersecurity investments. Rather than treating security as an optional expense, Holes in the Armor argues that "it is crucial to acknowledge information technology as a strategic enabler, and financial commitments to cybersecurity should be viewed as essentials for realizing the organization's long-term goals."

The Paubox report offers five key recommendations that directly address these challenges:

  1. Audit your secure email configurations — don't assume they're working correctly
  2. Stop making users choose encryption — make it automatic to reduce friction and human error
  3. Upgrade detection systems to keep up with AI-powered threats
  4. Fund email security in proportion to its risk profile
  5. Choose tools that disappear into the workflow rather than disrupting it

The reality is that protecting patient information in the digital age requires more than good intentions and basic training. It demands an understanding of both technology and human behavior, alongside organizational commitment to invest appropriately in tools and processes that can prevent costly mistakes.

 

FAQs

Why is email still the largest attack vector in healthcare?

Email remains the top target because it is widely used, often unencrypted, and vulnerable to phishing, misdirected messages, and human error.

What role does organizational culture play in email security?

A culture that values continuous learning and security awareness makes staff more proactive and less likely to circumvent security measures.

Why is training alone not enough to prevent email-related breaches?

Human error is inevitable, and effective security requires tools and automated safeguards that reduce reliance on staff vigilance alone.
