A peer-reviewed systematic review published in Technology and Health Care in 2017 concluded that the healthcare industry lags behind other sectors in security, that cyberattacks targeting medical information grow at approximately 22% per year, and that healthcare organizations are vulnerable because the sector hasn’t kept pace with threats. The review's conclusion was plain about what needed to happen, noting that "the healthcare industry as a whole needs significant improvement in its security posture and culture."

Eight years on, ransomware attacks on healthcare have surged 264% since 2018, according to HHS OCR data cited in Paubox's 2025 Healthcare Email Security Report. Healthcare finished as the most targeted critical infrastructure sector in the United States for the second consecutive year, according to the FBI's 2025 Internet Crime Report, and IBM's Cost of a Data Breach Report puts the average cost of a healthcare breach at $9.8 million, the highest of any sector tracked. OCR Director Melanie Fontes Rainer has been direct about what the data means for organizations that have not acted, stating that "HIPAA-regulated entities need to be proactive and not wait for OCR to reveal long-standing HIPAA deficiencies." What Kruse and colleagues identified as emerging vulnerabilities in 2016 are now the documented conditions behind thousands of confirmed breaches.

 

Why healthcare became the sector criminals chose

Medical records carry more actionable value on criminal markets than almost any other stolen data type. A credit card can be cancelled. A medical record containing a Social Security number, insurance details, date of birth, diagnosis history, and prescription data cannot be invalidated, and it enables identity theft, insurance fraud, and medical fraud simultaneously. A 2026 scoping review published in MDPI Applied Sciences, which synthesized research published between 2021 and 2025, found that healthcare IT systems' reliance on interconnected electronic health records, telemedicine platforms, cloud infrastructure, and connected medical devices has expanded the available attack surface far beyond what it was when the Kruse review was published.

The structural pressure that drove healthcare toward that expanded digital footprint was regulatory. The HITECH Act pushed providers to adopt electronic health records through the Meaningful Use program, offering financial incentives for adoption. As Kruse et al. noted in their 2017 review, legislation like the ACA and HITECH encouraged network integration and digital adoption, but the security architecture did not advance at the same pace as the technology it was meant to protect. The result is a sector that digitized quickly under regulatory pressure and then found itself managing clinical systems, billing platforms, patient portals, medical devices, and email infrastructure simultaneously, with security investment and expertise that have consistently lagged what those systems require.

Read more: What is ransomware? | What is phishing?

 

Ransomware, phishing, and the email problem

Ransomware has become the dominant threat by both frequency and financial impact. A 2024 JMIR systematic review on vulnerability to cyberattacks in health systems found that outdated legacy systems and unsupported operating systems are among the most consistently exploited attack surfaces, precisely because they cannot receive the security patches that would close known vulnerabilities. Healthcare's tolerance for legacy infrastructure, driven by cost, operational continuity requirements, and the complexity of replacing systems that clinical workflows depend on, creates persistent exposure that ransomware operators specifically seek out.

The 2017 WannaCry attack demonstrated this dynamic at a national scale, crippling NHS trusts running Windows XP nearly a decade after Microsoft had ended support for it. The JMIR review found the same conditions persisting in 2024, with legacy systems in intensive care units, operating rooms, and recovery wards lacking secure communication protocols, and healthcare organizations underinvesting in the infrastructure upgrades that would address them.

Phishing and email-based attacks also remain a dominant initial access vector across virtually every threat category in healthcare. The Cybersecurity in healthcare review identified email-based attacks as a primary concern in its 2016 literature review. Even recently, Paubox's Top 3 Healthcare Email Attacks in 2025 report found that phishing-driven mailbox takeovers exposed 630,000 individuals in 2025 alone, making them the most damaging email attack type by patient data impact, while Paubox's 2025 Healthcare Email Security Report puts the employee reporting rate at just 5% of known phishing attacks, meaning the detection layer organizations depend on is catching less than one in twenty delivery attempts.

 

Medical devices, insiders, and third-party risk

Medical device and IoMT vulnerabilities represent a growing dimension of healthcare's attack surface. A Comprehensive Survey of Cybersecurity Threats and Data Privacy Issues in Healthcare Systems found that connected medical devices, including infusion pumps, patient monitors, imaging systems, and diagnostic tools, are embedded in clinical workflows while frequently running firmware that was never designed with network security in mind and cannot easily receive updates. Unlike a workstation that can be reimaged or isolated, a compromised infusion pump or patient monitor may not have equivalent containment options without disrupting the care it supports.

Insider threats also contribute a dimension of risk that technical controls alone cannot address. The systematic review of modern threats and trends identified internal threats as one of the main recurring findings in its literature analysis, alongside external attacks and identity theft. Carnegie Mellon University Software Engineering Institute data, cited in Paubox's 2025 Healthcare Email Security Report, found that more than half of insider fraud incidents in healthcare involve the theft of customer data, and healthcare employees with legitimate clinical access to patient information represent the access path that is hardest to distinguish from malicious use.

Even third-party and supply chain risk has grown considerably as healthcare has outsourced billing, IT management, diagnostic services, and clinical support to vendors who handle PHI on behalf of covered entities. The Change Healthcare breach in 2024, which compromised 193 million individuals through a single reimbursement processor, proves how a single vendor compromise can propagate across an entire sector. Paubox's 2026 Healthcare Email Security Report found that 28% of email-related healthcare breaches in 2025 involved a vendor or business associate, and the JMIR systematic review specifically identifies interconnected third-party networks as creating vulnerabilities that extend beyond any single organization's control.

 

Why healthcare keeps falling behind

The structural reasons healthcare lags in security are well-documented in both the Kruse et al. review and in subsequent research. Budget constraints prioritize clinical spending over security investment. Operational continuity requirements make it difficult to take systems offline for patching or upgrades. Clinical staff are trained in patient care rather than security threat recognition, and the regulatory compliance framework, which focuses primarily on data confidentiality through HIPAA, has not historically driven investment in the system resilience and availability protections that ransomware attacks directly target.

The 2024 JMIR review found that studies consistently identify the healthcare sector as unequipped and lacking in investment, recommending that healthcare organizations partner with educational institutions to develop cybersecurity curricula for clinical environments and that HHS provide clearer guidance on applying NIST frameworks with incentives for phasing out legacy systems. Those are the same categories of recommendation Kruse and colleagues made in 2016, which says something about how much has changed in the intervening years.

A 2024 PMC systematic review on sociotechnical cybersecurity in healthcare found that human behavior, organizational processes, and technology interact in ways that cannot be secured through technical controls alone. Clinical staff operating under time pressure in environments where urgency is the norm make different decisions about email links and authentication prompts than the same individuals would in lower-stakes settings. Security controls that depend on human judgment to function correctly inherit that judgment's limitations at precisely the moments when the stakes are highest.

 

How Paubox can help

Across the academic literature from Kruse et al. through the 2026 MDPI scoping review, the consistent finding is that effective healthcare cybersecurity requires removing human judgment from the most critical protection decisions rather than simply trying to improve it. Pre-delivery email filtering that removes phishing and malicious messages before they reach inboxes is where that principle has the most direct application, since email is the dominant initial access vector for ransomware, credential theft, and mailbox takeover attacks alike. Paubox's 2026 Healthcare Email Security Report found that attacks avoiding native email defenses rose 47% in 2025, pointing to the inadequacy of signature-based filtering against modern campaigns. Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and contextual signals, catching phishing attempts that bypass signature-based systems before they reach clinical staff.

Automatic outbound encryption addresses the same principle from the other direction, removing the judgment call about whether a particular message contains PHI that needs protection. Every Paubox outbound message is encrypted by default with no subject line keywords, no manual steps, and no staff training required to function correctly. As Hoala Greevy, CEO of Paubox, has put it, "Too many vendors still treat HIPAA as optional. If you're handling PHI without encryption or a BAA in place, you're creating liability." Paubox's report on what healthcare gets wrong about HIPAA and email security found that organizations relying on user judgment for encryption decisions cannot demonstrate the consistent, provable application that OCR looks for when investigating email-related breaches.

 

FAQs

Why is healthcare consistently the most expensive sector for data breaches?

Medical records combine identity, financial, insurance, and clinical details in a single file that enables multiple fraud categories simultaneously. Healthcare organizations also face higher regulatory notification costs and operational disruption than most sectors, which drives remediation expenses well beyond what the breach itself costs to contain.

 

How do medical devices create cybersecurity risk beyond what standard IT controls address?

Connected medical devices often run firmware that cannot be patched and cannot be taken offline without disrupting patient care. Network segmentation that separates device traffic from general hospital IT is the most practical mitigation, but it requires architecture investment that many organizations have not made.

 

What does the research say about why security awareness training has limited effectiveness in healthcare?

Clinical environments create time pressure that consistently reduces the effectiveness of trained security behaviors, with staff making different decisions under urgency than they would in lower-stakes settings. The academic literature consistently recommends removing human judgment from critical security decisions through automation rather than trying to improve it through training alone.

 

What is the single structural gap that accounts for the most healthcare breaches?

Email remains the dominant initial access vector across ransomware, credential theft, and mailbox takeover attacks, and the controls most organizations rely on, employee reporting and signature-based filtering, are insufficient against modern campaigns. Pre-delivery filtering that removes phishing before it reaches inboxes addresses the problem at the source.

 

How does HIPAA compliance relate to cybersecurity investment in healthcare?

Many organizations have interpreted compliance primarily as a data confidentiality requirement, investing in encryption while underinvesting in the resilience protections that ransomware directly targets. OCR's recent enforcement pattern, consistently citing absent risk analyses as the primary violation across ransomware settlements, shows an agency trying to close that gap through post-breach accountability.