Handling legacy or non-TLS mail systems in email workflows
Kirsten Peremore
October 21, 2025
Healthcare remains a high-value target for cybercriminals, and legacy infrastructure only increases that exposure. Older systems typically cannot support multifactor authentication or widely adopted email authentication standards such as DMARC, SPF, and DKIM. These standards are necessary for preventing spoofing, phishing, and impersonation attacks.
A Computer Methods and Programs in Biomedicine study notes, “Many institutions still operate systems that 'do not profit from recent advances in Information and Communication Technologies (ICT)' and were built for 'static organizations' rather than modern, interoperable communication needs.”
These limitations make it difficult to apply newer authentication models or security protocols that rely on updated architectures. Another concern is the lack of visibility and traceability within legacy environments.
Many outdated platforms do not provide detailed audit logging or monitoring capabilities, making it difficult to detect, investigate, or respond to potential incidents. Those platforms pose a direct compliance concern; the HIPAA Security Rule requires covered entities to protect electronic protected health information (ePHI) during transmission and maintain audit controls to track access and activity.
The need to preserve existing investments while improving security is not new; as one study emphasizes, modernization efforts must “overcome the weaknesses typically found in legacy healthcare systems” while adding secure and interoperable features. Without replacing or extending these systems to support secure transmission and accountability, organizations remain at elevated risk of both cyber incidents and regulatory violations.
The legacy email landscape
Legacy systems are typically long-standing platforms built on outdated software and protocols that don’t integrate well with modern technologies. They often continue to function for basic communication needs, but they fall short when it comes to requirements like encryption, multifactor authentication, auditing, and compliance with today’s cybersecurity standards.
As one study, ‘The need for cybersecurity self-evaluation in healthcare’ noted, healthcare environments often rely on “old, legacy systems, lack of funding, lack of cybersecurity personnel, and health staff using workarounds” that bypass security altogether. These systems may run on older versions of SMTP without enforced transport layer security (TLS) encryption or depend on clients and servers that no longer receive patches or security updates.
Many organizations maintain them because upgrading is expensive, risky to clinical workflows, and often met with resistance from staff who are comfortable with familiar tools. As one participant observed, “The natural inclination of most people...is to use an old system and keep using it.”
Healthcare organizations are especially vulnerable because they handle large volumes of sensitive PHI and operate in environments where downtime is unacceptable. Outdated infrastructure increases exposure. Australian healthcare stakeholders described the sector as a “complex mix” of providers and systems, where protecting data is challenging and “legacy systems…are a major vulnerability point.” When organizations continue to rely on outdated systems, they undermine their ability to prevent and contain cyber threats.
Security gaps created by non-TLS email systems
A major security problem with non-TLS email systems is the risk of interception through man-in-the-middle attacks. When messages aren’t encrypted, anyone with access to the network path, whether a cybercriminal on public Wi-Fi, an ISP, or even a malicious insider, can capture and read the contents in transit.
As a Frontiers in Digital Health study explains, attackers can “insert themselves into the middle of communication transmission,” allowing them to “eavesdrop, steal, or modify information being exchanged before it reaches the receiving end.” This puts both the confidentiality and integrity of health information at risk.
Once positioned in the communication stream, attackers can quietly steal login credentials, impersonate senders, or tamper with email content in ways that support fraud, misinformation, or unauthorized disclosure. The same body of research notes that infiltrating healthcare systems allows attackers to “access mounds of information and manipulate, steal, ransom, or otherwise compromise the records.” Unencrypted email often contains sensitive clinical and personal data, which makes legacy systems especially attractive to threat actors seeking easy points of entry.
Another major issue is the lack of secure server authentication. Without TLS, it becomes far easier for attackers to spoof legitimate email addresses and pose as healthcare providers, billing departments, or administrative staff. Phishing is repeatedly identified as one of the most common and successful attack vectors in healthcare—“89% of cybercrimes” were found to begin with phishing emails in one analysis. These attacks exploit the trust users place in familiar-looking communications and capitalize on gaps in verification.
Why TLS is the standard but not the guarantee
TLS does not secure emails at rest, which means the content is decrypted on the recipient’s server or device. If that environment lacks strong encryption, access controls, or patching, sensitive information can still be exposed. Many healthcare providers also rely on third-party email services, where the strength of stored data protection varies.
Research from Chiropractic & Manual Therapies on digital communication in healthcare illustrates how uneven adoption of secure technologies creates risk. Only 60% of Swiss chiropractors reported using encrypted email, despite national efforts to promote secure transmission.
As the authors note, “better implementation of electronic health information technologies…is possible and encouraged,” underscoring the persistent vulnerability created when data protection stops at transmission. Even when TLS is in place, the lack of protections at rest can leave room for insider threats, accidental disclosures, and breaches via compromised servers.
TLS encrypts traffic in transit, but it does not stop attackers from spoofing trusted domains or impersonating healthcare staff. Phishing remains one of the most common attack methods in the sector, and TLS alone does not filter out fraudulent emails.
That gap is typically addressed with authentication standards like DMARC, SPF, and DKIM, which must be layered on top of TLS to verify sender legitimacy and block spoofed messages. Without those controls, encrypted delivery does little to stop attackers from gaining a foothold through email.
The technical solution that helps balance business reliability and security
HIPAA-compliant email tools built for secure email and messaging help reduce cyber risk without interrupting how healthcare teams communicate. This balance is difficult to achieve, and research has repeatedly shown that legacy email systems fall short. Phishing remains one of the biggest threats. It relies on deception, often through impersonation, to steal credentials or deliver malware, and healthcare organizations receive an outsized share of these attacks.
Staff are frequently targeted because many lack specialized cybersecurity training, making email an easy entry point for attackers. Effective security solutions like the Paubox email suite address this risk with layered protections such as DMARC, TLS, malware filtering, and sender authentication to identify and block threats before they reach inboxes. Just as necessary, pairing these technologies with regular cybersecurity training strengthens frontline awareness and reduces the likelihood that a convincing phishing email will succeed.
FAQs
What is TLS in email, and why does it matter?
TLS encrypts emails while they travel between mail servers. Without it, messages can be intercepted or read in transit.
What’s the difference between opportunistic and forced TLS?
Opportunistic TLS: Tries encryption but falls back to unencrypted delivery if TLS isn’t available.
Forced (or mandatory) TLS: Blocks delivery unless encryption is in place. More secure, but can cause delivery failures with outdated systems.
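As an added example (not code from this article or from Paubox), the following Python models the decision a sending mail server makes under each policy. The EHLO replies are constructed strings standing in for what a real peer would send, the domain names are hypothetical, and the policy names are this example's own.

```python
"""Opportunistic vs. forced (mandatory) TLS on the sending side of SMTP.

Added illustration, not code from the article or from Paubox. The EHLO replies
are constructed strings standing in for what a real peer would send after the
EHLO command, so the example runs offline; the domain names are hypothetical.
"""
from __future__ import annotations
from enum import Enum


class TlsPolicy(Enum):
    OPPORTUNISTIC = "opportunistic"  # use STARTTLS if offered, else send in the clear
    FORCED = "forced"                # never send in the clear; defer or bounce instead


class DeliveryRefused(Exception):
    """Forced TLS could not be satisfied; the MTA should queue and retry, then bounce."""


# Constructed EHLO replies (RFC 5321 multi-line format). A current MTA advertises
# STARTTLS; a legacy system typically does not.
EHLO_MODERN = ("250-mx.example-hospital.test\r\n"
               "250-SIZE 52428800\r\n"
               "250-STARTTLS\r\n"
               "250 8BITMIME\r\n")
EHLO_LEGACY = ("250-mail.legacy-clinic.test\r\n"
               "250-SIZE 10485760\r\n"
               "250 8BITMIME\r\n")


def advertised_extensions(ehlo_reply: str) -> set[str]:
    """Return the extension keywords from an EHLO reply (first line is the peer name)."""
    lines = ehlo_reply.strip().splitlines()
    exts: set[str] = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        exts.add(line[4:].split(" ", 1)[0].upper())  # drop "250-"/"250 " and parameters
    return exts


def decide_transport(ehlo_reply: str, policy: TlsPolicy, handshake_ok: bool = True) -> dict:
    """Apply the policy to one connection and return a record worth writing to the audit log.

    handshake_ok models whether the STARTTLS handshake would actually complete
    (certificate accepted, protocol agreed). STARTTLS that is advertised but
    then fails is treated the same as STARTTLS not offered at all.
    """
    peer = ehlo_reply.splitlines()[0][4:].split(" ", 1)[0]
    offered = "STARTTLS" in advertised_extensions(ehlo_reply)
    if offered and handshake_ok:
        transport = "tls"
    elif policy is TlsPolicy.FORCED:
        raise DeliveryRefused(f"{peer}: no usable STARTTLS under forced policy, deferring")
    else:
        transport = "plaintext"
    return {"peer": peer, "policy": policy.value,
            "starttls_offered": offered, "transport": transport}


def plaintext_peers(records: list[dict]) -> dict[str, int]:
    """Count cleartext deliveries per peer so that fallback shows up in review, not silently."""
    counts: dict[str, int] = {}
    for rec in records:
        if rec["transport"] == "plaintext":
            counts[rec["peer"]] = counts.get(rec["peer"], 0) + 1
    return counts


if __name__ == "__main__":
    log = [decide_transport(EHLO_MODERN, TlsPolicy.OPPORTUNISTIC),
           decide_transport(EHLO_LEGACY, TlsPolicy.OPPORTUNISTIC)]
    print(plaintext_peers(log))  # the legacy peer shows up here
    try:
        decide_transport(EHLO_LEGACY, TlsPolicy.FORCED)
    except DeliveryRefused as e:
        print("refused:", e)
```

The point to notice is that under the opportunistic policy the outcome is decided entirely by what the peer advertises, so a legacy server (or anything on the path that does not relay the STARTTLS line) produces a cleartext delivery with no error. Keeping the per-peer count in the audit trail is what makes that fallback reviewable, and it tells you which partner domains are ready to be moved to the forced policy.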
Can TLS prevent phishing or spoofing?
No. TLS protects the message in transit, not the sender’s identity. Tools like SPF, DKIM, and DMARC are needed to verify authenticity.
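The layering described in the section “Why TLS is the standard but not the guarantee” and in this answer comes down to one question a receiving server asks: does the SPF or DKIM result line up with the domain the user actually sees in the From: header? The following Python, added here as an illustration rather than code from the article or from Paubox, works through that DMARC alignment check. The DMARC record, the domains, and the SPF/DKIM results are constructed sample values; a real receiver would fetch the record from DNS and compute SPF and DKIM itself.

```python
"""DMARC evaluation for one message, given its SPF and DKIM results.

Added illustration, not code from the article or from Paubox. The DMARC record,
domains and authentication results below are constructed sample values; a real
receiver would fetch the record from DNS and compute SPF/DKIM itself.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed record, as it would be published at _dmarc.example-clinic.test
# (hypothetical domain). aspf=s: SPF must match the From domain exactly;
# adkim=r: a DKIM d= in the same organizational domain is enough.
SAMPLE_DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example-clinic.test"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tags and apply RFC 7489 defaults for alignment."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs a valid p= policy")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Simplification for the example: real receivers consult the Public Suffix
    List so that e.g. 'clinic.co.uk' is not reduced to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From: header the user sees
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= of the signature that verified (empty if none)


def evaluate_dmarc(record: str, r: AuthResults) -> dict:
    """Return the DMARC result and the disposition the domain owner requested.

    Passing needs at least one *aligned* pass: an SPF pass on an unrelated
    envelope domain, or a DKIM pass from a third party's d=, does not count.
    (pct= sampling and sp= subdomain policy are not modelled here.)
    """
    tags = parse_dmarc(record)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
    }


if __name__ == "__main__":
    # Constructed cases: a genuine message from the clinic's own mail system,
    # and one whose From: shows the clinic but whose envelope and signature do not.
    genuine = AuthResults("example-clinic.test", "pass", "mail.example-clinic.test",
                          "pass", "example-clinic.test")
    lookalike = AuthResults("example-clinic.test", "pass", "bulk-sender.test",
                            "none", "")
    for name, res in (("genuine", genuine), ("lookalike", lookalike)):
        print(name, evaluate_dmarc(SAMPLE_DMARC_RECORD, res))
```

Two things the walk-through makes concrete. First, the genuine message passes only through DKIM: its SPF check succeeded, but on a subdomain, and the sample record asks for strict SPF alignment, which is why publishing both SPF and DKIM matters rather than relying on one. Second, the lookalike message has a perfectly valid SPF pass for the domain that really sent it, yet fails DMARC because that domain is unrelated to the From: header, and the record's p=reject tells the receiver what to do with it. TLS on the connection would have been identical in both cases.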