Phishing remains a primary threat, with attackers impersonating trusted entities to trick employees into revealing credentials or downloading malware. For example, a Digital Health collaborative study on the advancement of digital health technology and the risks to its security notes ransomware attacks—often delivered via malicious email attachments—that encrypt data, disrupting care, and incurring average breach costs of $9.8 million.
The study also extends the risks to email security: “These security flaws encompass unauthorized access, data violations, and security breaches that carry substantial implications to the integrity of delicate information for healthcare.” To build resilience, healthcare organizations must adopt multi-layered strategies. In this regard, specialized HIPAA-compliant email tools like Paubox exemplify solutions that automate encryption, filter inbound threats, and ensure HIPAA compliance.
Common email-borne threats in healthcare
Scammers impersonating trusted entities to deliver malware
Scammers use digital imposter scams to deliver malware, leveraging psychological manipulation and technical deception. By spoofing email addresses, domains, or logos, attackers mimic trusted organizations (e.g., hospitals, insurers) to trick recipients into clicking malicious links or attachments.
A phishing email might appear to originate from a colleague or healthcare provider, urging immediate action to view a patient report or invoice. These emails often direct users to fake login pages designed to harvest credentials or trigger malware downloads.
Ransomware attacks frequently begin this way, with attackers exploiting trust to install malware that encrypts data. A 2022 study, ‘Who Can You Trust? Assessing Vulnerability to Digital Imposter Scams’ in the Journal of Consumer Policy, noted, “Recent years have seen significant growth in the area of digital imposter scams, in which the scammer uses digital means to impersonate a trusted organization or person.” Such scams rely on urgency and authority, often impersonating regulatory bodies or IT departments to bypass skepticism.
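The impersonation indicators described in this section (spoofed sender identity, look-alike domains, mismatched reply routing, urgency language) can be checked mechanically before a message reaches a clinician's inbox. The script below is an added example, not code from Paubox or from the studies cited here; the trusted-domain allowlist, the sample message, the urgency word list and the edit-distance threshold are assumptions chosen for illustration.

```python
"""Header triage for sender-impersonation indicators in an inbound message.

Added example, not code from Paubox or from the studies cited on the page.
The trusted-domain allowlist, the sample message and the distance threshold
are assumptions for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed allowlist: domains the organization treats as trusted senders.
TRUSTED_DOMAINS = {"example-hospital.org", "example-insurer.com"}

# Subject words that signal the urgency tactic described in the text.
URGENCY_WORDS = ("urgent", "immediate", "immediately", "action required")

# Constructed sample: the display name claims a hospital colleague, the
# address uses a look-alike domain ('1' for 'l'), Reply-To goes elsewhere,
# and the subject pushes for immediate action.
SAMPLE_MESSAGE = """\
From: "Dr. Lee (Example Hospital)" <dr.lee@examp1e-hospital.org>
Reply-To: billing@mail-relay.example.net
To: nurse@example-hospital.org
Subject: URGENT: patient report requires your immediate review
Content-Type: text/plain

Please open the attached report immediately.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (used for look-alike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that this domain imitates (distance 1 or 2), if any."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return human-readable impersonation indicators found in the headers."""
    msg = message_from_string(raw_message)
    indicators = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name invokes a trusted organization, but the address is not from it.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            org_words = trusted.split(".")[0].replace("-", " ")
            if org_words in from_name.lower():
                indicators.append(f"display name references '{org_words}' but sender domain is {from_domain}")

    # 2. Sender domain is a typosquat of a trusted domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        indicators.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    # 3. Replies are routed to a different domain than the visible sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 4. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        indicators.append("subject uses urgency language")

    return indicators


if __name__ == "__main__":
    for line in spoofing_indicators(SAMPLE_MESSAGE):
        print("INDICATOR:", line)
```

Each indicator on its own is weak evidence (legitimate mail often carries a Reply-To to a ticketing system, for instance), so a filter would normally score them together and route messages with several hits to quarantine or to a banner warning rather than blocking on any single one.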
Encryption of patient data for extortion
Threat actors encrypt patient data primarily to extort ransom payments, a tactic central to ransomware attacks. By rendering protected health information (PHI) inaccessible, attackers cripple healthcare operations, forcing organizations to pay for decryption keys. This form of cyberattack exploits vulnerabilities in email systems, often initiated through phishing or unpatched software.
Ransomware disrupts care and violates patient privacy, as stolen data may be sold on dark web markets. The previously mentioned Digital Health study links these attacks to poor email security practices, emphasizing the need for proactive measures like encryption, backups, and employee education to mitigate risks.
Spam & malware-laden attachments
Spam and malware-laden attachments pose risks to healthcare email systems by serving as primary vectors for cyberattacks. According to a BMJ Health & Care Informatics journal article ‘Phishing in healthcare organisations: threats, mitigation and approaches’, 2 to 3% of all email traffic in healthcare organizations is flagged as suspicious, often containing malicious links or attachments disguised as legitimate files (e.g., invoices, patient reports).
These attachments may deploy ransomware, spyware, or remote-access trojans (RATs) when opened, enabling threat actors to encrypt sensitive data, steal credentials, or infiltrate networks. For example, malware like Kwampirs, a remote-access trojan targeting healthcare supply chains, exploits email vulnerabilities to compromise connected devices and exfiltrate PHI.
A Journal of Medical Internet Research study on the cybersecurity challenges that rose to prominence during the COVID-19 pandemic noted, “Cybercrime adapts to changes in the world situation very quickly. At the beginning of an escalation in the COVID-19 pandemic, malware cyberattackers identified common vulnerabilities and adapted their attacks to exploit these vulnerabilities.”
Even a single successful download can disrupt clinical operations, as seen in ransomware attacks that halt access to electronic health records (EHRs) until ransom demands are met. Additionally, spam emails often bypass basic filters, relying on social engineering to trick employees into disabling security protocols (e.g., enabling macros in documents).
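A first line of defense against the attachment types this section describes is to screen inbound messages for files that execute or carry macros before they reach a user. The script below is an added example and not Paubox's or any cited study's code; the extension lists, the constructed three-attachment sample message and the quarantine rule are assumptions for illustration.

```python
"""Screen attachments of an inbound message for high-risk file types.

Added example, not Paubox's or any study's code. The sample message, the
extension categories and the policy action are assumptions for illustration.
"""
from email import message_from_bytes
from email.message import EmailMessage
from typing import Dict

# File types that carry macros or execute directly when opened (assumed lists).
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
EXECUTABLE = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
ARCHIVE = {".zip", ".rar", ".7z", ".iso", ".img"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xlsx", ".jpg", ".png"}


def classify_filename(name: str) -> str:
    """Return 'double-extension', 'executable', 'macro', 'archive' or 'ok'."""
    parts = name.lower().strip().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # report.pdf.exe style: a document-looking name hiding a final extension.
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_LIKE and ext not in DOCUMENT_LIKE:
        return "double-extension"
    if ext in EXECUTABLE:
        return "executable"
    if ext in MACRO_ENABLED:
        return "macro"
    if ext in ARCHIVE:
        return "archive"
    return "ok"


def screen_message(raw: bytes) -> Dict[str, str]:
    """Map each attachment filename in a raw RFC 5322 message to a risk category."""
    msg = message_from_bytes(raw)
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text or multipart container, not an attachment
        category = classify_filename(filename)
        payload = part.get_payload(decode=True) or b""
        # A Windows PE header under a harmless-looking name is flagged regardless of extension.
        if payload[:2] == b"MZ" and category != "executable":
            category = "disguised-executable"
        findings[filename] = category
    return findings


def policy_action(findings: Dict[str, str]) -> str:
    """Quarantine the message if any attachment is not 'ok', otherwise deliver."""
    return "quarantine" if any(c != "ok" for c in findings.values()) else "deliver"


def build_sample() -> bytes:
    """Construct a multipart message with one benign and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "clinic@example-hospital.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04 constructed macro document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="report.docm")
    msg.add_attachment(b"MZ\x90\x00 constructed executable bytes", maintype="application",
                       subtype="pdf", filename="scan.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = screen_message(build_sample())
    for name, category in result.items():
        print(f"{name}: {category}")
    print("action:", policy_action(result))
```

The content check matters more than the extension lists: the third attachment is named and typed as a PDF but starts with the `MZ` signature of a Windows executable, which is exactly the kind of disguise that extension-only filters miss. A production gateway would extend the same idea with archive inspection and a malware scanner, since a password-protected ZIP defeats this simple screen.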
The technical safeguards to protect against malware
Under the HIPAA Security Rule, technical safeguards are defined as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it." Key technical safeguards include:
- Access control: Implementing mechanisms to allow only authorized individuals to access ePHI.
- Audit controls: Using hardware, software, and procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- Integrity controls: Implementing policies and procedures to protect ePHI from improper alteration or destruction.
- Authentication: Verifying that a person or entity seeking access to ePHI is the one claimed.
- Transmission security: Protecting ePHI against unauthorized access during transmission over an electronic communications network.
Policy measures that benefit email security
A Springer journal article on the security of electronic health records provides, “There is no magic combination of security controls and habits that will repel all boarders from key business data.
Security professionals balance their security programs with physical, technical, and administrative security controls along with an ever-present eye on the security landscape to observe breaches experienced by others.”
Policy measures are a necessary part of enforcing consistent security practices. Access control policies restrict email system permissions to authorized personnel, minimizing insider threats. Regular risk assessments identify vulnerabilities in email configurations, such as misconfigured DMARC or SPF records, which are common in breaches.
Incident response plans outline steps to isolate compromised accounts, notify regulators, and restore data post-breach. Email retention policies mandate secure deletion of outdated PHI to reduce data exposure.
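The DMARC and SPF misconfigurations that a risk assessment should catch are visible in the domain's DNS TXT records, so the check itself can be scripted. The example below is added here and is not Paubox's or any cited study's code; the two domains and their records are constructed and embedded inline so the script runs offline (a live assessment would fetch the TXT records with a DNS library such as dnspython's `dns.resolver.resolve(name, "TXT")`), and the finding texts are assumptions.

```python
"""Assess SPF and DMARC TXT records for common misconfigurations.

Added example, not Paubox's or any study's code. Records are constructed
and embedded inline in place of DNS lookups; finding texts are assumptions.
"""
from typing import Dict, List

# Constructed TXT records keyed by DNS name, standing in for real lookups.
SAMPLE_RECORDS: Dict[str, str] = {
    "weak.example.org": "v=spf1 a mx include:_spf.example.net +all",
    "_dmarc.weak.example.org": "v=DMARC1; p=none; pct=50",
    "strong.example.org": "v=spf1 mx include:_spf.example.net -all",
    "_dmarc.strong.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example.org; adkim=s; aspf=s",
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def is_lookup_term(term: str) -> bool:
    """True if an SPF term triggers a DNS lookup, ignoring its qualifier."""
    base = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
    return base in LOOKUP_MECHANISMS


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means nothing flagged."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: any host can claim to send for this domain"]
    findings = []
    terms = record.split()[1:]
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral; receivers cannot distinguish forged mail")
    elif last == "~all":
        findings.append("'~all' soft fail only; consider '-all' once senders are enumerated")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism; unlisted senders get an implicit neutral")
    lookups = sum(is_lookup_term(t) for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the SPF limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means nothing flagged."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: SPF/DKIM failures are not enforced by receivers"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"invalid or missing policy tag: {policy!r}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


def assess_domain(domain: str, records: Dict[str, str] = SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Assess both records for a domain using the supplied (here: constructed) TXT data."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get("_dmarc." + domain, "")),
    }


if __name__ == "__main__":
    for name in ("weak.example.org", "strong.example.org"):
        print(name, assess_domain(name))
```

Running this against the constructed data flags the weak domain for `+all` (which makes SPF meaningless) and for a monitor-only DMARC policy applied to half the mail stream with no reporting address, while the strong domain passes clean. These are precisely the findings a periodic risk assessment should produce and track to closure.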
Human-centric strategies
A Frontiers study, ‘Hospital cybersecurity risks and gaps: Review (for the non-cyber professional)’ notes, “At the same time, some vulnerabilities simply cannot be prevented. For instance, attackers can gather data from employees to then infiltrate networks or extort the employees. One piece of information that must be clearly distinguished is employees' ID tags, as identifying members of the medical team is key to patient care.
However, an experiment showed that gathering employee information simply by seeing their IDs allowed the researchers to search the internet and target them online. Such employee information cannot practically be kept confidential. There must be a balance between cybersecurity measures and realistic prevention.”
Human-centric strategies focus on reducing employee susceptibility to social engineering. Security awareness training teaches staff to recognize phishing tactics, such as urgency-driven requests or spoofed sender addresses, lowering click rates by up to 66% after repeated simulations. Encouraging the reporting of suspicious emails enables IT teams to analyze threats and update defenses proactively.
Behavior-based metrics, like tracking phishing exercise performance, identify high-risk departments for targeted training. Cultivating a security-first culture through regular reminders and incentives reinforces vigilance, while clear protocols for handling PHI reduce accidental leaks.
FAQs
What is malware?
Malware (short for "malicious software") is any software designed to harm, exploit, or otherwise compromise computers, networks, or devices. Examples include viruses, ransomware, spyware, and trojans.
How does malware infect my device?
Malware can infect devices through malicious email attachments, fake websites, drive-by downloads, compromised software, phishing links, USB drives, and outdated systems without security patches.
What are common signs of a malware infection?
Symptoms include slow system performance, frequent crashes, pop-up ads, new programs you didn’t install, altered browser settings, and unusual data usage.
Is antivirus software enough to stop malware?
Antivirus software helps, but it's not foolproof. Safe browsing habits, regular updates, and layered security (e.g., firewalls, anti-malware tools) are also necessary.
Should healthcare organizations pay a ransom if files are locked by ransomware?
No. Paying doesn't guarantee you'll get your data back and encourages more attacks.