Inbound email security best practices to protect sensitive information
Gugu Ntsele December 11, 2025
According to the FBI’s Internet Crime Complaint Center, phishing is the single most frequently reported cybercrime category in the US, making up more than one-fifth of all reported cyber incidents. With protected health information (PHI) at stake and strict HIPAA compliance requirements, healthcare practices need inbound email security strategies that go beyond basic spam filters.
Understanding inbound email threats in healthcare
Forbes Technology Council member Jeff Bell notes in Tips For Improving Your Email Privacy And Security, "there is no such thing as perfect security." While email providers implement encryption and secure data centers, email accounts and networks remain vulnerable to compromise. This is why healthcare organizations need multiple layers of protection rather than relying on any single security measure.
Current threats
The 2025 Healthcare Email Security Report from Paubox reveals that between January 1, 2024, and January 31, 2025, 180 healthcare organizations reported email-related security breaches to the HHS Office for Civil Rights. A study published in Sustainability, "Cyber Risk in Health Facilities: A Systematic Literature Review" by Sardi, Rizzi, Sorano, and Guerrieri, examined the scope of cyber risk in healthcare and found that healthcare experiences more ransomware attacks than any other sector, with email serving as the initial entry point in the majority of cases. The systematic literature review noted that from 2005 to 2019, approximately 249 million individuals were affected by healthcare data breaches, with over ninety percent of breached records in recent years compromised through hacking attacks.
Phishing attacks have become sophisticated, with threat actors using social engineering tactics that exploit the trust relationships and hierarchical structures within healthcare settings. An INTERPOL report notes that criminals are "continuously refining their tactics, utilizing social engineering, artificial intelligence, and instant messaging platforms to launch increasingly sophisticated attacks." Business email compromise (BEC) schemes impersonate executives or vendors to trick employees into transferring funds or sharing sensitive information. Malware disguised in attachments can infiltrate entire networks, while credential harvesting attempts steal login information to access patient records and internal systems.
The ROI of inbound email security
According to IBM's 2025 Cost of a Data Breach Report, healthcare recorded "the highest average breach cost among industries for the 12th consecutive year" at $7.42 million. The systematic literature review found that breaches in the healthcare sector averaged approximately $6.45 million, with the cost per breached healthcare record reaching $429 in 2019, which is higher than the $150 average across other industries.
IBM's research reveals that breach costs extend across four categories:
- Detection and escalation costs, including forensic investigations, crisis management, and communications to executives.
- Notification costs for informing patients and regulators.
- Post-breach response activities such as credit monitoring services, legal expenditures, and regulatory fines.
- Lost business costs, including system downtime, customer attrition, and reputational damage.
Investing in inbound email security delivers returns by preventing these costly incidents. IBM's research shows that organizations using AI and automation in their security operations achieved average breach costs of $3.62 million, a savings of $1.9 million compared to organizations not using these technologies. These organizations also identified and contained breaches 80 days faster than those without AI-powered defenses. The time savings for IT teams, reduced incident response costs, and avoided downtime show positive ROI within the first year.
Regulatory and compliance context
HIPAA regulations establish requirements for protecting electronic protected health information (ePHI). According to the Summary of the HIPAA Security Rule published by the HHS, covered entities and business associates must implement reasonable and appropriate administrative, physical, and technical safeguards. The Security Rule requires organizations to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, while protecting against reasonably anticipated threats and ensuring workforce compliance.
Note that email security and email privacy serve different but complementary functions. According to Forbes, email security focuses on protecting account data from unauthorized access, while email privacy relates to how personal information is gathered, shared, stored, or transmitted. Healthcare organizations must address both to maintain protection of patient information and comply with HIPAA requirements.
According to the HIPAA Security Rule, organizations must consider multiple factors when selecting security measures, including their size and complexity, technical infrastructure capabilities, implementation costs, and the probability and criticality of potential risks to ePHI. This scalability allows healthcare practices of all sizes to implement appropriate protections.
Email communication requirements under HIPAA
According to Kim Stanger in E-mailing and Texting PHI: Beware HIPAA, the HIPAA Privacy Rule actually requires covered entities to communicate with patients via email or text when patients request it, though appropriate safeguards must be in place. Stanger notes a distinction in HIPAA requirements: while covered entities must secure their outbound communications to patients through either encryption or patient warnings about risks, the Security Rule doesn't apply to incoming messages from patients. When patients initiate unsecured email or text communications, that information becomes protected under HIPAA once the provider receives it.
However, Stanger states that this flexibility doesn't extend to communications with other providers, employees, or third parties. For these communications, simply warning recipients about security risks isn't sufficient; organizations must generally ensure their emails and texts comply with Security Rule standards through encryption or other appropriate technical safeguards.
Inbound email security directly addresses several HIPAA Security Rule requirements. It helps prevent unauthorized access to ePHI, maintains the integrity of patient data, and supports audit capabilities that track and monitor security incidents. Organizations that fail to implement adequate email security measures risk not only data breaches but also HIPAA violations that can result in penalties.
Types of inbound email security software
Understanding the different approaches to email security helps organizations choose the right solution for their needs.
Integrated Cloud Email Security (ICES)
Integrated Cloud Email Security solutions work within your existing email platform, normally through API connections to cloud email services like Microsoft 365 or Google Workspace. These solutions analyze emails after they've already been delivered to your email environment.
ICES offers advantages in terms of deployment speed and integration with collaboration tools. However, the after-delivery approach creates a vulnerability window. Even if a malicious email is detected and remediated within seconds, that brief exposure creates risk.
Secure email gateway (SEG)
A secure email gateway sits in the mail flow ahead of the mailbox and inspects each message before delivery, so a malicious email is blocked before it can reach a user.
Why Paubox utilizes a secure email gateway approach
Paubox uses a secure email gateway because it provides the strongest protection for healthcare organizations. The before-delivery model ensures that malicious emails never reach user inboxes, eliminating any possibility of accidental exposure. This approach aligns with the healthcare principle of prevention over remediation.
The SEG approach also provides better visibility and control for IT teams. Administrators can review, quarantine, and release messages before they reach users, rather than scrambling to remove threats from thousands of mailboxes. This proactive approach is especially valuable for organizations handling sensitive patient data, where a single security lapse can have serious consequences.
Building an inbound email security strategy
Research from the Association for Intelligent Information Management shows that fewer than half of organizations have established email policies in place, even though the majority consider email essential for both internal and external communications.
Effective inbound email security requires defenses that span people, process, and technology. This approach aligns with the HIPAA Security Rule's requirement for administrative, physical, and technical safeguards to protect ePHI.
Empowering your team
Forbes notes the importance of being intentional with email habits, noting that the volume of messages people send makes it impossible to track where information ends up once you click send. Recipients can forward, copy, screenshot messages, or share them in unexpected ways. This makes it crucial for healthcare employees to consider how they use email and where sensitive information may be vulnerable.
The HIPAA Security Rule requires that organizations train their workforce members on security policies and procedures. This training requirement recognizes that human factors are important to maintaining the security of ePHI. However, the systematic literature review found that approximately 95% of organizations reported inadequate, inconsistent, or donor-dependent training in cybersecurity. The research also noted that most breaches result from employee carelessness and failure to comply with information security policies and procedures, though external hackers remain a threat.
Targeted phishing simulations
Phishing simulations use realistic scenarios that mirror actual attack patterns targeting healthcare. These might include fake patient portal alerts, vendor invoice requests, or urgent messages appearing to come from executives.
When your security team identifies a new phishing campaign targeting your industry, create a simulation based on that actual threat. This keeps training relevant and helps employees recognize the specific tactics used against healthcare organizations.
Encourage a "Report, Don't Punish" culture
Employees who worry about being blamed for falling for a phishing simulation become reluctant to report suspicious emails or admit when they've made a mistake.
Create a culture where reporting potential threats is celebrated, not punished. Make it easy for staff to flag suspicious emails with a single click. When employees report threats, even false alarms, acknowledge and thank them.
Train for context cues
Rather than memorizing lists of generic warning signs, teach employees to evaluate context. Help staff recognize social engineering tactics that exploit urgency, authority, and trust. The INTERPOL report states that "generative AI enables fraudsters to craft convincing, personalized emails that mimic the style and linguistic patterns of specific individuals or organizations," making these attacks difficult to detect. Train employees to verify unusual requests through alternative channels such as calling the supposed sender directly or checking with a supervisor before taking action.
Establishing security foundations
The HIPAA Security Rule requires organizations to implement policies and procedures as part of their administrative safeguards.
Designated security leadership
According to the HIPAA Security Rule, organizations must designate a security official responsible for developing and implementing required policies and procedures. This individual serves as the focal point for security initiatives and ensures accountability for maintaining ePHI protection.
Enforce multi-factor authentication and strong password policies
Implement MFA across all systems that access or contain ePHI. Use strong password policies that require adequate length and complexity without creating such burdensome requirements that employees resort to writing passwords down or reusing them across systems. The HIPAA Security Rule requires procedures to verify that persons seeking access to ePHI are who they claim to be, which makes authentication controls a requirement rather than an option.
Use a least privilege access policy
Least privilege access means giving employees only the permissions necessary to perform their specific job functions. This limits the potential damage from compromised accounts and reduces the attack surface for email-based threats.
The HIPAA Security Rule supports this approach through its information access management requirements, which require that access to ePHI be authorized appropriately based on the user's role. This aligns with the Privacy Rule's minimum necessary standard.
Review and audit access permissions regularly. Remove unnecessary access when employees change roles. Ensure that temporary contractors or vendors have defined access limitations and that their access is revoked promptly when no longer needed.
Create an incident response plan
The HIPAA Security Rule requires organizations to implement policies and procedures to address security incidents. Organizations must identify and respond to suspected or known incidents, mitigate harmful effects where possible, and document security incidents and their outcomes.
Your incident response plan should identify stakeholders including IT staff, management, legal counsel, and compliance officers. Define the types of incidents that might occur, from minor phishing attempts to major ransomware attacks. Document the specific steps for each scenario, including how to isolate affected systems, preserve evidence, notify affected parties, and report to appropriate authorities.
Contingency planning and data backup
The HIPAA Security Rule requires that organizations establish contingency plans for responding to emergencies that damage information systems containing ePHI. This includes procedures for backing up data, restoring lost information, and continuing business processes while operating in emergency mode.
Regular data backups protect against ransomware attacks, system failures, and other disasters. Test backup systems regularly to ensure they function correctly and can be restored when needed.
Implementing AI-powered protection
The HIPAA Security Rule's technical safeguards requirements emphasize access controls, audit mechanisms, integrity protections, and transmission security.
AI and machine learning
AI-powered systems analyze communication patterns, learn normal email behavior for your organization, and identify anomalies signaling potential threats.
The evolution of AI-powered phishing attacks
According to Analysis and prevention of AI-based phishing email attacks by Chibuike Samuel Eze and Lior Shamir, attackers now use generative AI to "send each potential victim a different email, making it more difficult for cybersecurity systems to identify the scam email."
According to Eze and Shamir, characteristics of AI-generated phishing include:
- Use more verbs and pronouns than human-written scams
- Average 5.7 characters per word vs. 4.76-5 in manual emails
- Express more positive sentiments while creating artificial urgency
- Demonstrate greater vocabulary diversity with less repetition
Detecting AI-generated threats
According to Eze and Shamir, machine learning can identify AI-generated phishing with 99.3% accuracy when properly trained. Detection methods include topic modeling, style analysis, and deep neural networks. The researchers note that "AI-generated emails are different in their style from human-generated phishing email scams," creating detectable patterns.
- Behavioral analysis - AI learns typical communication patterns for users and groups, including who communicates with whom, message timing, tone and structure, and common subject lines and content. When emails deviate from these patterns, the AI flags them for scrutiny.
- Intent and sentiment analysis - Advanced AI examines underlying intent and sentiment, detecting urgency indicators, authority exploitation, fear-based manipulation, and requests deviating from normal processes.
- Adaptive learning - AI-powered security continuously learns and improves as threats change, adapting without manual rule updates. However, Eze and Shamir note that systems must be trained on both human-generated and AI-generated phishing examples, stating "it is important to train machine learning systems also with AI-generated emails in order to repel future phishing attacks that are powered by generative AI."
Multi-layer inspection
The HIPAA Security Rule requires organizations to implement mechanisms that record and examine activity in information systems containing ePHI, as well as measures to ensure that ePHI is not improperly altered or destroyed. A comprehensive solution should include:
- Header and authentication checks - Technical validation of email headers and authentication protocols helps identify spoofed messages and suspicious sources. This includes validating SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
- Attachment scanning - Malicious attachments remain a common attack vector. Scanning should analyze file types and contents for malware, ransomware, and other payloads, detect obfuscation techniques designed to hide malicious code, and identify risky executable behavior before files reach user devices.
- URL and link scanning - Credential harvesting and malware distribution often occur through malicious links embedded in emails. URL scanning inspects links in safe sandbox environments, detects credential harvesting pages and spoofed login portals, and identifies malicious redirects and drive-by download attempts.
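As an added example of the header and authentication checks described above (this is illustrative code, not Paubox's product code): parse the Authentication-Results header that a trusted upstream gateway stamps on a message and apply DMARC-style alignment between the authenticated SPF and DKIM identifiers and the visible From: domain. The sample messages are constructed, and organizational-domain matching is simplified to the last two labels, which is an assumption; production code should consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The Authentication-Results header
# is assumed to have been added by a trusted gateway that already ran SPF/DKIM.
MSG_ALIGNED = """From: Billing <billing@clinic.example>
Authentication-Results: mx.gateway.example; spf=pass smtp.mailfrom=bounces.clinic.example; dkim=pass (2048-bit key) header.d=clinic.example
Subject: Statement

Your statement is attached.
"""

# SPF and DKIM both pass, but for the sender's own unrelated domain. A plain
# pass/fail check would accept this; alignment against the From: domain rejects it.
MSG_UNALIGNED = """From: CEO <ceo@clinic.example>
Authentication-Results: mx.gateway.example; spf=pass smtp.mailfrom=other-sender.example; dkim=pass header.d=other-sender.example
Subject: Urgent wire request

Please process today.
"""

MSG_NOAUTH = """From: records@clinic.example
Authentication-Results: mx.gateway.example; spf=fail smtp.mailfrom=clinic.example; dkim=none
Subject: Records

See attached.
"""

def parse_auth_results(value):
    """Extract SPF and DKIM results plus the domain each method authenticated."""
    out = {"spf": None, "dkim": []}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)", clause.strip())
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        if method == "spf":
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
            out["spf"] = (result, d.group(1).lower() if d else None)
        else:
            d = re.search(r"header\.d=([\w.-]+)", clause)
            out["dkim"].append((result, d.group(1).lower() if d else None))
    return out

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    return ".".join(domain.split(".")[-2:])

def aligned(from_dom, auth_dom, strict):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    if not auth_dom:
        return False
    return from_dom == auth_dom if strict else org_domain(from_dom) == org_domain(auth_dom)

def dmarc_check(raw_message, strict_spf=False, strict_dkim=False):
    """Return (verdict, reason). Pass needs at least one passing identifier
    (SPF MAIL FROM domain or DKIM d=) that aligns with the From: domain."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = msg.get("Authentication-Results")
    if not from_dom or not ar:
        return "fail", "missing From domain or Authentication-Results header"
    res = parse_auth_results(ar)
    spf_ok = (res["spf"] is not None and res["spf"][0] == "pass"
              and aligned(from_dom, res["spf"][1], strict_spf))
    dkim_ok = any(r == "pass" and aligned(from_dom, d, strict_dkim) for r, d in res["dkim"])
    if spf_ok or dkim_ok:
        return "pass", f"aligned via {'spf' if spf_ok else 'dkim'}"
    return "fail", f"no identifier aligned with From domain {from_dom}: {res}"
```

The unaligned sample is the case a raw "did SPF pass?" check gets wrong: both protocols pass for a domain that has nothing to do with the displayed sender, and only alignment catches it.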
Why Paubox provides comprehensive protection
Paubox delivers enterprise-grade inbound email security purpose-built for healthcare organizations. The solution combines advanced technology with healthcare-specific features to provide protection that addresses the challenges facing medical practices.
AI plus rules-based filtering
Rather than forcing organizations to choose between AI-powered detection and rules-based filtering, Paubox provides both. When a message reaches Paubox, it passes through several coordinated layers of inspection working to evaluate every aspect of the email for potential threats. The AI analysis learns what typical communication looks like for each user and group, evaluates tone, intent, and structure to find social engineering patterns, and flags unusual sending behavior such as out-of-pattern requests or language.
Powerful purpose-built features
Paubox includes features that address specific healthcare security challenges:
- ExecProtect automatically prevents attacks from lookalike domains and compromised accounts that impersonate colleagues and trick employees.
- Paubox Tags authenticate incoming emails that are sent by verified, safe senders with custom tags. This visual indicator helps staff quickly identify legitimate communications from trusted sources.
- Paubox Transcription automatically transcribes voicemail and audio attachments into text that's embedded in the email. This feature improves workflow efficiency while maintaining security by converting audio files.
Privacy and compliance
Email data is always safe with Paubox and never stored or shared with third parties. The solution is purpose-built for healthcare with HIPAA compliance built into its core. Every feature and function is designed with healthcare's unique regulatory requirements in mind.
Unified platform approach
Paubox offers a unified platform that includes email encryption, inbound email security, email data loss prevention, and email archiving. Administrators manage Inbound Email Security rules, quarantine, reports, and other functions directly within the Paubox dashboard alongside other products. This simplifies administration, reduces the need to manage multiple vendor solutions, and provides consistent security policies across all email functions.
Best practices for ongoing email security protection
Maintaining inbound email security requires ongoing attention and adherence to best practices.
- Develop and maintain an incident response plan - Create a plan that identifies stakeholders, defines incident scope and severity levels, establishes clear response processes, and includes regular training.
- Use secure email services - Choose HIPAA compliant email providers that encrypt emails. Sign a business associate agreement (BAA).
- Provide ongoing security training - Deliver regular, engaging training on phishing tactics and email scams. Use short, frequent sessions with varied formats including videos, interactive modules, and real-time simulations.
- Deploy and configure email filters - Set up filters to quarantine suspicious messages and block known spam sources. Train employees to identify and report emails that bypass filters.
- Encrypt sensitive data - Ensure automatic encryption of messages containing PHI. Encrypt attachments before sending.
- Use firewalls and antivirus software - Install and maintain up-to-date firewalls and antivirus software on all devices. Use email-specific antivirus software to scan all incoming and outgoing messages. Automate updates to ensure continuous protection.
- Monitor email traffic - Track email traffic to identify potential threats quickly. Establish regular reporting to monitor for abnormal activity such as unusual sending volumes, communication times, or suspicious external contacts.
- Backup your email data - Establish a regular backup schedule using secure, HIPAA compliant, encrypted solutions. Test backups regularly to ensure they can be restored in case of a security breach or data loss.
- Conduct regular security audits - Perform periodic evaluations of email system access, user accounts, and security policies. Review technical controls, processes, and procedures. Address identified vulnerabilities and maintain documentation for at least six years.
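The behavioral-analysis bullet earlier (who communicates with whom, message timing) and the "Monitor email traffic" item above (unusual sending volumes, communication times, suspicious external contacts) both describe the same baseline-and-deviation idea. As an added example that is not Paubox's detection code, here is that idea over a constructed mail log: a baseline is learned from earlier days per sender, and later traffic is flagged for volume spikes, off-hours sending, and first contact with an external domain. The log format, the internal domain, and the threshold factor are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "clinic.example"   # assumption: the organization's own domain

# Constructed sample log (not real traffic). Assumed format per line:
# "<ISO-8601 UTC timestamp> from=<address> to=<address>"
LOG = """
2025-12-01T09:14:03Z from=nurse1@clinic.example to=front-desk@clinic.example
2025-12-01T10:02:11Z from=nurse1@clinic.example to=lab@partner-lab.example
2025-12-01T11:30:45Z from=nurse1@clinic.example to=front-desk@clinic.example
2025-12-02T08:55:19Z from=nurse1@clinic.example to=lab@partner-lab.example
2025-12-02T14:12:00Z from=nurse1@clinic.example to=dr.lee@clinic.example
2025-12-03T02:41:07Z from=nurse1@clinic.example to=drop1@unknown-host.example
2025-12-03T02:41:09Z from=nurse1@clinic.example to=drop2@unknown-host.example
2025-12-03T02:42:30Z from=nurse1@clinic.example to=drop3@unknown-host.example
2025-12-03T02:43:51Z from=nurse1@clinic.example to=drop4@unknown-host.example
2025-12-03T09:30:00Z from=nurse1@clinic.example to=front-desk@clinic.example
2025-12-03T10:05:00Z from=nurse1@clinic.example to=lab@partner-lab.example
"""

def parse_log(text):
    """Return a list of (timestamp, sender, recipient) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       fields["from"].lower(), fields["to"].lower()))
    return events

def hour_bucket(ts):
    return ts.strftime("%Y-%m-%dT%H")

def build_baseline(events):
    """Per sender: hours of day seen, recipient domains seen, peak messages/hour."""
    hours, domains, per_hour = defaultdict(set), defaultdict(set), Counter()
    for ts, frm, to in events:
        hours[frm].add(ts.hour)
        domains[frm].add(to.rpartition("@")[2])
        per_hour[(frm, hour_bucket(ts))] += 1
    peak = defaultdict(int)
    for (frm, _), n in per_hour.items():
        peak[frm] = max(peak[frm], n)
    return hours, domains, peak

def find_anomalies(baseline_events, new_events, volume_factor=3):
    """Flag (sender, hour bucket, reason) for traffic that departs from the baseline."""
    hours, domains, peak = build_baseline(baseline_events)
    per_hour = Counter((frm, hour_bucket(ts)) for ts, frm, _ in new_events)
    findings = set()
    for ts, frm, to in new_events:
        bucket = hour_bucket(ts)
        if per_hour[(frm, bucket)] > volume_factor * max(peak[frm], 1):
            findings.add((frm, bucket, "volume"))
        if hours[frm] and ts.hour not in hours[frm]:
            findings.add((frm, bucket, "off-hours"))
        dom = to.rpartition("@")[2]
        if dom != INTERNAL_DOMAIN and dom not in domains[frm]:
            findings.add((frm, bucket, f"new-external-domain:{dom}"))
    return sorted(findings)

def run(log_text=LOG, cutoff="2025-12-03"):
    """Learn the baseline from days before the cutoff and score the days after it."""
    events = parse_log(log_text)
    cut = datetime.strptime(cutoff, "%Y-%m-%d")
    return find_anomalies([e for e in events if e[0] < cut],
                          [e for e in events if e[0] >= cut])
```

On the sample log the four messages sent at 02:xx on day 3 trigger all three rules, while the two daytime messages to known recipients produce no finding.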
FAQs
What is the difference between inbound and outbound email security?
Inbound email security protects against threats entering an organization, while outbound security ensures sensitive data is not improperly sent out.
How does email spoofing differ from phishing?
Email spoofing involves forging sender information, while phishing focuses on manipulating recipients into taking harmful actions.
Are small healthcare practices at the same risk level as large hospitals?
Yes, small healthcare practices face similar email-based threats due to their valuable PHI and often limited security resources.