According to the FBI’s Internet Crime Complaint Center, phishing is the single most frequently reported cybercrime category in the US, making up more than one-fifth of all reported cyber incidents. With protected health information (PHI) at stake and strict HIPAA compliance requirements, healthcare practices need inbound email security strategies that go beyond basic spam filters.
Forbes Technology Council member Jeff Bell notes in Tips For Improving Your Email Privacy And Security, "there is no such thing as perfect security." While email providers implement encryption and secure data centers, email accounts and networks remain vulnerable to compromise. This shows why healthcare organizations need multiple layers of protection rather than relying on any single security measure.
The 2025 Healthcare Email Security Report from Paubox reveals that between January 1, 2024, and January 31, 2025, 180 healthcare organizations reported email-related security breaches to the HHS Office for Civil Rights. A study published in Sustainability, "Cyber Risk in Health Facilities: A Systematic Literature Review" by Sardi, Rizzi, Sorano, and Guerrieri, examined the scope of cyber risk in healthcare and found that healthcare experiences more ransomware attacks than any other sector, with email serving as the initial entry point in the majority of cases. The systematic literature review noted that from 2005 to 2019, approximately 249 million individuals were affected by healthcare data breaches, with over ninety percent of breached records in recent years compromised through hacking attacks.
Phishing attacks have become sophisticated, with threat actors using social engineering tactics that exploit the trust relationships and hierarchical structures within healthcare settings. An INTERPOL report notes that criminals are "continuously refining their tactics, utilizing social engineering, artificial intelligence, and instant messaging platforms to launch increasingly sophisticated attacks." Business email compromise (BEC) schemes impersonate executives or vendors to trick employees into transferring funds or sharing sensitive information. Malware disguised in attachments can infiltrate entire networks, while credential harvesting attempts steal login information to access patient records and internal systems.
Learn more: Types of email platform attacks targeting organizations in 2025
According to IBM's 2025 Cost of a Data Breach Report, healthcare recorded "the highest average breach cost among industries for the 12th consecutive year" at $7.42 million. The systematic literature review found that breaches in the healthcare sector averaged approximately $6.45 million, with the cost per breached healthcare record reaching $429 in 2019, which is higher than the $150 average across other industries.
IBM's research reveals that breach costs extend across four categories:
Investing in inbound email security delivers returns by preventing these costly incidents. IBM's research shows that organizations using AI and automation in their security operations achieved average breach costs of $3.62 million, a savings of $1.9 million compared to organizations not using these technologies. These organizations also identified and contained breaches 80 days faster than those without AI-powered defenses. The time savings for IT teams, reduced incident response costs, and avoided downtime show positive ROI within the first year.
HIPAA regulations establish requirements for protecting electronic protected health information (ePHI). According to the Summary of the HIPAA Security Rule published by the HHS, covered entities and business associates must implement reasonable and appropriate administrative, physical, and technical safeguards. The Security Rule requires organizations to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, while protecting against reasonably anticipated threats and ensuring workforce compliance.
Note that email security and email privacy serve different but complementary functions. According to Forbes, email security focuses on protecting account data from unauthorized access, while email privacy relates to how personal information is gathered, shared, stored, or transmitted. Healthcare organizations must address both to maintain protection of patient information and comply with HIPAA requirements.
According to the HIPAA Security Rule, organizations must consider multiple factors when selecting security measures, including their size and complexity, technical infrastructure capabilities, implementation costs, and the probability and criticality of potential risks to ePHI. This scalability allows healthcare practices of all sizes to implement appropriate protections.
According to Kim Stanger in E-mailing and Texting PHI: Beware HIPAA, the HIPAA Privacy Rule actually requires covered entities to communicate with patients via email or text when patients request it, though appropriate safeguards must be in place. Stanger notes a distinction in HIPAA requirements: while covered entities must secure their outbound communications to patients through either encryption or patient warnings about risks, the Security Rule doesn't apply to incoming messages from patients. When patients initiate unsecured email or text communications, that information becomes protected under HIPAA once the provider receives it.
However, Stanger states that this flexibility doesn't extend to communications with other providers, employees, or third parties. For these communications, simply warning recipients about security risks isn't sufficient; organizations must generally ensure their emails and texts comply with Security Rule standards through encryption or other appropriate technical safeguards.
Inbound email security directly addresses several HIPAA Security Rule requirements. It helps prevent unauthorized access to ePHI, maintains the integrity of patient data, and supports audit capabilities that track and monitor security incidents. Organizations that fail to implement adequate email security measures risk not only data breaches but also HIPAA violations that can result in penalties.
Learn more: Best practices for patient communication using HIPAA compliant email
Understanding the different approaches to email security helps organizations choose the right solution for their needs.
Integrated Cloud Email Security (ICES) solutions work within your existing email platform, typically through API connections to cloud email services such as Microsoft 365 or Google Workspace. These solutions analyze emails after they have already been delivered to your email environment.
ICES offers advantages in terms of deployment speed and integration with collaboration tools. However, the after-delivery approach creates a vulnerability window. Even if a malicious email is detected and remediated within seconds, that brief exposure creates risk.
Paubox uses a secure email gateway (SEG) because it provides the strongest protection for healthcare organizations. The before-delivery model ensures that malicious emails never reach user inboxes, eliminating any possibility of accidental exposure. This approach aligns with the healthcare principle of prevention over remediation.
The SEG approach also provides better visibility and control for IT teams. Administrators can review, quarantine, and release messages before they reach users, rather than scrambling to remove threats from thousands of mailboxes. This proactive approach is good for organizations handling sensitive patient data where a single security lapse can have consequences.
Learn more: SEG vs. ICES and which email security approach protects healthcare
Research from the Association for Intelligent Information Management shows that fewer than half of organizations have established email policies in place, even though the majority consider email essential for both internal and external communications.
Effective inbound email security requires layered defenses that span people, process, and technology. This approach aligns with the HIPAA Security Rule's requirement for administrative, physical, and technical safeguards to protect ePHI.
Forbes stresses the importance of being intentional with email habits, noting that the volume of messages people send makes it impossible to track where information ends up once you click send. Recipients can forward, copy, screenshot messages, or share them in unexpected ways. This makes it crucial for healthcare employees to consider how they use email and where sensitive information may be vulnerable.
The HIPAA Security Rule requires that organizations train their workforce members on security policies and procedures. This training requirement recognizes that human factors are important to maintaining the security of ePHI. However, the systematic literature review found that approximately 95% of organizations reported inadequate, inconsistent, or donor-dependent training in cybersecurity. The research also noted that most breaches result from employee carelessness and failure to comply with information security policies and procedures, though external hackers remain a threat.
Phishing simulations use realistic scenarios that mirror actual attack patterns targeting healthcare. These might include fake patient portal alerts, vendor invoice requests, or urgent messages appearing to come from executives.
When your security team identifies a new phishing campaign targeting your industry, create a simulation based on that actual threat. This keeps training relevant and helps employees recognize the specific tactics used against healthcare organizations.
Employees who worry about being blamed for falling for a phishing simulation become reluctant to report suspicious emails or admit when they've made a mistake.
Create a culture where reporting potential threats is celebrated, not punished. Make it easy for staff to flag suspicious emails with a single click. When employees report threats, even false alarms, acknowledge and thank them.
Rather than memorizing lists of generic warning signs, teach employees to evaluate context. Help staff recognize social engineering tactics that exploit urgency, authority, and trust. The INTERPOL report states that "generative AI enables fraudsters to craft convincing, personalized emails that mimic the style and linguistic patterns of specific individuals or organizations," making these attacks difficult to detect. Train employees to verify unusual requests through alternative channels such as calling the supposed sender directly or checking with a supervisor before taking action.
The HIPAA Security Rule requires organizations to implement policies and procedures as part of their administrative safeguards.
According to the HIPAA Security Rule, organizations must designate a security official responsible for developing and implementing required policies and procedures. This individual serves as the focal point for security initiatives and ensures accountability for maintaining ePHI protection.
Implement MFA across all systems that access or contain ePHI. Use strong password policies that require adequate length and complexity without creating such burdensome requirements that employees resort to writing passwords down or reusing them across systems. The HIPAA Security Rule requires procedures to verify that persons seeking access to ePHI are who they claim to be, making authentication controls essential.
Least privilege access means giving employees only the permissions necessary to perform their specific job functions. This limits the potential damage from compromised accounts and reduces the attack surface for email-based threats.
The HIPAA Security Rule supports this approach through its information access management requirements, which require that access to ePHI be authorized appropriately based on the user's role. This aligns with the Privacy Rule's minimum necessary standard.
Review and audit access permissions regularly. Remove unnecessary access when employees change roles. Ensure that temporary contractors or vendors have defined access limitations and that their access is revoked promptly when no longer needed.
The HIPAA Security Rule requires organizations to implement policies and procedures to address security incidents. Organizations must identify and respond to suspected or known incidents, mitigate harmful effects where possible, and document security incidents and their outcomes.
Your incident response plan should identify stakeholders including IT staff, management, legal counsel, and compliance officers. Define the types of incidents that might occur, from minor phishing attempts to major ransomware attacks. Document the specific steps for each scenario, including how to isolate affected systems, preserve evidence, notify affected parties, and report to appropriate authorities.
The HIPAA Security Rule requires that organizations establish contingency plans for responding to emergencies that damage information systems containing ePHI. This includes procedures for backing up data, restoring lost information, and continuing business processes while operating in emergency mode.
Regular data backups protect against ransomware attacks, system failures, and other disasters. Test backup systems regularly to ensure they function correctly and can be restored when needed.
The HIPAA Security Rule's technical safeguards requirements emphasize access controls, audit mechanisms, integrity protections, and transmission security.
AI-powered systems analyze communication patterns, learn normal email behavior for your organization, and identify anomalies signaling potential threats.
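One simplified version of the baseline-and-deviation idea above, as an added example and not Paubox's code or a description of its AI: it learns which external senders each recipient normally hears from, then flags first-seen external senders and display names that match a staff member but arrive from a different address (the executive-impersonation pattern described earlier). The domain example-clinic.test, the staff directory, the history and the new messages are all constructed for the demo.

```python
"""Baseline-and-deviation check for inbound mail: learn which external senders
each recipient normally hears from, then flag first-seen external senders and
display names that match a staff member but come from another address.

Added illustration, not Paubox's code and not a model of its AI. The staff
directory, history and new messages are constructed; the domain is assumed."""
from collections import defaultdict
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-clinic.test"                     # assumption
DIRECTORY = {                                               # constructed
    "Dana Lee": "dlee@example-clinic.test",
    "Sam Ortiz": "sortiz@example-clinic.test",
}
# Constructed 30-day history of (recipient, sender address) pairs, as a
# gateway log would record them.
HISTORY = [
    ("ap@example-clinic.test", "billing@vendor.test"),
    ("ap@example-clinic.test", "billing@vendor.test"),
    ("ap@example-clinic.test", "dlee@example-clinic.test"),
    ("frontdesk@example-clinic.test", "noreply@labs-partner.test"),
]


def build_baseline(history):
    """Map each recipient to the set of sender addresses seen before."""
    seen = defaultdict(set)
    for rcpt, sender in history:
        seen[rcpt.lower()].add(sender.lower())
    return seen


def score(rcpt, from_header, baseline):
    """Return a list of anomaly flags for one new message (empty = normal)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    # Display name belongs to a staff member but the address is not theirs.
    expected = DIRECTORY.get(name.strip())
    if expected and expected != addr:
        flags.append(f"display name '{name}' matches staff but address is {addr}")
    # External address this recipient has never received mail from before.
    if domain != INTERNAL_DOMAIN and addr not in baseline.get(rcpt.lower(), set()):
        flags.append(f"first-seen external sender {addr} for {rcpt}")
    return flags


NEW_MESSAGES = [                                            # constructed
    ("ap@example-clinic.test", "billing@vendor.test"),
    ("ap@example-clinic.test", '"Dana Lee" <dana.lee.ceo@webmail-example.test>'),
    ("ap@example-clinic.test", '"Dana Lee" <dlee@example-clinic.test>'),
    ("frontdesk@example-clinic.test", "support@new-supplier.test"),
]


def run(history=HISTORY, messages=NEW_MESSAGES):
    """Score every new message against the baseline; {From header: flags}."""
    baseline = build_baseline(history)
    return {frm: score(rcpt, frm, baseline) for rcpt, frm in messages}


if __name__ == "__main__":
    for frm, flags in run().items():
        print(frm, "->", flags or "normal")
```

A first-seen external sender is a weak signal on its own (new vendors appear all the time), which is why the two flags are reported separately so that a gateway rule can quarantine on the impersonation flag but only annotate on the first-seen flag.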
The evolution of AI-powered phishing attacks
According to Analysis and prevention of AI-based phishing email attacks by Chibuike Samuel Eze and Lior Shamir, attackers now use generative AI to "send each potential victim a different email, making it more difficult for cybersecurity systems to identify the scam email."
According to Eze and Shamir, characteristics of AI-generated phishing include:
Detecting AI-generated threats
According to Eze and Shamir, machine learning can identify AI-generated phishing with 99.3% accuracy when properly trained. Detection methods include topic modeling, style analysis, and deep neural networks. The researchers note that "AI-generated emails are different in their style from human-generated phishing email scams," creating detectable patterns.
The HIPAA Security Rule requires organizations to implement mechanisms that record and examine activity in information systems containing ePHI, as well as measures to ensure that ePHI is not improperly altered or destroyed. A comprehensive solution should include:
Header and authentication checks - Technical validation of email headers and authentication protocols helps identify spoofed messages and suspicious sources. This includes validating SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Attachment scanning - Malicious attachments remain a common attack vector. Scanning should analyze file types and contents for malware, ransomware, and other payloads, detect obfuscation techniques designed to hide malicious code, and identify risky executable behavior before files reach user devices.
URL and link scanning - Credential harvesting and malware distribution often occur through malicious links embedded in emails. URL scanning inspects links in safe sandbox environments, detects credential harvesting pages and spoofed login portals, and identifies malicious redirects and drive-by download attempts.
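As an added example (not Paubox's code) of the header and authentication checks listed above: the script below reads the Authentication-Results header that a receiving MTA writes after evaluating SPF and DKIM, then applies DMARC-style identifier alignment against the From domain. It does no DNS lookups itself, the sample messages and the domains in them are constructed, and the two-label "organizational domain" shortcut is an assumption standing in for the Public Suffix List.

```python
"""Interpret an Authentication-Results header (RFC 8601) and apply DMARC-style
identifier alignment against the RFC 5322 From domain.

Added illustration, not Paubox's code. It performs no DNS lookups: it assumes
an upstream MTA already evaluated SPF and DKIM and recorded the results."""
import email
import re
from email import policy
from email.utils import parseaddr

# "method=result prop.name=value ..." clauses, e.g. "spf=pass smtp.mailfrom=..."
CLAUSE_RE = re.compile(r"^(?P<method>[a-z]+)=(?P<result>[a-z]+)(?P<props>.*)$")
PROP_RE = re.compile(r"([a-z]+\.[a-z]+)=(\S+)")


def parse_auth_results(value):
    """Return {method: (result, {prop: value})} from a header value."""
    value = " ".join(value.split())          # collapse folding whitespace
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:               # clauses[0] is the authserv-id
        m = CLAUSE_RE.match(clause)
        if m:
            props = dict(PROP_RE.findall(m.group("props")))
            results[m.group("method")] = (m.group("result"), props)
    return results


def org_domain(domain):
    """Simplified organizational domain: the last two labels. A production
    check would use the Public Suffix List; this shortcut is an assumption."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain."""
    if not identifier_domain or not from_domain:
        return False
    if strict:
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate(raw):
    """Decide whether a message's authenticated identifiers back up its From."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim_props.get("header.d", "")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    verdict = {"from_domain": from_domain,
               "spf": spf_result, "spf_aligned": spf_ok,
               "dkim": dkim_result, "dkim_aligned": dkim_ok,
               "dmarc_pass": spf_ok or dkim_ok}
    # Gateway policy (assumption): hold anything whose From is not backed by
    # an aligned SPF or DKIM pass for administrator review.
    verdict["action"] = "deliver" if verdict["dmarc_pass"] else "quarantine"
    return verdict


# Constructed samples. The first passes SPF and DKIM for a bulk-mail provider
# while displaying the clinic's own domain in From: neither identifier aligns.
SAMPLE_UNALIGNED = b"""\
Authentication-Results: mx.example-clinic.test;
 spf=pass smtp.mailfrom=bounce@bulkmailer.test;
 dkim=pass header.d=bulkmailer.test
From: "Billing Dept" <billing@example-clinic.test>
To: staff@example-clinic.test
Subject: Urgent invoice

Please see attached.
"""
SAMPLE_ALIGNED = b"""\
Authentication-Results: mx.example-clinic.test;
 spf=pass smtp.mailfrom=notices@mail.example-clinic.test;
 dkim=pass header.d=example-clinic.test
From: "Billing Dept" <billing@example-clinic.test>
To: staff@example-clinic.test
Subject: Monthly statement

Statement attached.
"""
SAMPLE_NO_AUTH = b"""\
From: "Billing Dept" <billing@example-clinic.test>
To: staff@example-clinic.test
Subject: Hello

No Authentication-Results header at all.
"""
```

A real gateway would also fetch the From domain's published DMARC record and honour its requested policy (none, quarantine or reject) instead of the fixed quarantine rule used here, and would only trust an Authentication-Results header whose authserv-id is its own, since the header is otherwise just another forgeable line.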
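As an added example (not Paubox's code) of the attachment and URL checks listed above: a small triage routine that compares an attachment's declared extension with its leading bytes and flags HTML links whose visible text names a different host than the real href. The magic-byte table is deliberately short, the sample message, domains and file name are constructed, and the sandbox detonation mentioned above is out of scope; these are the static checks a gateway runs before anything is opened.

```python
"""Inspect a MIME message for an attachment whose declared name disagrees with
its magic bytes, and for HTML links whose visible text names a different host
than the actual href.

Added illustration, not Paubox's code. The signature table and the sample
message are constructed for the demo; this is not a complete malware scanner."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Leading bytes of a few common formats (assumption: enough for this demo).
MAGIC = {b"%PDF-": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip",
         b"\xd0\xcf\x11\xe0": "ole"}
# Which declared extensions are consistent with each sniffed container.
EXT_OK = {"pdf": {"pdf"}, "zip": {"zip", "docx", "xlsx", "pptx"},
          "ole": {"doc", "xls", "ppt"}}
BLOCK_KINDS = {"exe"}                        # never deliver executables
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def sniff(data):
    """Classify content by its first bytes, ignoring the declared type."""
    return next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")


def classify_attachment(filename, data):
    """Return ("block" | "allow", note) for one attachment."""
    ext = filename.rpartition(".")[2].lower()
    kind = sniff(data)
    if kind in BLOCK_KINDS:
        return "block", f"{filename}: executable content"
    if kind != "unknown" and ext not in EXT_OK[kind]:
        return "block", f"{filename}: declared .{ext} but content is {kind}"
    return "allow", filename


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchors."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag anchors whose text looks like a URL/host that differs from href."""
    parser = LinkCollector()
    parser.feed(html)
    notes = []
    for href, text in parser.links:
        m = HOST_RE.match(text)
        shown, actual = (m.group(1).lower() if m else None), urlparse(href).hostname
        if shown and actual and shown != actual.lower():
            notes.append(f"link text shows {shown} but href goes to {actual}")
    return notes


def triage(raw):
    """Run both checks over a raw RFC 5322 message; return findings and action."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        action, note = classify_attachment(part.get_filename() or "",
                                           part.get_payload(decode=True) or b"")
        if action == "block":
            findings.append(("attachment", note))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += [("link", n) for n in check_links(body.get_content())]
    return {"findings": findings, "action": "quarantine" if findings else "deliver"}


def build_sample():
    """Constructed message: a 'PDF invoice' that is really a PE executable and a
    link whose text shows the clinic's portal but points elsewhere."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@vendor.test", "ap@example-clinic.test"
    msg["Subject"] = "Invoice 4471 - action required"
    msg.set_content(
        '<p>Review at <a href="http://portal-login.example-phish.test/x">\n'
        'https://portal.example-clinic.test</a> or open the attached invoice.</p>\n'
        '<p><a href="https://vendor.test/help">Help</a></p>\n', subtype="html")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                       maintype="application", subtype="pdf",
                       filename="Invoice_4471.pdf")
    return msg.as_bytes()
```

Extension-versus-content mismatch is a cheap, high-precision signal because legitimate senders rarely mislabel files, whereas the link check deliberately ignores anchors whose text is plain words ("Help") since only a visible URL creates an expectation the href can betray.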
Read also: Building an inbound email policy for your organization
Paubox delivers enterprise-grade inbound email security purpose-built for healthcare organizations. The solution combines advanced technology with healthcare-specific features to provide protection that addresses the challenges facing medical practices.
Rather than forcing organizations to choose between AI-powered detection and rules-based filtering, Paubox provides both. When a message reaches Paubox, it passes through several coordinated layers of inspection working to evaluate every aspect of the email for potential threats. The AI analysis learns what typical communication looks like for each user and group, evaluates tone, intent, and structure to find social engineering patterns, and flags unusual sending behavior such as out-of-pattern requests or language.
Paubox includes features that address specific healthcare security challenges:
Email data is always safe with Paubox and never stored or shared with third parties. The solution is purpose-built for healthcare with HIPAA compliance built into its core. Every feature and function is designed with healthcare's unique regulatory requirements in mind.
Paubox offers a unified platform that includes email encryption, inbound email security, email data loss prevention, and email archiving. Administrators manage Inbound Email Security rules, quarantine, reports, and other functions directly within the Paubox dashboard alongside other products. This simplifies administration, reduces the need to manage multiple vendor solutions, and provides consistent security policies across all email functions.
Maintaining inbound email security requires ongoing attention and adherence to best practices.
Read also: Inbound Email Security
Inbound email security protects against threats entering an organization, while outbound security ensures sensitive data is not improperly sent out.
Email spoofing involves forging sender information, while phishing focuses on manipulating recipients into taking harmful actions.
Yes, small healthcare practices face similar email-based threats due to their valuable PHI and often limited security resources.