
3 min read

New Paubox report: Healthcare IT is dangerously overconfident about email security

92% of healthcare IT leaders say they’re confident in their ability to prevent email-based data breaches. That might sound reassuring—until you look under the hood.

Our latest research shows this confidence masks a dangerous gap between perception and reality. Many organizations continue to rely on outdated systems, manual encryption, and assumptions that crumble under scrutiny. The result? Widespread vulnerability, especially where it hurts most: email.

Based on a new survey of 150 U.S. healthcare IT leaders—along with breach analysis and real-world audits—our new report exposes the blind spots putting patient data, compliance, and operational trust at risk.

Here’s what we uncovered.

The confidence gap is real and risky

On paper, things look good. Most healthcare IT teams have policies, tools, and audits in place. But in practice, many of these protections fall apart.

Encryption still depends on user behavior—checkboxes, subject line triggers, portals. Authentication tools are left half-configured. Log files go unread. Incident response plans skip email entirely. These aren’t edge cases. They’re common.

So while confidence is high, real security is far more fragile. And it’s costing healthcare organizations in ways they can’t always measure until it’s too late.

We found:

  • 92% of leaders feel confident in their email security

  • But 86% report that their tools cause friction

  • And 8 out of 10 privately worry about their HIPAA compliance

There’s a disconnect between policy and practice. Encryption often relies on user behavior—clicking a button, typing a keyword—which is a compliance red flag. Many email authentication tools (DMARC, SPF) are only partially implemented. Some orgs don’t even review email logs.

Confidence without verification? That’s not security. It’s wishful thinking.

AI-powered threats, legacy defenses

Phishing has evolved fast. AI is making it easier for attackers to craft convincing emails that mimic tone, urgency, and structure—targeting clinicians, billing departments, and HR staff with alarming precision.

But the defenses haven’t kept up. Most IT leaders agree that AI and machine learning are crucial for identifying modern threats. Yet fewer than half have implemented any AI-driven detection tools.

Most healthcare organizations still rely on static filters or basic rule sets—systems that were never designed to identify today’s level of deception. You can’t catch tomorrow’s attacks with yesterday’s tools.

Budgets don't match the risk

Despite being the #1 attack vector in healthcare, email security remains a financial afterthought.

  • Most healthcare orgs allocate under 6% of their IT budget to cybersecurity

  • Financial services: 10–12%

  • General industry: over 20%

This underinvestment wouldn’t be so damning if email weren’t at the center of so many HIPAA violations, lawsuits, and breach reports. But when the average cost of a breach exceeds $9.8 million, the disconnect becomes indefensible.

The issue isn’t spending. It’s prioritization. Email is still seen as an administrative task, not a frontline risk.

Tools that users work around

If your secure email system creates friction, people will find ways to avoid it. And they do—frequently.

86% of IT leaders say their current tools frustrate users. Delayed messages, clunky mobile access, poor password resets, and confusing interfaces all contribute to one thing: end users going rogue.

We’ve heard it all:

  • “Patients keep calling because they can’t open the message.”
  • “Our funders asked us to send reports another way.”
  • “Our doctors are just texting files instead.”

These workarounds end up as patterns, and they reveal a core truth: tools that get in the way aren’t just inconvenient. They’re dangerous.

What's really getting in the way

IT leaders want to improve their email security, but they’re battling real constraints.

The top barriers they reported include:

  • Implementation complexity (54%)

  • Lack of vendor support (53%)

  • Staffing shortages (45%)

  • Resistance from leadership (44%)

  • Integration with legacy systems (41%)

Add in budget pressure, workflow concerns, and low patient email literacy, and it’s clear why many organizations stay stuck. But accepting the status quo doesn’t make the risk go away. It just shifts the burden to the inevitable incident response.

Assumptions that undermine security

Here’s the most persistent problem: assumptions that feel safe but aren’t.

  • IT leaders assume their portals are secure—yet usability issues drive users away.
  • They believe training is enough—despite knowing that 95% of phishing still goes unreported.
  • They think buying a HIPAA-compliant platform means they're covered—but most tools fail configuration checks when actually audited.

Security goes beyond a checklist. It’s a living system that only works when it aligns with behavior, tech, and policy—all together.

What needs to happen next

From this research, five clear action steps emerge for any healthcare organization serious about tightening its email security posture:

  1. Audit your configurations – Vendor claims are meaningless without verification.

  2. Automate encryption – If users have to remember to secure an email, your system is flawed.

  3. Deploy AI-powered detection like Paubox's ExecProtect+ – Especially as generative threats continue to grow.

  4. Fund in proportion to risk – Don’t bury email security under general IT spending.

  5. Prioritize usability – Tools must work for real people, not just pass an audit.

Download the full report:
“Healthcare IT is dangerously overconfident about email security.”
