The limits of phishing training in healthcare

Paubox’s 2026 report on healthcare email security found that 170 email-related breaches were reported in 2025, exposing the data of 2.5 million individuals, and that 72% of healthcare organizations say their infrastructure needs a major overhaul. Training on its own is not narrowing that gap, because most organizations run a course just once a year. Phishing tactics evolve weekly, and 83% of phishing emails observed between September 2024 and February 2025 used AI to get past traditional filters.

The result is predictable: an employee trained in January may be out of date by March, and only 5% of phishing attacks are reported to security teams. A JAMA Network Open multi-institution simulation covering nearly 3 million simulated phishing emails found that about 1 in 7 messages were clicked, and that training alone did little to reduce the odds. Meanwhile, attackers know that email is the easiest entry point, and stolen health data can fetch $10 to $1,000 per record.

What phishing training gets right

Phishing training, done thoughtfully, has real benefits. It gives staff a common language for suspicious messages (fake invoices, urgent password resets, unexpected attachments) and builds the habit of stopping to think before clicking. The JAMA Network Open study reports: "We found that repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email…" Institutions that had run more than 10 phishing campaigns had roughly one-third the odds of an employee clicking (adjusted odds ratio 0.335) relative to the first five campaigns.

Training also supports regulatory compliance. The HIPAA Security Rule requires workforce members to receive security awareness education, and Paubox’s research shows that leaders are most concerned about the human element: 85% see employee negligence as a top risk. When staff understand why reporting matters, they are more likely to forward suspicious emails to the IT or security team.

Paubox’s report found that organizations that trained more frequently were better at keeping staff awareness aligned with current threat trends. Training can also build a culture of collaboration: simulation exercises followed by feedback help employees see cybersecurity as a matter of patient safety rather than punishment.

Where phishing training starts to break down

Despite these strengths, training often falters because it clashes with the realities of healthcare work. Many programs assume employees have time to scrutinize every message, yet clinicians and administrators are juggling urgent documentation and billing. A Digital Health case study from an Italian hospital found that staff workload and fatigue reduced their ability to detect phishing emails.

Overworked staff reported being unable to prioritize cybersecurity over clinical duties. Roughly one in seven simulated emails were clicked, 16% of employees went as far as downloading the attachment, and only 32% of those who were required to report suspicious messages actually did so.

Why phishing is harder in healthcare than in other sectors

Studies show that patient records can sell for $10 to $1,000 on black markets, making healthcare a prime target. Attackers also know that email is deeply embedded in clinical operations: appointment reminders, lab results, insurance queries, and vendor communications all arrive in the inbox, so a malicious message blends in. The same study that analyzed nearly three million simulated emails found that click rates varied widely by institution and season, but almost one in seven messages were still clicked.

Healthcare staff often trust internal communications implicitly, which makes it easier for attackers to impersonate colleagues or executives. Paubox’s ExecProtect tool addresses display-name spoofing by automatically quarantining suspicious messages, shielding staff from whaling attempts that impersonate executives. Its value is clear given that 60% of healthcare IT leaders still rate their email security as inadequate.

Platform configuration matters too: 53% of breaches occurred on Microsoft 365, and 41% of organizations were rated high risk because of misconfigured settings.

How to build an effective phishing training programme

Strengthening phishing defenses means moving beyond annual slide decks and giving healthcare staff support before a risky email ever reaches them. Training still matters: staff need short, frequent refreshers built on real phishing examples, especially since Paubox found that 57% of healthcare organizations conduct email security training only once a year, while just 16% train quarterly or more often.

The stronger approach is layered. Healthcare organizations should combine quarterly training, role-specific examples, no-blame reporting, sender authentication (SPF, DKIM and DMARC), encryption, multifactor authentication, conditional access, and inbound protections such as Paubox’s.
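Both the display-name quarantine described in the previous section and the sender-authentication layer in the list above can be seen in code. What follows is an added example, not Paubox’s or ExecProtect’s code: it parses an inbound message, compares the From display name against an assumed executive roster, requires a From address on the organization’s own domain to carry a DMARC pass written by our own MTA, and flags a Reply-To that redirects replies off-domain. The organization domain, the authserv-id, the roster and the three sample messages are all assumptions constructed for the example.

```python
# Added example, not Paubox's or ExecProtect's code: a display-name spoofing check
# of the kind an inbound mail gateway applies before a message reaches a clinician.
# The roster, domain, authserv-id and sample messages are constructed for this page.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAINS = {"example-health.org"}        # assumed: domains the organization sends from
AUTHSERV_ID = "mx.example-health.org"       # assumed: id our own MTA writes into Auth-Results
EXECUTIVES = {"jane doe", "ravi patel"}     # assumed: protected executive display names


def normalize_name(display: str) -> str:
    """Collapse case, punctuation and 'Last, First' order so name variants compare equal."""
    parts = re.findall(r"[a-z]+", display.lower())
    if "," in display and len(parts) >= 2:   # "Doe, Jane" -> "jane doe"
        parts = parts[1:] + parts[:1]
    return " ".join(parts)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_result(msg) -> str:
    """Read dmarc= from Authentication-Results, trusting only the header our own MTA wrote."""
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).strip()
        if text.startswith(AUTHSERV_ID):
            m = re.search(r"\bdmarc=(\w+)", text)
            return m.group(1).lower() if m else "none"
    return "none"


def classify(raw: bytes) -> dict:
    """Return a verdict and the reasons; any spoofing signal is enough to quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    internal = domain_of(addr) in ORG_DOMAINS
    protected = normalize_name(display) in EXECUTIVES
    reasons = []
    # 1. An executive's name on an external address: classic display-name spoofing.
    if protected and not internal:
        reasons.append(f"display name {display!r} matches an executive but sender is {addr}")
    # 2. Our own domain in From without a DMARC pass at the gateway: a forged header.
    auth = dmarc_result(msg)
    if internal and auth != "pass":
        reasons.append(f"From domain is internal but dmarc={auth}")
    # 3. Replies silently routed off-domain: typical of whaling / BEC lures.
    if internal and reply_to and domain_of(reply_to) not in ORG_DOMAINS:
        reasons.append(f"Reply-To {reply_to} leaves the organization")
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


# Constructed sample messages (not real traffic).
SPOOFED_EXTERNAL = b"""From: "Doe, Jane" <jane.doe@gmail.example>
To: billing@example-health.org
Subject: Urgent wire transfer before noon
Authentication-Results: mx.example-health.org; dmarc=none

Please process the attached invoice today.
"""

GENUINE_INTERNAL = b"""From: Jane Doe <jane.doe@example-health.org>
To: billing@example-health.org
Subject: Q3 budget
Authentication-Results: mx.example-health.org; dmarc=pass header.from=example-health.org

Draft attached for review.
"""

FORGED_INTERNAL = b"""From: Ravi Patel <ravi.patel@example-health.org>
Reply-To: ravi.patel.ceo@outlook.example
To: billing@example-health.org
Subject: Confidential request
Authentication-Results: mx.example-health.org; dmarc=fail header.from=example-health.org

Are you at your desk? I need a favour.
"""


def run_samples() -> dict:
    samples = {"spoofed_external": SPOOFED_EXTERNAL,
               "genuine_internal": GENUINE_INTERNAL,
               "forged_internal": FORGED_INTERNAL}
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The check only trusts an Authentication-Results header that begins with the gateway’s own authserv-id, because anything else in that header was supplied by the sender and can be forged; a real deployment would also strip inbound copies of that header before adding its own.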

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

Does HIPAA require phishing training?

HIPAA does not use the exact phrase "phishing training," but the HIPAA Security Rule requires regulated entities to implement a security awareness and training program for workforce members.

How often should healthcare organizations provide phishing training?

HIPAA does not set a specific phishing training schedule, but annual training is weak against fast-changing threats.

Should phishing training include simulated phishing emails?

Yes, simulations can help staff practice realistically, but they should be fair and transparent in purpose.
