The role of email security in risk analysis and workforce training

For organizations handling protected health information (PHI), the intersection of email security, risk analysis, and workforce training represents a major component of HIPAA compliance. The HIPAA Security Rule summary document establishes that regulated entities must "Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit" and "protect against reasonably anticipated, impermissible uses or disclosures" while ensuring "compliance by their workforce." Understanding how secure email solutions align with HIPAA's administrative safeguards isn't just a regulatory requirement; it's a pillar of patient privacy protection.

The email security challenge in healthcare

Email has become a much-needed communication tool in healthcare settings, facilitating information exchange between providers, staff, and patients. That convenience, however, carries risk. Phishing attacks, malware distribution, accidental disclosures, and unauthorized access are constant threats that can compromise PHI and trigger regulatory consequences.

The challenge is worsened by the human element. Healthcare workers, often focused on patient care rather than cybersecurity, may become the weakest link in the security chain. According to Enhancing Employees Information Security Awareness in Private and Public Organisations: A Systematic Literature Review, about 77% of companies' data breaches are due to exploitation of human weaknesses. 

HIPAA's administrative safeguards framework

HIPAA's Security Rule establishes three categories of safeguards: administrative, physical, and technical. Administrative safeguards are the policies, procedures, and processes that govern the organization's security posture. Within this framework, two requirements stand out as relevant to email security: risk analysis and workforce training.

According to the HIPAA Security Rule summary document, "The Administrative Safeguards provisions in the Security Rule require a regulated entity to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the regulated entity." The risk analysis requirement directs how organizations must approach email security. Meanwhile, the security awareness and training standard requires organizations to implement a security awareness program for all workforce members, including training on email security, malicious software, password management, and login monitoring. As the HIPAA Security Rule summary document states, "A regulated entity must train all workforce members on its security policies and procedures."


Email security as a risk analysis component

Implementing secure email solutions must begin with risk analysis. This process involves identifying where email-related vulnerabilities exist within the organization's infrastructure and workflows. In a 2020 settlement case, OCR found that PIH Health committed a "failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH." This deficiency contributed to a phishing attack that "compromised forty-five of its employees' email accounts, resulting in the breach of 189,763 individuals' unsecured ePHI." As OCR Acting Director Anthony Archeval stated, "Hacking is one of the most common types of large breaches reported to OCR every year. HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients' protected health information."

Organizations must evaluate several areas:

  • Transmission security: How is PHI transmitted via email? Are messages encrypted in transit? What happens when information leaves the organization's secure environment? A thorough risk analysis examines encryption protocols, evaluates whether end-to-end encryption is necessary for certain communications, and identifies gaps in current transmission security measures. OCR's guidance following the PIH Health settlement emphasizes the need to "encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate."
  • Access controls: Who can access email accounts containing PHI? Are there sufficient authentication mechanisms in place? Risk analysis should assess whether access rights are appropriately limited and whether former employees' access has been properly terminated. OCR recommends organizations "ensure that audit controls are in place to record and examine information system activity" and "implement regular reviews of information system activity."
  • Threat landscape assessment: What external and internal threats does the organization face through email? This includes analyzing phishing attack frequency, evaluating malware detection capabilities, and understanding social engineering vulnerabilities specific to the organization. The PIH Health case demonstrates the scope of email-based breaches: "The ePHI disclosed in the phishing attack included affected individuals' names, addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information."
  • Information flow mapping: OCR's recommendations emphasize the importance of understanding email workflows: "Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization's information systems." This mapping helps organizations identify vulnerable points where email security controls are needed.
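
One concrete check behind the transmission-security question above is to read the trace that each mail server adds to a message as it passes through. The following is an added example, not code from the original article or from Paubox: it walks a message's Received headers in delivery order and flags hops that were not protected by TLS, using the 'with' keywords RFC 3848 defines for STARTTLS sessions (ESMTPS, ESMTPSA, plus the RFC 6531 UTF8 variants) and the "version=TLS" annotation that some mail servers write instead. The message, hostnames and addresses are constructed for the example; header layouts vary by product, so a "plaintext" verdict is a lead to confirm against the server's own logs rather than proof on its own.

```python
"""Hop-by-hop TLS audit of a message's Received headers (added example)."""
import email
import re
from email import policy

# Constructed sample: three hops in delivery order (oldest Received header last).
#   1. partner lab relay -> clinic gateway : plain ESMTP (no TLS)
#   2. clinic gateway    -> clinic MX      : ESMTPS (STARTTLS)
#   3. clinic MX         -> mailbox server : Exchange-style "version=TLS" annotation
SAMPLE_MESSAGE = """\
Received: from mx.example-clinic.test (192.0.2.11) by mailbox01.example-clinic.test
    (10.0.0.5) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1;
    Tue, 4 Jun 2024 10:15:03 +0000
Received: from mail-gw.example-clinic.test (mail-gw.example-clinic.test [192.0.2.10])
    by mx.example-clinic.test with ESMTPS id 4XyZ
    for <nurse@example-clinic.test>; Tue, 4 Jun 2024 10:15:02 +0000
Received: from relay.partner-lab.test (relay.partner-lab.test [198.51.100.7])
    by mail-gw.example-clinic.test with ESMTP id 3AbC
    for <nurse@example-clinic.test>; Tue, 4 Jun 2024 10:15:01 +0000
From: results@partner-lab.test
To: nurse@example-clinic.test
Subject: Lab results for patient record

(constructed body)
"""

# 'with' keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# from <host> ... by <host> ... with <protocol>; 'from' and 'with' are optional
# because locally submitted mail and some products omit them.
HOP_RE = re.compile(
    r"(?:\bfrom\s+(?P<from>\S+).*?)?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>[A-Za-z0-9_-]+))?",
    re.IGNORECASE,
)
# Products that do not use the RFC 3848 keywords often annotate the hop instead.
TLS_ANNOTATION_RE = re.compile(r"\bversion=TLS", re.IGNORECASE)


def parse_hop(header_value: str) -> dict:
    """Classify one Received header as encrypted (True), plaintext (False) or unknown (None)."""
    text = re.sub(r"\s+", " ", header_value).strip()
    match = HOP_RE.search(text)
    if match is None:
        # No recognisable 'by' clause: say nothing rather than guess.
        return {"from": None, "by": None, "protocol": None, "encrypted": None, "raw": text}
    protocol = (match.group("with") or "").upper() or None
    encrypted = protocol in TLS_PROTOCOLS or bool(TLS_ANNOTATION_RE.search(text))
    return {
        "from": match.group("from"),
        "by": match.group("by"),
        "protocol": protocol,
        "encrypted": encrypted,
        "raw": text,
    }


def audit_transit(raw_message: str) -> list[dict]:
    """Return the message's hops in delivery order, each with a TLS verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Each MTA prepends its Received header, so the list is newest-first;
    # reverse it to read sender side -> recipient side.
    return [parse_hop(str(h)) for h in reversed(msg.get_all("Received", []))]


def unencrypted_hops(report: list[dict]) -> list[dict]:
    """Hops positively identified as plaintext; unknown hops are not included."""
    return [hop for hop in report if hop["encrypted"] is False]


if __name__ == "__main__":
    for i, hop in enumerate(audit_transit(SAMPLE_MESSAGE), 1):
        verdict = {True: "TLS", False: "PLAINTEXT", None: "unknown"}[hop["encrypted"]]
        print(f"hop {i}: {hop['from']} -> {hop['by']} [{hop['protocol']}] {verdict}")
```

Run over a sample of real inbound and outbound messages, or over headers exported from a gateway, this gives the risk analysis a list of partner relays and internal hops that still carry ePHI without TLS. That is the kind of finding that should drive both a technical control (enforcing TLS or routing those recipients through an encrypted-email service) and a training point (when staff must use the encrypted channel).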

The risk analysis process should produce findings that directly inform email security implementation. The HIPAA Security Rule summary document emphasizes the ongoing nature of this process, stating that "a regulated entity must implement procedures to regularly review its records to track access to ePHI and detect security incidents, periodically evaluate the effectiveness of security measures put in place and modify such security measures as necessary, and regularly reevaluate potential risks to ePHI." OCR further advises organizations to "integrate risk analysis and risk management into the organization's business processes," ensuring that security considerations are included throughout organizational operations.

Workforce training

HIPAA explicitly requires security awareness and training as an administrative safeguard. The systematic literature review emphasizes that about 90% of cybersecurity professionals reported that their companies felt vulnerable to insider threats, showing the need for effective workforce training that transforms employees from potential vulnerabilities into active participants in the organization's security posture.

However, as Haney and Lutters caution in their research on security awareness training, "Some organizations view training simply as a 'check-the-box' exercise, measuring success solely by training completion rates. However, this reveals little about how effective the training is in changing and sustaining attitudes and behaviors." The systematic literature review confirms this concern, noting that "ISA campaigns and training are failing to change employees' behaviour" because organizations "do not reflect adequately on the factors affecting the employees' ISA levels while developing the content for the ISA campaigns." Healthcare organizations must create training programs that engage employees and drive lasting behavior change.

  • Foundational email security training: Workforce members must understand basic email security principles. This includes recognizing phishing attempts, avoiding suspicious attachments, verifying sender identities, and understanding when encryption is required. The systematic literature review emphasizes that there was historically "a lack of methods to create 'engaging and appropriate materials' for enhancing ISA," but contemporary research demonstrates that diverse training methodologies, including "interactive workshops, online training modules, simulated phishing exercises, and gamified learning platforms", can engage different learning styles and organizational needs. Training should use real-world examples relevant to healthcare contexts, for instance, emails that appear to come from insurance companies, pharmaceutical representatives, or even hospital administrators. Haney and Lutters emphasize the importance of creative engagement, stating "You want to just put a different spin on it because people just see stuff all the time: 'Have a good password. Lock your computer'…Be creative and think outside the box." This approach helps combat the fatigue that often accompanies repetitive security messaging.
  • Role-specific training: Different positions face different email security challenges. Clinical staff might receive targeted training on communicating patient information securely, while billing departments need specific guidance on financial information protection. IT staff require advanced training on security protocols and incident response. The review on employee engagement and accountability emphasizes the need for "tailored learning experiences" that recognize diverse roles and responsibilities within organizations. Moreover, Haney and Lutters note that "people will be more apt to thoughtfully make security decisions when they have a sense of personal responsibility and view security as relevant to their day-to-day lives." Role-specific training helps establish this connection by demonstrating how email security directly impacts each employee's specific responsibilities and the patients they serve.
  • Ongoing awareness programs: Organizations should implement continuous awareness programs that include regular simulated phishing exercises, security newsletters, and refresher training sessions. According to the review on employee engagement and accountability, establishing metrics such as "the reduction in successful phishing attempts, increased reporting of security incidents, and improved scores in simulated exercises" helps organizations track training effectiveness over time. 

Moving beyond compliance

Haney and Lutters articulate that "the goal of security awareness training should never be just to check the box but rather to move employees toward intrinsic motivation, where they see the value of security, develop the curiosity to learn more on their own, feel a sense of ownership and empowerment, want to do the right thing, and as a result, actually practice good behaviors."

In healthcare contexts, this means helping staff understand that email security directly protects patient privacy and safety. When employees recognize that their email security practices safeguard the vulnerable patients they care for, security transforms from an imposed burden to an extension of their professional ethics.

The integration cycle

The most effective approach to email security integrates technical solutions with workforce training. This integration works in several ways:

  • Risk analysis informs both: Findings from risk analysis should simultaneously drive technology procurement decisions and training curriculum development. If the analysis reveals that mobile device email access presents elevated risk, the organization might implement mobile device management solutions while also training staff on mobile security best practices.
  • Training validates technology: When organizations implement new secure email solutions, training ensures workforce adoption and proper use. For example, an encrypted email service is only effective if staff understand when and how to use it. Training sessions should accompany technology rollouts, with hands-on practice. However, Haney and Lutters warn, "Raising awareness of security threats is important, but it does not necessarily lead to behavior change. Doing so without advice or the appropriate tools on how to confront those threats may leave employees feeling anxious, unsatisfied, and powerless." Effective training must give employees practical, actionable steps they can apply immediately.
  • Technology enables training assessment: Modern email security solutions can provide valuable training metrics. Simulated phishing platforms track click rates and reporting behaviors, offering data on training effectiveness. These metrics feed back into risk analysis, creating a data-driven cycle of continuous improvement. The review on employee engagement and accountability notes that "continuous improvement is facilitated by gathering feedback from participants. Periodic surveys, focus group discussions, and analysis of incident reports can provide valuable insights into the program's strengths and areas for enhancement."
  • Incident response bridges both: When email security incidents occur, they provide learning opportunities. Post-incident analysis should examine both technical and human factors, leading to technology adjustments and targeted training interventions.
  • Building engagement beyond compliance: The review on employee engagement and accountability emphasizes that successful programs move beyond compliance: "Motivational factors, tailored learning experiences, and the influence of organizational culture play a pivotal role in shaping an engaged workforce that views cybersecurity not as an imposed duty but as an integral part of their professional identity."
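
The metrics named in the ongoing-awareness bullet earlier (fewer successful phishing attempts, more reporting, better simulation scores) and in the "technology enables training assessment" point above are easy to state but easy to get wrong when computed by hand across roles and campaigns. The following is an added example, not code from the original article or from any simulated-phishing product: it takes per-recipient results of two constructed simulated-phishing campaigns and computes click rate, reporting rate, median time to report, a per-role breakdown to target training, and the relative reduction in click rate between campaigns. The CSV columns, user and role names, and the 25% click-rate threshold are assumptions made for the example.

```python
"""Simulated-phishing metrics that feed training design and risk analysis (added example)."""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed results: two campaigns sent to the same six workforce members.
# clicked/reported are 0/1 flags; minutes_to_report is empty when nobody reported.
SAMPLE_CSV = """\
campaign,user,role,clicked,reported,minutes_to_report
2024-Q1,u1,clinical,1,0,
2024-Q1,u2,clinical,1,1,40
2024-Q1,u3,clinical,0,0,
2024-Q1,u4,billing,1,0,
2024-Q1,u5,billing,0,1,8
2024-Q1,u6,it,0,1,3
2024-Q2,u1,clinical,0,1,15
2024-Q2,u2,clinical,0,1,5
2024-Q2,u3,clinical,1,0,
2024-Q2,u4,billing,0,1,20
2024-Q2,u5,billing,0,0,
2024-Q2,u6,it,0,1,2
"""


def load_results(csv_text: str) -> list[dict]:
    """Parse campaign rows, turning flags into bools and report time into int or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "campaign": row["campaign"],
            "user": row["user"],
            "role": row["role"],
            "clicked": row["clicked"] == "1",
            "reported": row["reported"] == "1",
            "minutes_to_report": int(row["minutes_to_report"]) if row["minutes_to_report"] else None,
        })
    return rows


def rates(rows: list[dict]) -> dict:
    """Counts and rates for any group of rows (a campaign, a role, the whole set)."""
    delivered = len(rows)
    clicked = sum(r["clicked"] for r in rows)
    reported = sum(r["reported"] for r in rows)
    report_times = [r["minutes_to_report"] for r in rows if r["minutes_to_report"] is not None]
    return {
        "delivered": delivered,
        "clicked": clicked,
        "reported": reported,
        "click_rate": clicked / delivered if delivered else 0.0,
        "report_rate": reported / delivered if delivered else 0.0,
        # Median minutes from delivery to report; None when nobody reported.
        "median_minutes_to_report": median(report_times) if report_times else None,
    }


def by_campaign(rows: list[dict]) -> dict[str, dict]:
    groups = defaultdict(list)
    for r in rows:
        groups[r["campaign"]].append(r)
    return {campaign: rates(group) for campaign, group in sorted(groups.items())}


def by_role(rows: list[dict], campaign: str) -> dict[str, dict]:
    groups = defaultdict(list)
    for r in rows:
        if r["campaign"] == campaign:
            groups[r["role"]].append(r)
    return {role: rates(group) for role, group in sorted(groups.items())}


def roles_needing_training(rows: list[dict], campaign: str, max_click_rate: float = 0.25) -> list[str]:
    """Roles whose click rate exceeds the (assumed) threshold: candidates for targeted training."""
    return [role for role, m in by_role(rows, campaign).items() if m["click_rate"] > max_click_rate]


def click_rate_reduction(rows: list[dict], first: str, last: str) -> float:
    """Relative reduction in click rate between two campaigns (0.5 means it halved)."""
    metrics = by_campaign(rows)
    before, after = metrics[first]["click_rate"], metrics[last]["click_rate"]
    return (before - after) / before if before else 0.0


if __name__ == "__main__":
    results = load_results(SAMPLE_CSV)
    for campaign, m in by_campaign(results).items():
        print(f"{campaign}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"median time to report {m['median_minutes_to_report']} min")
        print("  roles above threshold:", roles_needing_training(results, campaign))
    print(f"click-rate reduction Q1 -> Q2: {click_rate_reduction(results, '2024-Q1', '2024-Q2'):.0%}")
```

The per-role view is what turns a campaign number into a training decision: in the sample the clinical role is the only group still above threshold in the second campaign, so it, rather than the whole workforce, gets the next targeted session. The reduction figure and the rising report rate are what the risk analysis records as evidence that the control is working, and the median time to report is the number the incident response team cares about.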

Fostering accountability in email security

The HIPAA Security Rule summary document requires that regulated entities "have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures." The review on employee engagement and accountability further outlines that "accountability is reinforced through consequence management, where non-compliance with cybersecurity policies results in appropriate consequences...ranging from additional training for minor infractions to disciplinary action for more severe violations."

However, accountability in healthcare email security should balance enforcement with education. Haney and Lutters advocate for a constructive approach, noting that "the threat of negative consequences has been found to have a limited impact on decisions to implement security, but positive and constructive feedback can be effective in encouraging and maintaining desired behaviors."

When staff members violate email security protocols, the response should prioritize understanding why the violation occurred, since a missing tool or an unclear policy calls for a different response than deliberate disregard of the rules.

Effective accountability also requires clear communication channels. Employees need straightforward mechanisms for reporting potential security incidents without fear of consequences. When staff feel empowered to report suspicious emails or potential breaches, organizations gain early warning systems that can prevent minor issues from becoming major incidents. 

FAQs

Why is email security such a concern in healthcare?

Because phishing and human error within email systems are among the most common sources of PHI breaches in healthcare, as the PIH Health case above illustrates.

How does email security relate to HIPAA’s Security Rule?

HIPAA requires organizations to ensure the confidentiality, integrity, and availability of ePHI. Any email that creates, receives, or transmits ePHI therefore falls under the Security Rule's safeguards, including risk analysis, workforce training, and encryption of ePHI in transit and at rest where appropriate.

What’s the difference between administrative and technical safeguards in HIPAA?

Administrative safeguards focus on policies and training, while technical safeguards include tools like encryption and access controls.

Why is risk analysis important before implementing email security solutions?

It identifies vulnerabilities in email transmission, access, and workflows so that appropriate protections can be designed.

How does encryption protect email communications in healthcare?

It renders PHI unreadable to anyone without the decryption key, whether a message is intercepted in transit or accessed in a mailbox at rest.
