Email encryption during delivery plays a direct part in protecting patient data as it moves between organizations.
Recent Paubox analysis shows that this protection cannot be assumed. Research examining how major cloud email platforms handle encryption failures found that delivery often takes precedence over security, even when modern standards are not met. As the report warned, “Forcing TLS sounds like a safeguard… In healthcare, where email routinely carries sensitive patient data, the illusion of security is especially dangerous because when encryption silently fails, there’s no second chance to catch the mistake. No error. No alert. Just delivery that looks successful, but isn’t secure.”
That gap between expectation and reality matters in healthcare, where staff rely on email under time pressure and where messages often contain protected health information. When encryption fails without notice, exposure can occur without any visible sign that something went wrong.
According to IBM, “Transport Layer Security (TLS) is a cryptographic protocol that helps secure communications over unprotected computer networks, such as the Internet. Through various asymmetric and symmetric cryptography techniques, TLS provides end-to-end authentication, confidentiality and data integrity. These protections apply to a wide range of network communications, including email, messaging, voice over IP (VoIP) and virtual private networks (VPNs).”
TLS protection depends on both sides of the connection supporting modern encryption standards. If the receiving server cannot negotiate a secure connection, email platforms must decide whether to stop delivery or proceed without adequate protection. Research shows that many platforms choose delivery.
According to A Comprehensive Symbolic Analysis, TLS has multiple versions because the protocol has been updated over time to respond to new security threats and improve performance. Early versions focused on basic encryption, while newer releases strengthened cryptography, fixed known weaknesses, and reduced the time it takes to establish secure connections. TLS 1.2 is still widely used and secure, while TLS 1.3 is the current standard, designed to be faster and safer by removing outdated algorithms and simplifying the handshake process.
Alongside the protocol itself, TLS relies on certificates to establish trust. A TLS certificate is a digital credential that confirms a website or service is legitimate and enables encrypted communication between a user’s browser and a server. These certificates protect data in transit, such as login details or emails, and are used for HTTPS websites and secure email systems.
Healthcare email systems often rely on “old, legacy systems” shaped by “lack of funding, lack of cybersecurity personnel, and health staff using workarounds,” according to The need for cybersecurity self-evaluation in healthcare. These platforms may still function, but they frequently run without modern protections like enforced TLS, patching, or strong authentication. As one participant put it, “The natural inclination of most people…is to use an old system and keep using it.”
That reliance creates clear exposure. Healthcare stakeholders described the sector as a “complex mix” of providers and technologies, warning that “legacy systems…are a major vulnerability point.” In environments handling large volumes of PHI where downtime is unacceptable, outdated email infrastructure directly weakens an organization’s ability to prevent or contain cyber incidents.
Non-TLS email systems amplify that risk. Research published in Frontiers in Digital Health explains that attackers can “insert themselves into the middle of communication transmission” to “eavesdrop, steal, or modify information being exchanged before it reaches the receiving end.” Once inside the communication stream, attackers can “access mounds of information and manipulate, steal, ransom, or otherwise compromise the records.” The lack of secure server authentication also makes spoofing easier, fueling phishing, which one analysis found was the starting point for “89% of cybercrimes.”
Recent Paubox research examined how two widely used cloud email platforms handle TLS failures in real-world conditions. The findings showed that encryption can fail silently, without alerting the sender or blocking delivery.
The report explained that “Google will still deliver messages using TLS 1.0 and 1.1, encryption protocols deprecated years ago.”
Microsoft’s behavior differed but did not eliminate exposure. The same summary noted that “Microsoft refuses those outdated protocols, but sends the message anyway, completely unencrypted.”
The same research linked these behaviors to broader breach patterns, noting that “31.1% of breached healthcare orgs had misconfigurations that exposed them to major email risks… Microsoft 365 alone accounted for 43.3% of all healthcare email breaches in 2024… Downgrade behaviors and weak encryption protocols remain systemic, often due to legacy systems and intermediary devices.”
TLS weaknesses are often compounded by certificate issues. Even when encryption is technically in place, certificate validation problems can undermine trust in the connection.
Reporting based on Paubox data found that “An estimated 3 million email addresses may be at risk of exposure to common cyberattacks, such as man-in-the-middle attacks, because email delivery often proceeds even when certificate validation fails… encrypted email is routinely sent to servers with expired or self-signed certificates, preventing reliable verification of the recipient’s identity.”
The same report explained the underlying concern, stating that “When certificates are expired or self-signed, encryption may still occur, but the integrity of the connection cannot be proven.”
In healthcare workflows, legacy systems and intermediary devices increase the likelihood of these failures. Older mail servers may not support modern TLS versions. Third-party gateways may downgrade connections. Cloud platforms may deliver messages anyway to avoid interrupting business processes. As the report summarized, “Paubox found that cloud email platforms frequently deliver messages even when certificate validation fails, prioritizing delivery over verification.”
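The two failure modes described above (a deprecated protocol accepted, or a failed negotiation followed by cleartext delivery) and the certificate problems in the preceding paragraphs can be modelled as one grading step plus a delivery policy. The following is an added example, not Paubox code or any vendor's implementation: `classify` grades a STARTTLS outcome, `should_deliver` contrasts opportunistic with enforced TLS, and `probe` performs a live check against an MX host you supply (hostnames and timeouts are assumptions; the OpenSSL verify messages in the tests are constructed samples).

```python
import smtplib
import ssl
from dataclasses import dataclass
from typing import Optional

DEPRECATED = {"TLSv1", "TLSv1.1"}   # deprecated by RFC 8996
MODERN = {"TLSv1.2", "TLSv1.3"}

@dataclass
class HandshakeResult:
    starttls_offered: bool
    protocol: Optional[str] = None   # SSLSocket.version() value, None if no TLS was established
    error: Optional[str] = None      # handshake or certificate verification error, if any

def classify(r: HandshakeResult):
    """Grade the transport as cleartext, weak, unverified or secure, with a reason."""
    if r.protocol is None:
        why = f"handshake failed: {r.error}" if r.starttls_offered else "no STARTTLS offered"
        return "cleartext", why                      # opportunistic senders deliver anyway here
    if r.protocol in DEPRECATED or r.protocol not in MODERN:
        return "weak", f"negotiated {r.protocol}, which is deprecated"
    if r.error:                                      # TLS is up but the peer's identity is not proven
        return "unverified", f"{r.protocol} but certificate not validated: {r.error}"
    return "secure", f"{r.protocol} with a validated certificate"

def should_deliver(status: str, enforce_tls: bool) -> bool:
    """Opportunistic TLS delivers regardless of grade; enforced TLS holds anything below secure."""
    return status == "secure" or not enforce_tls

def _handshake(host, port, ctx, timeout):
    """Connect, issue STARTTLS with the given context, return the negotiated version (or None)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return smtp.sock.version()

def probe(host: str, port: int = 25, timeout: float = 10.0) -> HandshakeResult:
    """Live check (network; not exercised by the tests). The default context verifies chain and
    hostname and refuses TLS < 1.2; on a verification failure we reconnect without verification
    only to learn which version the peer negotiates, and keep the original error."""
    try:
        version = _handshake(host, port, ssl.create_default_context(), timeout)
        return HandshakeResult(version is not None, version)
    except ssl.SSLCertVerificationError as e:
        lax = ssl.create_default_context()
        lax.check_hostname, lax.verify_mode = False, ssl.CERT_NONE
        return HandshakeResult(True, _handshake(host, port, lax, timeout), e.verify_message)
    except (ssl.SSLError, smtplib.SMTPException) as e:
        return HandshakeResult(True, None, str(e))
```

Run `classify(probe("mx.example.test"))` against a recipient domain's MX host to see which grade an outbound message would travel under; in audit terms, anything other than `secure` is a finding.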
From a compliance perspective, the issue is not whether a specific protocol is named in regulation, but whether organizations can demonstrate appropriate safeguards. As one passage noted, “HIPAA doesn’t spell out ‘no self-signed certs,’ but the Security Rule requires organizations to verify the integrity of the connection.”
The research reviewed here shows that encryption can fail without warning, certificates can be invalid without detection, and email platforms may prioritize delivery over security. In an environment where email remains necessary to patient care, those conditions create risk that is easy to overlook and hard to audit after the fact.
Modern TLS enforcement, certificate management, and secure email design are therefore not optional hygiene tasks. They decide whether protected health information is actually safeguarded as it moves through the systems that healthcare depends on every day.
Paubox’s approach to healthcare email security is designed around eliminating silent failure modes. Rather than allowing messages to downgrade or fall back to unencrypted delivery, Paubox enforces modern TLS standards and manages certificate validation as part of the delivery process.
The approach removes reliance on individual user decisions and reduces exposure caused by legacy recipient systems. Encryption is applied automatically, and delivery behavior is aligned with healthcare compliance expectations rather than convenience.
TLS is the protocol that encrypts email as it travels between mail servers, helping protect patient information from interception.
Protocols such as TLS 1.0 and 1.1 have known weaknesses and are deprecated by security standards bodies.
Yes. Research found that messages may still be delivered using weak encryption or no encryption at all when TLS negotiation fails.
Certificates verify the identity of the receiving server. Expired or self-signed certificates prevent reliable verification of the connection.
Paubox enforces modern TLS, manages certificate validation, and avoids silent fallback to unencrypted delivery, reducing exposure of PHI.