
Why cloud platforms may prioritise email deliverability over security

De Gagne and colleagues have documented how email has become foundational to virtually every clinical and administrative workflow, making the choice of email platform a decision with direct compliance consequences.

The problem is that these platforms are engineered to prioritise deliverability, ensuring emails reach their destination, over security. When a recipient's server presents an expired, self-signed, or otherwise invalid certificate, cloud platforms deliver the message anyway rather than blocking it. The sender sees nothing unusual. The recipient gets the message. But the encryption layer protecting that message may be weaker than expected, or in some cases, not guaranteed at all. For healthcare organisations exchanging protected health information, this design choice creates a compliance risk.

 

Deliverability vs. security

Cloud email providers optimise for speed, inbox placement, and reliability. The business objective is that messages arrive. Merlo, Fard, and Hawamdeh's research on cloud computing's impact on enterprise digital transformation found that reduced upfront costs, operational flexibility, and scalability were the most frequently cited drivers of cloud adoption. Twenty percent of the studies they analysed identified cost savings as the primary motivator, with operational flexibility and market pressure following at 10%. Security, by contrast, appeared as the most cited barrier to adoption, mentioned in 32% of studies as a negative factor discouraging organisations from using cloud services.

The features that make cloud platforms attractive (availability, ease of use, seamless delivery) are the same features that can undermine security. Encryption, certificate validation, and TLS enforcement often aren't considered when the priority is ensuring that messages reach the inbox.

The Paubox certificate report illustrates this tension in the real world. In a sample of 803,378 unique outbound email relays, roughly 4% of connections went to servers with unverifiable certificates, including expired or self-signed certificates. Cloud email platforms frequently deliver these messages anyway. As Dizon and Meehan explain in their study of encryption principles, authentication is a core objective of encryption; it "permits the authorised parties to identify the author, sender and receiver of information." When certificate validation fails and a message is delivered regardless, the authentication that encryption is supposed to guarantee collapses. The sender assumes the message was secure. The compliance record shows nothing went wrong, even though the encryption was never verified.

Why cloud platforms make this choice

Three factors explain why cloud platforms prioritise deliverability over strict security enforcement:

 

The business model rewards reliability, not compliance

Cloud providers compete on uptime, speed, and seamless functionality. Merlo, Fard, and Hawamdeh found that 60.56% of survey respondents were satisfied with their cloud provider's services, but satisfaction was measured against operational performance, not security assurance. In fact, 28.17% of participants could not confidently evaluate their provider's security performance at all. The market rewards platforms that ensure emails "just work." Blocking messages due to certificate failures would generate support tickets, frustrate users, and drive customers to competitors. As the Paubox certificate report found, cloud email platforms routinely accept weak or unverifiable certificates because the alternative is message failure. Deliverability wins over security.

 

Global scale makes strict enforcement impractical

Microsoft and Google handle a significant share of global business email. Merlo, Fard, and Hawamdeh's survey found that 36.62% of respondents used Microsoft, 25.35% used Amazon, and 21.13% used Google as their cloud service provider. At this scale, enforcing strict certificate validation on every outbound connection would block a significant volume of legitimate email. The 4% certificate failure rate observed in the Paubox report translates into potentially millions of messages. Blocking all of them would disrupt healthcare workflows, vendor communications, and patient correspondence. Platforms make a calculated decision to deliver the message and let the recipient's infrastructure bear the risk.

 

User expectations reinforce permissive defaults

Ali, Al-Khalidi, and Al-Zaidi's research on cloud computing security found that cloud computing's "appealing qualities," like on-demand availability, virtually limitless resources, and minimal technical expertise required, drive adoption precisely because they reduce friction. Users expect email to arrive without intervention. The Paubox survey of small healthcare practices found that 98% of respondents said their platform "encrypts emails by default," yet most were using platforms whose encryption silently drops when the recipient's server does not support modern protocols. The gap between what users believe their platform does and what it actually does is where compliance risk accumulates.

Compliance risks for healthcare

The deliverability-first design of cloud email platforms creates HIPAA compliance risks for healthcare organisations.

Unverified encryption exposes PHI in transit. HIPAA's Security Rule requires covered entities to "implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network." When a cloud platform silently accepts an invalid certificate and delivers a message, the organisation has no evidence that PHI was transmitted securely. Dizon and Meehan's research establishes that encryption serves three objectives: confidentiality, integrity, and authenticity. A self-signed certificate removes third-party validation of server identity, meaning authenticity cannot be confirmed. As the Paubox certificate report states, "HIPAA doesn't spell out 'no self-signed certs,' but the Security Rule requires organizations to verify the integrity of the connection. A self-signed certificate cannot provide that verification."

Business Associate Agreements shift liability, not risk. The Paubox report on healthcare email attacks found that 28% of email-related breaches in 2025 involved business associates. Vendor-related email exposure was the most common email breach pattern reported to HHS that year. A signed BAA creates a contractual framework, but it does not guarantee that a vendor's email infrastructure maintains valid certificates or enforces encryption. When a billing vendor's server presents an expired certificate, and the cloud platform delivers the message anyway, the covered entity retains regulatory exposure. Ali, Al-Khalidi, and Al-Zaidi emphasise that cloud hosting inherently means "losing control over infrastructure and data." In healthcare email, that loss of control extends to the certificate hygiene of every downstream vendor.

The Paubox report on HIPAA and email security found that in 2025, OCR issued fines ranging from $80,000 to over $9 million for organisations whose email systems lacked enforced encryption or adequate risk analysis. A clinic was fined $25,000 simply for sending PHI to the wrong recipient via unencrypted email. The Paubox survey of small practices found that 82% of healthcare IT leaders worry their staff will miss a critical alert or skip a security step, yet 47% cited reliance on default email provider settings as a reason for failing HIPAA compliance audits. Providers are unknowingly transmitting unencrypted PHI because their platform prioritised deliverability, and there is no audit trail to indicate otherwise.

How to mitigate the risk

Closing the gap between deliverability and compliance requires shifting from assumptions about encryption to verification of encryption.

  • Enforce TLS with fallback blocking: The most direct mitigation is to prevent insecure delivery rather than allowing it. When a recipient's server presents an invalid certificate, the email should not be sent over that connection. Paubox Email Suite addresses this by actively checking the certificates on receiving servers before transmitting PHI. It looks for expired certificates, self-signed certificates, incomplete or missing certificate chains, and revoked or malformed certificates. When validation fails, Paubox blocks the standard delivery path and automatically delivers the message as a secure Paubox message instead.
  • Audit vendor BAAs against technical reality: A signed BAA is a legal requirement, but it is not a technical safeguard. Healthcare organisations should audit the certificate infrastructure of business associates and downstream vendors. The Paubox certificate report found that certificate failures appear across the healthcare ecosystem, in hospitals, clinics, billing firms, revenue cycle vendors, imaging companies, and managed service providers. Organisations rarely know when they rely on a vendor with a broken certificate infrastructure.
  • Train staff that deliverability is not compliance: The Paubox survey of small healthcare practices found that 83% of respondents believed patient consent removes the need for encryption, and 64% believed portals are required for HIPAA compliance. These misunderstandings persist because staff equate successful delivery with secure delivery. Training programmes should explicitly address how cloud platforms handle certificate failures and why a delivered message is not necessarily a compliant message.
  • Document communication policies in risk management frameworks: HIPAA's Security Rule requires not only that encryption is active, but that it can be proven. Logs and audit trails should demonstrate that safeguards were applied for every outbound message containing PHI. As Dizon and Meehan note, auditability is among the additional objectives of encryption; organisations need systems that produce verifiable proof of encryption, not just the assumption that encryption is working.
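The certificate check and the audit record described in the list above can be reproduced with a strict STARTTLS probe. This is an added example, not Paubox's implementation or code from the reports cited here; the function names, status labels and the `hold_for_secure_channel` action are hypothetical.

```python
import smtplib
import ssl
from datetime import datetime, timezone

# OpenSSL X509 verify error codes mapped to the failure classes listed above.
VERIFY_CLASSES = {
    10: "expired",            # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self_signed",        # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "self_signed",        # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "incomplete_chain",   # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "incomplete_chain",   # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    23: "revoked",            # only raised when CRL checking is enabled on the context
    62: "hostname_mismatch",  # X509_V_ERR_HOSTNAME_MISMATCH
}

def classify(verify_code):
    """Map an OpenSSL verify code to a failure class; unknown codes stay invalid."""
    return VERIFY_CLASSES.get(verify_code, "other_invalid")

def probe_mx(mx_host, timeout=10):
    """Open SMTP to mx_host:25 and attempt STARTTLS with chain and hostname checks."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        smtp.connect(mx_host, 25)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "no_starttls"
        smtp.starttls(context=ctx)
        return "valid"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)
    except (OSError, smtplib.SMTPException):
        return "connect_or_tls_error"
    finally:
        smtp.close()

def delivery_decision(domain, mx_host, status):
    """Fail closed: anything other than 'valid' is held, and the result is logged."""
    action = "deliver_tls" if status == "valid" else "hold_for_secure_channel"
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "recipient_domain": domain,
        "mx_host": mx_host,
        "tls_status": status,
        "action": action,
    }
```

Running `probe_mx` against each MX host of a vendor's domain and storing the `delivery_decision` record gives both the vendor audit and the per-message evidence; the MX lookup itself is left out because it needs a DNS library.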

 

Future outlook

The regulatory environment around healthcare email encryption is shifting from flexibility to mandate.

In early 2025, the Office for Civil Rights proposed updates to the HIPAA Security Rule that would make encryption of all ePHI, at rest and in transit, a required safeguard, not an addressable one. The proposed rule also calls for mandatory annual compliance audits, configuration hardening, and verified security controls for business associates.

At the same time, cloud platforms continue to evolve their architectures around deliverability and AI-driven optimisation. Merlo, Fard, and Hawamdeh note that future research is needed to "explore and understand the impacts of AI and cloud computing on the digital transformation of the enterprise," acknowledging that the intersection of AI-driven services and cloud infrastructure will reshape how data is handled. For healthcare, this creates a reality where platforms may become more sophisticated at ensuring messages arrive while encryption enforcement remains a secondary concern.

Dizon and Meehan's analysis of encryption principles offers a framework for evaluating this trajectory. They argue that technical principles such as "information security, primacy of keys and resistance to attacks should be recognised and upheld in the development and adoption of encryption regulation." When cloud platforms architecturally encode a preference for deliverability over security, the researchers connect this to Lessig's theory that technology architecture regulates behaviour as powerfully as law, and argue that technical principles of encryption must be recognised and upheld in technology regulation. Healthcare organisations cannot wait for platforms to change their defaults. They must demand compliance-first solutions rather than accepting convenience-first architectures.

 

FAQs

What is email deliverability?

Email deliverability refers to whether an email successfully reaches the recipient's inbox.

 

What is the role of a Business Associate Agreement?

A BAA is a legal contract between a covered entity and a vendor that handles PHI. It establishes obligations for safeguarding ePHI but does not guarantee that the vendor's technical infrastructure enforces encryption.

 

What is a self-signed certificate?

A self-signed certificate is a digital certificate created by the server itself rather than issued by a trusted certificate authority. Since no third party has verified the server's identity, there is no independent way to confirm the certificate is legitimate.
