Why private practices are prime targets for email-based cyberattacks
Gugu Ntsele December 17, 2025
According to Vulnerability to Cyberattacks and Sociotechnical Solutions for Health Care Systems: Systematic Review by Pius Ewoh and Tero Vartiainen, between 2012 and 2022, more than 24% of all data breaches across all industries originated in the healthcare sector. Furthermore, between 2009 and 2021, the US Department of Health and Human Services reported 4,419 healthcare data breaches, resulting in over 314 million healthcare records being lost, stolen, or exposed.
Cybersecurity and How to Maintain Patient Safety, published by the Patient Safety Network, states that data breaches affected over 112 million Americans in 2023, more than double the 46.8 million affected in 2022.
The dangerous overconfidence
According to the Healthcare IT is dangerously overconfident about email security report by Paubox, 92% of healthcare IT leaders say they are confident in their ability to prevent email-based data breaches. Yet when we examine the actual configurations and security measures in place, the Paubox report reveals that this confidence rarely translates to robust protection.
Andrew Hicks, Partner and National HITRUST Practice Lead at Frazier & Deeter Advisory, LLC, observes in the Paubox report: "As a cybersecurity consulting practice engaging with hundreds of organizations annually, we consistently observe a critical gap in email security practices. Too often, organizations rely on infosec policies, user training, or manually enforced controls—rather than implementing automated, policy-driven email encryption solutions."
The data confirms that 8 out of 10 healthcare IT leaders admit they worry about their HIPAA compliance status, according to the Paubox report. That anxiety exists alongside their stated confidence, which shows how uncertain many organizations really are about their actual email security.
Limited cybersecurity infrastructure
Research published in Phishing in healthcare organizations: threats, mitigation and approaches found that around 2%–3% of all email and internet traffic to an NHS healthcare organization is considered suspicious, which represents over 50 million internet transactions and over 100,000 potentially malicious emails annually in a single organization. For private practices without dedicated security infrastructure, numbers like these amount to constant exposure.
The cost of implementing robust security measures can seem prohibitive for small practices operating on tight budgets. However, the average cost of a healthcare data breach now runs to millions of dollars once regulatory fines, legal fees, remediation costs, and reputational damage are counted. As Ewoh and Vartiainen note, organizations tend to spend more on procuring new technology while committing only 5% or less of their budgets to the security of their critical healthcare systems.
The Paubox report confirms that most healthcare organizations allocate less than 6% of their IT budgets to cybersecurity. This contrasts with financial services, where cybersecurity budgets often exceed 10–12% of total IT spend, and with general industry, where cybersecurity takes up 21% of IT budgets on average. As Tony Cox, CIO of Henderson Behavioral Health, observes in the Paubox report: "I see the gap in time between new vulnerabilities emerging and budgets catching up to them. That delay? That's where the attackers live."
Yet technology investment alone cannot solve the problem. As emphasized in Healthcare 4.0: A Review of Phishing Attacks in Cyber Security, even the best security systems are ineffective without informed and vigilant users.
Staff vulnerabilities
According to the same healthcare cybersecurity study, phishing now accounts for more than 80% of social hacking across organizations. Phishing emails have become sophisticated, mimicking communications from insurance companies, pharmaceutical suppliers, or even colleagues.
Amy Larson DeCarlo, Principal Analyst at Global Data, notes this vulnerability in the Paubox report: "Cybercriminals are exploiting the biggest vulnerability within any organization: humans. As progress in artificial intelligence (AI) and analytics continues to advance, hackers will find more inventive and effective ways to capitalize on human weakness in areas of (mis)trust, the desire for expediency, and convenient rewards."
Furthermore, Ewoh and Vartiainen's research confirms that human error is a significant factor in the event of a cyberattack and accounts for more than 70% of data fraud and breaches in business organizations. The research demonstrates just how effective these attacks can be, noting that in one healthcare study involving around 5,000 employees, over 65% clicked on at least two suspicious emails, and mandatory training programs showed no effect in reducing these click rates.
It's fair to say that traditional one-time training approaches may not protect staff from sophisticated threats. The Paubox report reinforces this point by noting that while training helps, 95% of phishing still goes unreported, meaning organizations need better detection systems rather than just more training sessions.
The dominance of email as an attack vector
The research in ‘Phishing in healthcare organizations’ reveals that phishing resulted in more breaches than malware and unpatched systems combined (48% vs 41%). This finding shows that even practices with updated software and antivirus protection remain vulnerable if their email security and staff awareness are inadequate.
Cyber attackers typically gain access through phishing tactics that require just one employee to click a link in a deceptive email. Once clicked, malware spreads throughout the organization's network, as explained in the article published by the Patient Safety Network.
The Paubox report notes that, "Attackers are scraping LinkedIn profiles and crafting spoofed messages that bypass outdated logic entirely." These AI-powered attacks represent an evolution in phishing sophistication that legacy security systems simply cannot match. The report notes that 89% of healthcare IT leaders identified AI and machine learning as critical for detecting email threats, yet only 44% of organizations currently use AI-powered threat detection, leaving a gap between awareness and action.
Legacy systems and complex devices
Private practices face a double challenge when it comes to their technology infrastructure. According to Ewoh and Vartiainen's systematic review, 85% of medical organizations use outdated operating systems or infrastructure. These legacy systems, often running on unsupported software, lack critical security updates and create easy entry points for cybercriminals.
At the same time, modern healthcare relies on a complex network of connected devices. The systematic review found that 51% of studies acknowledged network-connected endpoint medical devices as the most significant technical reason for healthcare systems' vulnerability to cyberattacks. For private practices, this means that everything from electronic health record systems to connected diagnostic equipment potentially creates new attack surfaces that must be secured.
The Paubox report highlights the barriers preventing organizations from modernizing their email security. Among IT leaders surveyed, 54% cited implementation complexity as a top concern, 53% pointed to lack of vendor support, and 41% struggled with integration challenges with legacy systems.
Regulatory compliance gaps
The Paubox report reveals that most portals introduce friction, leading to non-compliance workarounds. When security systems create obstacles, staff are likely to find ways around them, often compromising the very protections those systems were meant to provide. The report found that 86% of IT leaders say their current email security tools cause workflow friction, with 54% citing clunky user interfaces as a primary frustration.
Smaller practices may lack the legal and compliance expertise to properly assess their vulnerabilities or implement appropriate safeguards. They may be unaware that HIPAA requires not just data security but also regular risk assessments, employee training, and incident response plans.
The Joint Commission now mandates that accredited organizations conduct hazard vulnerability analyses and maintain comprehensive continuity of operations plans, disaster recovery plans, and emergency operations plans, as outlined in the article published by the Patient Safety Network. For private practices, meeting these requirements while managing day-to-day clinical operations can be a challenge.
As Ryan Winchester, Director of IT at CareM, notes in the Paubox report: "Our company is as strong as the weakest employee link. HIPAA compliance depends on awareness and proper training—but also the right systems."
The real-world impact on patient safety
As Pelletreau, Riggi, Gale, and Mossburg emphasize in Cybersecurity and How to Maintain Patient Safety, when healthcare systems are compromised, patient safety is directly threatened. Critical procedures may be delayed, clinicians lose access to vital information such as medical histories and allergy records, and treatment decisions must be made without timely access to diagnostic imaging or lab results.
During system downtime, healthcare workers must resort to workarounds including calling pharmacies to retrieve medication information, using fax machines for orders within the facility, relying on paper charts, and deploying runners to communicate between units. Recovery from these attacks can take several months, requiring validation of decrypted files, system functionality checks, manual entry of paper forms back into electronic systems, and replacement of compromised devices.
Protecting your practice
Based on recommendations from HHS and the Joint Commission as cited in Cybersecurity and How to Maintain Patient Safety, organizations should consider appointing a clinical director of cybersecurity, someone who understands both security principles and clinical operations, to oversee cyber-awareness programs, cyber-hygiene measures like firewalls, and incident planning and response.
The Paubox report offers five moves healthcare organizations should make immediately:
- Audit your secure email configurations. Don't assume. Many compliance failures result from false assumptions rather than negligence. Teams think their vendor handles security, or they've passed a one-time audit and treat that as permanent clearance.
- Stop making users choose encryption; make it automatic. As the Paubox report emphasizes: if your HIPAA compliance depends on end users remembering to encrypt, you're not compliant; you're pushing your luck.
- Upgrade detection systems to keep up with AI-powered threats. Legacy rule-based filters form an essential baseline, but they can't match the sophistication of AI-generated phishing attacks. If your email security plan doesn't already include AI-powered detection, you're giving attackers a head start.
- Fund email security in proportion to its risk. Email is the single largest vector for cyberattacks in healthcare, yet it's often buried inside broader IT budgets. The average cost of a breach now exceeds $9.8 million in lawsuits, fines, and operational fallout.
- Choose tools that disappear into the workflow, not ones that disrupt it. The most secure email system is the one your users actually use. Tools that create friction will inevitably be bypassed, undermining even the best-intentioned security efforts.
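The first of those moves, auditing rather than assuming, is easy to turn into a repeatable check. The example below is an added illustration written for this article, not Paubox's code or a tool the report describes; it assumes the practice publishes SPF and DMARC TXT records for its mail domain (the standard mechanisms that let receiving servers reject mail spoofed in the practice's name), and the two record sets it audits are constructed samples for a hypothetical `practice.test` domain, not real records. It flags the settings that a "we passed the audit once" assumption tends to hide: a monitoring-only DMARC policy, an SPF record that merely softfails spoofed senders, partial enforcement via `pct`, and missing aggregate reporting.

```python
"""Audit published email-authentication records for weak settings.

Added example for this article (not Paubox's code). Assumes the practice
publishes SPF and DMARC TXT records. The records below are constructed
samples for a hypothetical domain, not real DNS data.
"""
import re

# Constructed sample records: a weak configuration beside the corrected one.
WEAK = {
    "spf": "v=spf1 include:_spf.example-mailvendor.test ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@practice.test",
}
STRONG = {
    "spf": "v=spf1 include:_spf.example-mailvendor.test -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@practice.test; adkim=s; aspf=s; pct=100",
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|redirect=|exists:|ptr)", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Return a list of findings for an SPF record; empty means nothing weak found."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no valid record (v=spf1 missing)"]
    findings = []
    terms = record.split()
    all_term = next((t for t in terms if ALL_TERM.match(t)), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are permitted by default")
    elif all_term.startswith(("+", "?")) or all_term.lower() == "all":
        findings.append(f"SPF: '{all_term}' lets any host send as the domain")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' (softfail) only flags spoofed mail; consider '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def audit_dmarc(record):
    """Return a list of findings for a DMARC record; empty means nothing weak found."""
    tags = parse_dmarc(record or "")
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognized or missing policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - int(pct)}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to review")
    return findings


def audit_domain(records):
    """Audit one domain's published records; an empty list means no weak setting found."""
    return audit_spf(records.get("spf")) + audit_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("corrected", STRONG)):
        findings = audit_domain(recs)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

In practice the two record strings would come from a DNS TXT lookup of the domain and of `_dmarc.<domain>`, and the script would run on a schedule so that a vendor change or a lapsed policy shows up as a new finding rather than surviving as an assumption until the next audit.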
Drawing from the sociotechnical solutions outlined by Ewoh and Vartiainen, effective protection requires addressing three interconnected areas: human behavior, through enhanced training and awareness; technology, through proper investment in security infrastructure and phasing out legacy systems; and organizational processes, through clear policies and verification procedures.
As Hoala Greevy, CEO of Paubox, notes in the report: "We've seen email threats evolve faster than many tools meant to stop them. It's not just about phishing anymore—it's about deception at scale."
FAQs
Are private practices targeted more than large hospitals because they hold less data?
No, private practices are targeted because their data is just as valuable but normally less protected.
Can cyber insurance fully protect a practice from the financial impact of a breach?
Cyber insurance can help offset costs, but it does not prevent breaches or cover all regulatory and reputational damage.
Are non-clinical staff equally at risk of being targeted by phishing attacks?
Yes, attackers frequently target administrative and billing staff who handle sensitive data but may receive less security training.
Does HIPAA compliance automatically mean a practice is secure from cyberattacks?
No, HIPAA compliance sets minimum standards and does not guarantee real-world protection against evolving threats.
