Healthcare IT Dangerously Overconfident in Email Security, New Report Finds

by Fred Pennic 06/09/2025

What You Should Know: 

– A new 2025 report from Paubox reveals a critical disconnect between the perceived security readiness and actual email vulnerability within healthcare organizations. While 92% of healthcare IT leaders express confidence in their ability to prevent email-based data breaches, 8 out of 10 admit to worrying about their HIPAA compliance status, highlighting a dangerous overconfidence that leaves patient data exposed.

– The report, “2025 Healthcare Email Security Report,” which leverages survey data from 150 U.S. healthcare IT leaders, breach analysis, and configuration audits, argues that email remains healthcare’s largest cybersecurity vulnerability. Critical gaps persist due to outdated systems and tools that create significant user frustration, leading staff to bypass security protocols.

The Confidence Gap: Why Perceived Security Isn’t Reality

The confidence expressed by IT leaders is undermined by common on-the-ground realities. The Paubox report points to widespread security weaknesses that are often overlooked, including:

  • User-dependent encryption that relies on staff to take extra steps.
  • Partially configured email authentication tools like DMARC and SPF.
  • A lack of formal incident response workflows for email-related risks, which is a HIPAA violation.
  • Failure to review email logs and analytics.

“Too often, organizations rely on infosec policies, user training, or manually enforced controls—rather than implementing automated, policy-driven email encryption solutions,” said Andrew Hicks, a partner at Frazier & Dieter Advisory, LLC. “This overreliance on human-dependent safeguards introduces unnecessary risk.”

This gap is further widened by significant barriers to adopting modern, HIPAA-compliant email solutions. Over half of IT leaders (54%) cited implementation complexity as a top concern, followed by a lack of vendor support (53%), IT staffing shortages (45%), and resistance from leadership (44%).

AI-Powered Threat Detection is Missing in Action

Phishing attacks are becoming more sophisticated, increasingly personalized and generated by AI to evade traditional, rules-based filters. The report highlights that while 89% of healthcare IT leaders believe AI and machine learning are critical for detecting email threats, only 44% are currently using AI-powered threat detection.

This leaves the majority of organizations vulnerable to modern attacks that can easily bypass outdated security measures. “If your email security plan doesn’t already include AI, you’re giving attackers a head start,” the report warns.

Budgets are Out of Touch with Risk

Despite email being the single largest attack vector in healthcare, the report finds a severe underinvestment in securing it. A majority (56%) of healthcare organizations allocate less than 10% of their IT budgets to cybersecurity, with most dedicating less than 6%.

This is starkly lower than in other sectors, such as financial services (10-12%) and general industry (21%). This underfunding persists even as the average cost of a healthcare data breach has climbed to $9.8 million in fines, lawsuits, and operational fallout.

When Security Plans Create Friction

A critical theme of the report is that usability is a core component of security. When security tools are cumbersome, they get bypassed. An overwhelming 86% of IT leaders admit that their current email security tools cause workflow friction for users.

Top frustrations include:

  • Complex password resets (54%)
  • High rates of false positives in filters (48%)
  • Clunky user interfaces (46%)
  • Delays from encryption processes (45%)

Perception ≠ Protection: 5 Moves to Make Now

The report concludes that confidence without clarity is dangerous. To move from a state of perceived security to one of genuine protection, healthcare organizations must challenge their assumptions and take decisive action. Paubox recommends five key moves:

  1. Audit your secure email configurations. Don’t assume they are set up correctly.
  2. Stop making users choose encryption. Make it automatic and seamless.
  3. Upgrade detection systems to keep up with AI-powered threats.
  4. Fund email security in proportion to its risk.
  5. Choose tools that disappear into the workflow, not ones that disrupt it.

For more information about the report, visit https://www.paubox.com/2025-report-healthcare-it-is-dangerously-overconfident-about-email-security

Copyright © 2025. HIT Consultant Media. All Rights Reserved.