Email is a common attack surface, with phishing campaigns exploiting gaps in user awareness and outdated infrastructure. These phishing attacks are attempts to acquire sensitive information via targeted email communications, often crafted to appear legitimate or to impersonate trusted entities within or outside the healthcare system.
The Cybersecurity and Infrastructure Security Agency (CISA) guidance originates at a government agency level but its influence on healthcare organization practices can be traced through evolving recommendations around anti-phishing measures, mandatory staff training, and technical safeguards.
The results indicated that healthcare workers generally performed well in identifying phishing attempts, with no malicious credential harvests or harmful file downloads reported during the assessment. However, the presence of a substantial volume of potentially harmful email (as evidenced in a BMJ Health & Care Informatics study, with about 2%–3% of all incoming messages flagged as suspicious) reveals ongoing risks.
Primary guidelines can be derived from Binding Operational Directive 18-01: Enhance Email and Web Security, which requires federal civilian agencies to strengthen their cyber defenses. These guidelines reflect a synthesis of operational insights, best practices, and standards such as those from the National Institute of Standards and Technology (NIST). They aim to mitigate persistent risks posed by phishing emails and unencrypted web traffic, which remain among the leading causes of cybersecurity incidents across sectors, including healthcare, government, and infrastructure.
At the core of CISA’s email security guidance is the deployment of strong email authentication protocols. The Security Journal study ‘Prevention and mitigation measures against phishing emails: a sequential schema model’ provides one of the main recommendations, “CISA (n.d.) suggests SPF and DKIM in detecting unauthorized emails. SPF enables the recipient to know which mail servers are used from the sender’s domain, which in turn shows the DNS ‘which servers are allowed to send email on behalf of a domain’.” DKIM adds cryptographic signatures to outgoing emails, allowing the receiving system to verify content authenticity and sender validity.
DMARC provides a policy framework instructing mail servers how to handle messages failing SPF or DKIM checks, with the strictest reject policy preventing unauthenticated emails from reaching user inboxes. This approach reduces the risk of email spoofing and phishing attacks, as shown in studies emphasizing how DMARC reject policies provide the strongest protection against spoofed emails.
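The following Python is an added example, not code from the page, CISA or the cited studies. It carries through the DMARC decision just described: a message passes only if SPF or DKIM passed and the authenticated domain is aligned with the visible From domain; otherwise the domain's published p= policy (none, quarantine or reject) applies. The DMARC records and authentication results are constructed sample data, and the organizational-domain lookup is simplified to the last two labels (a real receiver consults the Public Suffix List).

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r' into a dict.
    Missing alignment tags default to relaxed ('r'); missing p= defaults to none."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    # Simplified organizational domain: last two labels (constructed shortcut,
    # a production receiver uses the Public Suffix List instead).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, dmarc_txt, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return ('pass', 'none') when SPF or DKIM both passed and is aligned with
    the RFC5322.From domain; otherwise ('fail', <p= policy>)."""
    rec = parse_dmarc_record(dmarc_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", rec["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed record
    # Spoofed message: SPF passes only for the sender's own unrelated domain,
    # no DKIM signature, so the reject policy applies.
    print(dmarc_disposition("hospital.example", record,
                            "pass", "unrelated.example", "none", ""))
```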
CISA’s Binding Operational Directive 18-01, the Healthcare and Public Health Sector Cybersecurity Performance Goals, and related federal standards like those from NIST are used to influence the way email is secured. They are designed to reduce the risk of phishing, email-based compromises, and web exploitation, all of which are needed to protect sensitive health information and ensure compliance with HIPAA and other regulations in healthcare environments. The central points include:
According to the CISA guidance, “Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email.” Email accounted for approximately 17.5% of breaches in healthcare between 2010 and 2019, second only to paper/film records breaches.
Incidents involving email-based breaches have been increasing sharply since 2016, reflecting the sector’s growing reliance on digital communication and the integration of smart devices into healthcare workflows. These vulnerabilities are multifaceted, stemming from both technological weaknesses and human factors, which CISA’s guidance aims to address comprehensively.
A prominent technological vulnerability is the widespread use of outdated or incomplete email security controls, like weak or missing authentication protocols and encryption. Several NCBI studies report that many healthcare providers fail to fully implement protocols like SPF, DKIM, and DMARC.
This gap opens the door for malicious actors to craft emails that appear legitimate, deceiving healthcare professionals into inadvertently disclosing sensitive information or clicking malicious links. Attackers frequently use CEO phishing or business email compromise methods that impersonate trusted executives, a tactic documented to be increasing within healthcare.
A large proportion of healthcare email communication lacks adequate encryption, increasing the risk of interception or man-in-the-middle attacks. Older protocols like SSLv3 or insecure cipher suites remain in use, further exposing sensitive PHI during transmission. CISA’s guidance to phase out these outdated methods and adopt strong encryption standards is aimed squarely at plugging this vulnerability.
Healthcare organizations handle large volumes of sensitive patient data (ePHI), making them attractive targets for cybercriminals. Many healthcare employees use email to transmit private health information, but they may lack sufficient security awareness, making them vulnerable to phishing attacks and other email-borne threats.
The most common attacks include phishing, spear-phishing, business email compromise (BEC), malware distribution, and ransomware attacks. Phishing is often used to steal credentials or deliver malware.
Phishing emails trick employees into revealing their login credentials or downloading malicious attachments.