HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Modernizing healthcare cybersecurity strength through layered prevention

Written by Lusanda Molefe | Jul 22, 2025 1:37:01 PM

Healthcare organizations struggle with targeted phishing and credential theft, even as technical controls improve and awareness efforts intensify. Between 2024 and January 2025, 180 organizations filed breach reports with the HHS Office for Civil Rights due to email security failures. The Paubox and IBM 2025 reports paint a clear picture that phishing is no longer sporadic but systemic. Without layered safeguards, patient data, clinical workflows, and institutional reputations remain vulnerable.

To mitigate these growing threats, healthcare organizations must adopt a proactive, layered approach to cybersecurity, one that blends modern technologies with strategic planning and continuous education. Technical controls may be the starting point, but human vigilance and infrastructure modernization are equally important components of effective risk mitigation.


Authentication evolution

Multifactor Authentication (MFA) is one of the most recognized security controls today, but it’s far from foolproof. While MFA adds a layer of security by requiring multiple factors for access, such as a password, fingerprint, or passcode, attackers have adapted with tools that exploit its vulnerabilities.

MFA bypass kits, which are readily available on the dark web, allow attackers to capture credentials and hijack session tokens. These tactics enable unauthorized access even when MFA is deployed. Amy Larson DeCarlo, Principal Analyst at GlobalData, warns, “MFA bypass kits are readily accessible and cost-effective. The danger for HIPAA-compliant organizations is that cybercriminals can use these kits to capture credentials and session tokens, which in turn can be used to gain access to Personally Identifiable Information of patients and employees.”

To mitigate this risk, healthcare organizations must move away from legacy verification methods like passwords, one-time codes, and push notifications. DeCarlo recommends transitioning to authentication methods that are harder to intercept, such as digital signatures or passkeys.

Passkeys represent a modern alternative to passwords. Built on the FIDO2 framework, passkeys eliminate shared secrets between users and servers. Instead of storing passwords in databases that could be breached, passkeys rely on asymmetric cryptography. Public keys are stored on servers while private keys remain on personal devices, significantly reducing the risk of credential theft.

According to research conducted by the University of Southern California, passkeys are up to 75% faster than typing passwords and boast a 20% higher success rate for authentication. They also integrate with biometrics like facial recognition and fingerprints, offering convenience alongside privacy. Research published in the Partners Universal Innovative Research Publication (PUIRP) states that passkeys isolate secret authentication factors on personal devices, which prevents visibility by internal staff and enhances individual privacy. Because private keys are never transmitted or centrally stored, the chances of mass compromise drop significantly.



HISAA’s role in shaping cybersecurity

As threats escalate, regulatory momentum is shifting. The proposed Healthcare Information Security and Accountability Act (HISAA) aims to mandate cybersecurity standards across healthcare entities, adding legislative oversight to technical enforcement.

Brent Hoard, Partner at Troutman Pepper, outlines what the bill would require: “The proposed legislation would include more prescriptive technology requirements, annual independent audit and testing requirements, additional vendor oversight, and enhanced penalties that could even include criminal charges.”

However, industry reactions to HISAA have been mixed. Many leaders agree that stricter standards are needed, but smaller healthcare organizations worry about their ability to absorb the administrative burden. “The requirements would be costly, but likely manageable, for larger, more resource-rich organizations,” Hoard explains. “However, the administrative, assessment/audit, and testing requirements could pose significant challenges, especially for smaller healthcare entities.”

If passed, HISAA would strengthen accountability and data protection nationwide, but healthcare leaders must prepare for increased scrutiny, broader compliance audits, and potentially new operational standards. For now, the bill serves as a wake-up call that cybersecurity is no longer optional.



Incident response as standard

Even strong defenses can falter. Despite best efforts, security incidents remain possible, and without a predefined response, the damage can escalate quickly. Incident response planning remains a neglected priority in many healthcare systems, yet its absence amplifies harm.

A comprehensive response plan should clearly outline procedures for isolating and containing the breach, removing the threat actor, restoring impacted systems and data, and conducting a full post-incident review. This playbook should be tested regularly and involve stakeholders across departments, including IT, legal, compliance, and clinical operations.

“We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach,” recalls Matt Murren, CEO of True North ITG. “The consequences were severe, including operational downtime, limited clinical functions, delayed patient services, and compromised patient trust.”

Outdated email platforms are especially dangerous because they lack the fundamental safeguards required for modern data protection. Encryption, access control, audit logging, and integration support are often missing. Murren stresses the regulatory implications, “HIPAA compliance is non-negotiable. Legacy systems jeopardize both security and reputation.”

Leonard Hamer, CEO of Physician Select Management, agrees, emphasizing the value of working with vendors who have formal security certifications. “Choosing technology partners and platforms that prioritize HIPAA compliance and hold a HITRUST certification is vital in healthcare,” he states. HITRUST-certified organizations demonstrate adherence to strict privacy and security benchmarks and provide added assurance that patient data will be protected across platforms.


Technical controls

Email security may be the foundation, but it’s not enough on its own. With 31.1% of breached entities classified as “High Risk,” according to the Paubox report, AI-powered email filtering must become standard, blocking spear phishing and Business Email Compromise (BEC) with real-time intelligence. These advanced filtering solutions, powered by artificial intelligence and threat intelligence, are designed to detect and neutralize sophisticated phishing campaigns that traditional filters often miss.

In addition to filtering, encryption remains a cornerstone of secure communication. In a study analyzing healthcare professionals’ perceptions of digital health technology threats, encryption was rated the most effective security measure for preventing breaches, receiving an average score of 4.36 out of 5. This widespread endorsement within the healthcare community shows the need for secure message delivery protocols and strong encryption frameworks.

To further enhance email security, organizations should implement layered authentication controls. Protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) work together to authenticate email sources and prevent spoofing attempts. These configurations help ensure that messages are trustworthy and minimize the likelihood of manipulation.
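As an added example that is not from the article, the Go program below shows the part of this arrangement that SPF and DKIM leave to DMARC: checking that the domain each protocol authenticated aligns with the From: domain the recipient actually sees, and applying the domain owner's published policy when nothing aligns. The AuthResult values are constructed stand-ins for the verdicts a mail server has already recorded, and organizational-domain matching is simplified to a subdomain suffix check rather than a public-suffix lookup.

```go
package main

import "strings"

// AuthResult is what an MTA records after SPF and DKIM checks (constructed inputs).
type AuthResult struct {
	FromDomain string // RFC5322.From domain, the one the recipient sees
	SPFDomain  string // RFC5321.MailFrom domain that SPF evaluated
	SPFPass    bool
	DKIMDomain string // d= tag of a signature that verified
	DKIMPass   bool
}

// DMARCRecord holds the tags of a _dmarc TXT record that drive the decision:
// p= policy and the adkim=/aspf= alignment modes (r relaxed, s strict).
type DMARCRecord struct{ Policy, ADKIM, ASPF string }

// ParseDMARC reads e.g. "v=DMARC1; p=reject; adkim=s; aspf=r"; missing
// alignment tags default to relaxed, a missing policy to none.
func ParseDMARC(txt string) DMARCRecord {
	tags := map[string]string{"p": "none", "adkim": "r", "aspf": "r"}
	for _, tag := range strings.Split(txt, ";") {
		if kv := strings.SplitN(tag, "=", 2); len(kv) == 2 {
			k := strings.ToLower(strings.TrimSpace(kv[0]))
			tags[k] = strings.ToLower(strings.TrimSpace(kv[1]))
		}
	}
	return DMARCRecord{Policy: tags["p"], ADKIM: tags["adkim"], ASPF: tags["aspf"]}
}

// aligned applies identifier alignment: strict needs an exact match, relaxed also
// accepts a subdomain (simplified: no public-suffix lookup of the organizational domain).
func aligned(from, auth, mode string) bool {
	from, auth = strings.ToLower(from), strings.ToLower(auth)
	return from == auth || (mode == "r" && strings.HasSuffix(auth, "."+from))
}

// Evaluate returns "pass" when SPF or DKIM both passed and aligned with the From
// domain; otherwise it returns the disposition the domain owner asked for.
func Evaluate(rec DMARCRecord, r AuthResult) string {
	if (r.SPFPass && aligned(r.FromDomain, r.SPFDomain, rec.ASPF)) ||
		(r.DKIMPass && aligned(r.FromDomain, r.DKIMDomain, rec.ADKIM)) {
		return "pass"
	}
	return rec.Policy
}
```

The case worth noticing is a message that passes SPF and DKIM for some unrelated domain while displaying your domain in From:; without the alignment check it would look authenticated, and only p=quarantine or p=reject turns the failure into an action.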



Human firewalls

Technology can’t replace vigilance. The Paubox report found that only 5% of phishing attempts are flagged by employees, exposing gaps in organizational defense. These blind spots, which are often caused by lackluster training or generic security awareness programs, make staff an unwitting vulnerability.

Security awareness training should move beyond traditional presentations and policy reminders. Healthcare organizations must provide consistent, engaging, and healthcare-specific training designed to simulate real-world scenarios. These sessions should teach staff to spot phishing red flags such as mismatched URLs, urgent language, and unfamiliar senders mimicking internal personnel.

“Healthcare organizations must move to modern, cloud-hosted email systems as a baseline for security,” says David Chou, Founder of Chou Group. “Equally important is ongoing education to protect staff from phishing and social engineering, which continue to be the most effective tactics used by attackers.”

Security awareness is not merely a checkbox but a defense strategy. By transforming every staff member into a frontline cybersecurity participant, organizations can limit the spread of malicious messages and reduce overall risk.



FAQs

What is the FIDO2 standard? 

A set of specifications for passwordless authentication developed by the FIDO Alliance.


What is spear phishing? 

A targeted phishing attack where the attacker mimics a trusted source to trick victims into revealing sensitive information.


What are BEC attacks? 

Business Email Compromise scams that deceive staff into transferring money or confidential data.


Is Paubox HITRUST certified? 

Yes. Paubox holds HITRUST certification, ensuring alignment with healthcare data protection standards.