New Report Exposes Confidence Crisis in Healthcare IT Security

SAN FRANCISCO--(BUSINESS WIRE)--A new Paubox report reveals that healthcare IT leaders significantly overestimate their email security—leaving patient data exposed to real and growing threats.

Why it matters: Patient data doesn’t just live in EHRs. It flows through inboxes, attachments, referrals, and care coordination chains every single day. If your email system isn’t locked down, your HIPAA posture is a house of cards.

Share

According to Healthcare IT is dangerously overconfident about email security, 92% of healthcare IT leaders believe they are equipped to prevent email breaches.

They’re not.

A survey of 150 U.S.-based healthcare organizations exposed that most are relying on outdated systems, misconfigured tools, and email security processes that are routinely bypassed by staff.

The report points to a widespread “confidence gap” in healthcare cybersecurity, where leaders assume they are secure but fail to match that confidence with the technology, training, or budget investment needed to keep up with today’s threats.

Why it matters:

Patient data doesn’t just live in EHRs. It flows through inboxes, attachments, referrals, and care coordination chains every single day. If your email system isn’t locked down, your HIPAA posture is a house of cards.

“As a cybersecurity consulting practice engaging with hundreds of organizations annually, we consistently observe a critical gap in email security practices. Too often, organizations rely on infosec policies, user training, or manually enforced controls—rather than implementing automated, policy-driven email encryption solutions,” shared Andrew Hicks, Partner and National HITRUST Practice Lead for Frazier & Dieter Advisory, LLC. “This overreliance on human-dependent safeguards introduces unnecessary risk and undermines the integrity of outbound email protection strategies.”

Despite 89% of respondents identifying AI and machine learning as essential for detecting modern email threats, only 44% say they’ve implemented AI-powered solutions. At the same time, 56% of organizations allocate less than 10% of their security budget to email—the sector’s top threat vector.

Key findings from the report include:

• 8 out of 10 healthcare IT leaders admit they worry about their HIPAA compliance status
• 86% say their current tools create workflow friction
• Common barriers to improving email security include implementation complexity (54%), vendor limitations (53%), and legacy tech (41%)

“We’ve seen email threats evolve faster than many tools meant to stop them,” said Hoala Greevy, CEO of Paubox. “It’s not just about phishing anymore–it’s about deception at scale.”

The report also includes five recommended steps for closing the confidence gap, such as auditing email configurations, eliminating manual encryption processes, and funding email security in proportion to its risk.

“Cybercriminals are exploiting the biggest vulnerability within any organisation: humans,” said Amy Larsen DeCarlo, Principal Analyst for Global Data. “As progress in artificial intelligence (AI) and analytics continues to advance, hackers will find more inventive and effective ways to capitalise on human weakness in areas of (mis)trust, the desire for expediency, and convenient rewards.”

The full report is available at: https://hubs.la/Q03rfnmY0

About Paubox

Paubox offers HIPAA compliant communication solutions that empower healthcare organizations of any size to simply and securely communicate. Our suite of solutions includes HIPAA compliant encrypted email, inbound email security, HIPAA compliant email marketing, and HIPAA compliant email API for transactional communications. Our customers love our HITRUST certified solutions and we have industry-topping G2 ratings (4.9/5 stars). Learn more at paubox.com