
Think your email is secure? A new report says otherwise
Key Takeaways
- Healthcare IT leaders are overconfident in email security, with significant gaps and underinvestment in protection efforts.
- Many organizations lack automated safeguards for HIPAA compliance, leading to a precarious security posture.

A new Paubox report reveals a dangerous disconnect between health care leaders' confidence in email security and the widespread vulnerabilities still putting patient data at risk.
Despite a surge in cyberattacks and the evolving complexity of phishing threats, 92% of health care IT leaders say they feel confident in their ability to prevent 
Drawing from a Q1 2025 survey of 150 U.S.-based health care IT leaders, the Paubox report, “
Perception vs. protection
Although most respondents say they are HIPAA compliant, many lack the automated safeguards necessary to make that compliance real in daily operations. In fact, 8 out of 10 
Encryption processes that depend on user behavior, security tools that hinder workflow and a lack of real-time analytics contribute to what the report calls a “house of cards” security posture.
The report also highlights a major mismatch between email risk and budget allocation. Although email is health care’s most common cyberattack vector, 56% of respondents said their organization spends less than 10% of security budgets on email protection efforts. Moreover, most allocate less than 6% of their IT budgets to cybersecurity.
That compares poorly to other industries — cybersecurity budgets in the financial services industry and general industry often exceed 10-12% and 21% of total IT spending, respectively.
“I see the gap in time between new vulnerabilities emerging and budgets catching up to them,” said Tony Cox, CIO of Henderson Behavioral Health. “That delay? That’s where attackers live.”
AI tools lagging, despite a known threat
Although 89% of respondents agreed that 
“We’ve seen email threats evolve faster than some of the tools meant to stop them,” said Hoala Greevy, CEO of Paubox. “It’s not just about phishing anymore — it’s about deception at scale.”
Friction breeds failure
Perhaps the most striking finding: 86% of health care IT leaders say their current email security tools create workflow friction. Complex logins, false positives and poor mobile usability often lead users to bypass secure systems entirely, sending protected health information (PHI) over unsecured channels like text or 
“If your HIPAA compliance depends on end users remembering to encrypt, you’re not compliant. You’re pushing your luck,” the report states.
The result is a dangerous cycle: tools meant to protect patient data often create such frustration that staff work around them, leaving organizations even more vulnerable.
Time for a usability shift
Andrew Hicks, MBA, CCSK, CRISC, CISA, CCSFP, HCISPP, partner and HITRUST practice lead at Frazier & Deeter Advisory, said health care organizations are still too reliant on human safeguards. “Too often, organizations rely on infosec policies, user training or manually enforced controls — rather than implementing automated, policy-driven email encryption solutions,” he said.
The report calls on health care leaders to adopt tools that operate seamlessly within clinical workflows, prioritize AI-powered detection and align cybersecurity investment with actual risk.
“The most secure email system is the one your users actually use,” the report concludes. “Confidence without clarity is dangerous. And in health care, it means lawsuits and lost trust.”