Thursday, August 21, 2025

Why Attackers Are Still Phishing for Patient Data in Healthcare

The following is a guest article by Gerasim Hovhannisyan, CEO at EasyDMARC

In just the first six months of 2025, nearly 30 million health records were compromised in major data breaches that rocked the US healthcare sector. Strikingly, 9 out of 10 of these breaches involved hacking. This comes hot on the heels of 2024's high-profile NHS breach, which demonstrated that even well-resourced systems are not immune. While the healthcare sector has made strides in modernizing its infrastructure and implementing cybersecurity frameworks, it is still struggling to close basic security gaps. In fact, it was not until 2017 that hacking became the leading cause of healthcare breaches, reflecting a shift in the threat landscape. Today, the industry is still racing to catch up.

At the same time, the volume of protected health information generated and stored has grown exponentially, driven by the adoption of electronic health records (EHR). For an industry charged with safeguarding deeply personal data, overlooking email-based threats is as dangerous as it is preventable. And when hacking incidents multiply, so do breach volumes. The stakes are high: the consequences go far beyond operational disruption, leaving already vulnerable individuals more exposed than ever.

The Overlooked Weak Link: Inboxes

When discussing healthcare cybersecurity, attention often drifts toward high-tech vulnerabilities in medical devices, patient portals, or hospital networks. But it is the humble inbox that most often opens the door to a devastating breach.

Phishing accounts for more than 90% of cyber incidents across sectors, and healthcare is no exception. These attacks rely not on advanced technical exploits but on human error.

Major breaches have shown that attackers don't need a barrage of hacking attempts to reach a large number of patient records. A single errant click from a fatigued employee is often all it takes for attackers to gain access to internal systems. Hospitals, clinics, insurance firms, and other HIPAA-covered organizations are particularly exposed because of the pressure to keep systems running and the limited cybersecurity resources dedicated to them.

This is precisely why email security guardrails exist: to catch phishing attempts before they ever land in an inbox. But having the tool is not enough; it also has to be enforced. Our data illustrates the enforcement gap that remains: among the top 2,000 U.S. healthcare providers using email authentication, 39% merely monitor phishing threats rather than proactively block them. This passive approach does little to stop attacks in real time, allowing potentially harmful emails to reach staff inboxes.

Visibility Without Enforcement

Many healthcare organizations have taken the first step toward email protection by adopting standards like DMARC (Domain-based Message Authentication, Reporting and Conformance). However, our report reveals that only 15% of those organizations actually enforce a policy that blocks unauthenticated email.

This gap between visibility and enforcement creates a false sense of security. IT leaders may assume that the presence of DMARC is enough, but when the record is configured only to monitor (a p=none policy) rather than to act (p=quarantine or p=reject), the benefits are severely limited. The result is a system that identifies threats but fails to prevent them, leaving attackers with a clear path in.
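The monitor-versus-enforce gap is visible in a domain's own DNS record. The following is an added example, not code from the article or from EasyDMARC: it parses a DMARC record, classifies it as monitor-only, partially enforced or enforcing, flags the settings that leave a published policy weaker than it looks, and shows how a receiving mail server would disposition a spoofed and a legitimate message under each policy. All domains, records and SPF/DKIM results are constructed samples, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup that real receivers perform.

```python
"""
Added example (not the article's or EasyDMARC's code): classify a DMARC
record as monitor-only versus enforcing and evaluate a message against it.
Every record, domain and authentication result here is a constructed sample.
"""

# Constructed sample records for hypothetical domains (not real DNS data).
RECORDS = {
    "monitor.example-hospital.test":
        "v=DMARC1; p=none; rua=mailto:dmarc@example-hospital.test",
    "partial.example-hospital.test":
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example-hospital.test",
    "subdomain-gap.example-hospital.test":
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-hospital.test",
    "strict.example-hospital.test":
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-hospital.test",
}


def parse_dmarc(txt: str) -> dict:
    """Parse an RFC 7489 'tag=value; tag=value' record into lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must be present)")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    return tags


def enforcement_level(tags: dict) -> str:
    """'monitor' for p=none, 'partial' when pct<100, otherwise 'enforce'."""
    if tags["p"].lower() == "none":
        return "monitor"
    if int(tags.get("pct", "100")) < 100:
        return "partial"
    return "enforce"


def weak_points(tags: dict) -> list:
    """Settings that make a published policy weaker than its p= tag suggests."""
    issues = []
    if tags["p"].lower() == "none":
        issues.append("p=none: failures are reported, never blocked")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, so no visibility")
    return issues


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers use the Public Suffix List (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (default) an org-domain match."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(tags, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') for a failing message.
    DMARC passes if SPF or DKIM passes AND that identifier aligns with the From: domain."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()  # 'none' means the message is delivered anyway, only reported


if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        tags = parse_dmarc(txt)
        print(f"{domain}: {enforcement_level(tags)} {weak_points(tags)}")
    # A spoof: attacker's own infrastructure passes SPF and DKIM for attacker.test,
    # but neither identifier aligns with the hospital's From: domain.
    for domain in ("monitor.example-hospital.test", "strict.example-hospital.test"):
        verdict = disposition(parse_dmarc(RECORDS[domain]), domain,
                              "pass", "attacker.test", "pass", "attacker.test")
        print(f"spoof of {domain} -> {verdict}")
```

To inspect a real domain, query `_dmarc.<domain>` as a TXT record (for example with `dig +short TXT _dmarc.example.com`) and feed the string to `parse_dmarc`. The second scenario in `__main__` is the one the article describes: under p=none the spoofed message is delivered and merely reported, under p=reject it is refused. Strict alignment (aspf=s, adkim=s) is the tightest setting, but it also rejects legitimate mail whose bounce domain or DKIM d= differs from the From: domain, which is why it is usually introduced only after aggregate reports show every sender is correctly aligned.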

Turning Point for Email Standards

There are currently no direct regulatory fines tied specifically to weak enforcement of tools like DMARC, but momentum for change has been building. Over the past 18 months Google, Yahoo, and Microsoft have all moved to enforce stricter requirements on senders, making SPF, DKIM and a published DMARC policy mandatory for high-volume senders who want their mail delivered. These policies have set new baselines for what is considered acceptable, reinforcing that proactive email protection is no longer optional.

And while regulatory frameworks like HIPAA may not name specific email protocols, they consistently focus on the need for robust protections against phishing. If a healthcare organization suffers a breach linked to poor email security or a lack of anti-phishing controls, that could lead to compliance failures and fines.

While other sectors adapt to this new reality, healthcare continues to trail behind, not out of disregard but often due to competing priorities. IT teams are stretched and keeping systems operational takes precedence. That’s precisely why a cultural shift is needed across the sector, from passive monitoring to active prevention. This means moving beyond mere compliance checkboxes and embracing enforcement that blocks phishing attempts before they reach employees’ inboxes.

A Matter of Trust and Safety

At its core, healthcare is built on trust. Patients trust providers to protect their most intimate information, while staff trust systems to function safely and securely. Phishing attacks undermine that trust, often with long-lasting consequences. Investing in stronger email protections is one of the most accessible and cost-effective ways to raise the sector's cybersecurity baseline, safeguarding a system where small breaches carry enormous consequences. Cyberattacks are a threat the healthcare industry cannot afford to ignore. The inbox may not be flashy, but it is often where security is tested, and where it fails.
