Email: the weak link in healthcare cybersecurity


Just ten years ago, cybersecurity was never part of the conversation inside a hospital or clinic. Today, it’s become part of the job - a growing concern for everyone from IT leads to executive boards. Budgets have grown, awareness is up, and there’s a clear understanding that healthcare is a high-value target, especially as the number of patient health information breaches has more than doubled over the past 14 years.

Gerasim Hovhannisyan, CEO and Co-Founder of EasyDMARC.

And yet, for all this progress, one of the most common gateways for cyberattacks has barely changed: email.

The recent attack on Yale New Haven Health, a sophisticated breach that exposed sensitive patient data, is a reminder that email continues to be the weakest link in the healthcare industry’s broader security efforts.

We’re not just talking about a few outdated systems or missed training sessions. This is a much deeper issue, rooted in how cybersecurity priorities are managed across complex and often overstretched organizations.

Email: A persistent vector, poorly contained

While much of the focus in healthcare security has been on protecting electronic health records or connected medical devices, most attackers take a far simpler route: the inbox.

Phishing, the act of tricking someone into opening or engaging with a fraudulent message, remains the single most common method used to breach healthcare systems.

EasyDMARC’s recent research into the top 2,000 U.S. healthcare providers found that while over half have adopted DMARC, an industry-recognized standard for verifying the legitimacy of incoming emails, only 15% are using it to actively block suspicious messages.

Around 40% are using DMARC in its weakest setting (a monitoring-only policy), which simply observes and reports suspicious activity but takes no action to stop it.

In clinical terms, it’s like a triage nurse who flags an infection but doesn’t isolate the patient. The system sees the problem but doesn’t respond.
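The distinction the two paragraphs above draw between a DMARC record that exists and a DMARC record that actually blocks anything comes down to a few tags in one DNS TXT record. The following script, added here as an illustration and not code from EasyDMARC or from the original article, parses DMARC records and classifies each as monitor-only, partially enforced or enforced, flagging the common weaknesses (a `p=none` policy, a `pct` below 100, an `sp=none` subdomain policy, no `rua` reporting address). The domain names and records are constructed samples; the tag names and defaults follow the published DMARC specification (RFC 7489).

```python
# Constructed sample DMARC TXT records; these are not real domains' records.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@enforced.example",
    "lax-subdomains.example": "v=DMARC1; p=reject; sp=none",
    "malformed.example": "p=reject",  # missing v=DMARC1 tag: receivers ignore such a record
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a lowercase tag -> value dictionary.

    DMARC records are 'tag=value' pairs separated by semicolons; unknown
    tags are kept so callers can inspect them, empty fragments are skipped.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: str) -> dict:
    """Classify a record as invalid, monitor-only, partial-enforcement or enforced."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "level": "invalid", "reason": "missing or wrong v=DMARC1 tag"}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"valid": False, "level": "invalid", "reason": f"unknown or missing p= tag ({policy!r})"}
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100  # treat an unparsable pct as the specification default
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent

    if policy == "none":
        level = "monitor-only"          # reports only; nothing is quarantined or rejected
    elif pct < 100:
        level = "partial-enforcement"   # only pct% of failing mail gets the policy applied
    else:
        level = "enforced"

    warnings = []
    if policy != "none" and subdomain_policy == "none":
        warnings.append("subdomains (sp=none) are unprotected")
    if "rua" not in tags:
        warnings.append("no rua= aggregate reporting address")
    return {"valid": True, "level": level, "policy": policy, "pct": pct,
            "sp": subdomain_policy, "warnings": warnings}


def summarize(records: dict) -> dict:
    """Count how many domains fall into each enforcement level."""
    counts = {}
    for record in records.values():
        level = classify_dmarc(record)["level"]
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain}: {classify_dmarc(record)}")
    print(summarize(SAMPLE_RECORDS))
```

To run this against your own domain, fetch the record with `dig +short TXT _dmarc.<your-domain>` and pass the returned string to `classify_dmarc`. A result of `monitor-only` is exactly the "flags but does not isolate" state the article describes; moving to `enforced` means setting `p=quarantine` or `p=reject` with `pct=100` once the aggregate reports show legitimate senders are passing.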

Why email security falls through the cracks

Part of the problem is operational pressure. In healthcare, technical teams are rightly focused on uptime: making sure imaging systems, EHRs, and other essential services are always running.

Email doesn’t always get the same attention. It’s often handled separately, seen as administrative infrastructure rather than clinical. But when nearly every staff member uses email daily to coordinate care or share documentation, that assumption breaks down.

What we’re seeing as a result is a gap between priorities: email is critical to how modern healthcare operates, yet it’s rarely treated that way when it comes to securing it.

Industry standards are shifting

Some of the largest email providers are now tightening the rules around authentication. Google and Yahoo began requiring DMARC enforcement for bulk email senders in early 2024. Microsoft followed in May of this year. These changes mark a turning point in our approach to cybersecurity.

For healthcare providers, this change matters perhaps more than for other industries, not only because of the risk of patient data exposure, but also because continued non-enforcement will eventually affect email deliverability, trust, and compliance. When lives are at stake, healthcare providers can’t afford to take their chances with email security.

From instrumentation to enforcement

Right now, the healthcare sector’s biggest challenge is to act on what it already knows. We know that email is the number one attack vector.

As cybercriminals refine their scams with AI, now is the time to move from passive monitoring to enforced and effective authentication policies. This does require cross-team coordination, but it doesn’t demand wholesale infrastructure change.

In fact, the most effective security gains often come from rethinking how existing tools are being used and taking simple steps to ensure they’re doing the job they were designed for securely.

Securing trust at the system level

Trust is foundational to healthcare. Patients trust providers to safeguard their data. Clinicians trust their systems to be reliable and secure. But every time a phishing attack succeeds, that trust is eroded.

Securing email won’t solve every cybersecurity challenge, but it is one of the simplest and most impactful areas to address.

In a system where the cost of failure is measured not just in fines or downtime, but in compromised care and lost confidence, protecting communication channels must become a baseline expectation.

It’s time we stopped viewing email as a background utility and started treating it like the critical infrastructure it has become.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro


Gerasim Hovhannisyan is the CEO/Co-Founder of EasyDMARC, an early disruptor in email security.
