Healthcare organizations are turning a blind eye to phishing attacks
The vast majority of phishing attacks against the healthcare sector go unreported to security teams, leaving organizations unable to fully learn from their mistakes.
In a survey of 150 US-based healthcare IT leaders for secure email firm Paubox, six-in-ten said they had experienced at least one email security breach last year, and three-quarters that they expected even more security challenges this year.
The top risks were phishing, man-in-the-middle attacks, and password guessing, often through personal information revealed on social media.
However, IT leaders said 95% of phishing attacks went unreported to security teams, along with 96% of known email violations of the 1996 Health Insurance Portability and Accountability Act (HIPAA), aimed at protecting sensitive health information from disclosure without patient’s consent.
As a result, these incidents weren’t investigated, meaning that systems weren’t patched, staff weren’t alerted, and patients weren’t warned that their data may be at risk.
“We encountered a significant case where an outdated email system directly impacted patient care due to a cybersecurity breach,” said Matt Murren, CEO of healthcare IT support firm True North ITG.
“The phishing attack compromised user credentials and eventually deployed ransomware across the network. It shut systems down for two weeks. Appointments were delayed. Test results were inaccessible. Urgent care cases were diverted elsewhere. Patients lost trust. This isn’t just an IT failure — it’s a patient safety crisis.”
The problem doesn’t seem to be a lack of awareness amongst staff. Nine-in-ten said they carried out staff training.
Ryan Winchester, CareM director of information technology, said “no amount of training can completely eliminate human error, so businesses must have safeguards in place.”
The report found that healthcare organizations currently allocate only 11–20% of their IT budgets to email security, despite email being their top risk area. One persistent problem is poor infrastructure, with 83% of healthcare IT leaders saying that legacy systems disrupt day-to-day operations.
“I’ve seen first-hand how legacy email platforms can quietly — but critically — undermine operational stability and efficiency across healthcare organizations” said Murren.
In larger healthcare networks, the most common challenges include high maintenance costs that drain IT resources, persistent security vulnerabilities, outdated and complex user interfaces, system performance bottlenecks, and limited support for mobile and remote working.
The result is reactive firefighting, with about 37% of healthcare IT leaders spending between 11 and 20 hours per week just resolving secure email tickets.
“Healthcare doesn’t need more patchwork fixes — it needs a mindset shift. Patients expect secure, convenient communication, and it’s on us to meet that standard,” said CEO of Paubox Hoala Greevy.
MORE FROM ITPRO
Source link
