92% of Healthcare IT Leaders Believe They’re Prepared to Prevent Email Breaches. They’re Not.

A new Paubox report shows just how off the mark healthcare IT leaders are about their email security. Based on first-party data from 150 U.S.-based healthcare IT leaders, the report reveals a dangerous confidence gap: leaders think they’re covered, but the data says otherwise.

92% of healthcare IT leaders believe they’re prepared to prevent email breaches. They’re not.

“Healthcare IT is dangerously overconfident about email security,” reveals that 92% of healthcare IT leaders believe they’re prepared to prevent email breaches. They’re not.

Most rely on outdated systems, tools that slow people down, and processes that actively undermine compliance. Organizations overestimate their security readiness, underinvesting in email security while forcing staff to work around clunky tools.

Marketing Technology News: MarTech Interview with Jeremy Woodlee, General Manager @ Infillion

Key findings from the report:

• 86% say their current tools create workflow friction, causing staff to bypass security processes
• 56% spend less than 10% of their security budget on email—despite it being the top threat vector
• Only 44% use AI-powered threat detection, even though 89% say it’s critical

“We’ve seen email threats evolve faster than some of the tools meant to stop them,” said Hoala Greevy, Founder and CEO of Paubox. “It’s not just about phishing anymore—it’s about deception at scale.”

Marketing Technology News: The Martech ROI playbook: Proving value beyond the technology investment

The report outlines the most common barriers IT leaders cited to adopting secure, compliant email solutions, including implementation complexity (54%), lack of vendor support (53%), and integration challenges with legacy systems (41%). These roadblocks create an environment where staff routinely bypass secure systems, putting patient data at risk.

“As a cybersecurity consulting practice engaging with hundreds of organizations annually, we consistently observe a critical gap in email security practices,” says Andrew Hicks, Partner and National HITRUST Practice Lead at Frazier & Dieter Advisory, LLC. “Too often, organizations rely on infosec policies, user training, or manually enforced controls—rather than implementing automated, policy-driven email encryption solutions. This overreliance on human-dependent safeguards introduces unnecessary risk and undermines the integrity of outbound email protection strategies.”

“I see the gap in time between new vulnerabilities emerging and budgets catching up to them,” says Tony Cox, CIO for Henderson Behavioral Health. “That delay? That’s where the attackers live.”

Why it matters: PHI isn’t confined to EHRs. It flows through email, attachments, referrals, and coordination chains every day. Without strong email security safeguards in place, your compliance framework is one click away from collapse.