Healthcare IT leaders are giving themselves top marks on email breach detection while their organizations keep getting breached, according to new research from Paubox. In a survey of 170 U.S. healthcare IT leaders, 100% rated their real-time breach detection as Excellent or Good. In the same sample, 58% admitted their organization had been breached through email in the past two years.
“Recipient experience is not secondary to security,” said Hoala Greevy, founder and CEO of Paubox. “When more than a third of clinical staff are working around the encryption control, the control is not working.”
The findings come from the Healthcare Email Security Maturity Index 2026, published today by Paubox, a HIPAA compliant email security company. The Maturity Index scored each organization across eight dimensions of email security and surfaced the gap between what leaders believe their controls do and what the data shows.
The scoring exposed encryption as the weakest dimension. Breached organizations themselves told Paubox what needed to change: 47% named strengthening encryption policies as their top post-breach action, ahead of phishing simulation training or changing email providers.
The encryption tools healthcare relies on are pushing staff to work around them. 48% of healthcare organizations always require email recipients to log in to a portal to read encrypted messages. Among those, more than 1 in 3 report clinical staff bypassing the workflow entirely.
“Recipient experience is not secondary to security,” said Hoala Greevy, founder and CEO of Paubox. “When more than a third of clinical staff are working around the encryption control, the control is not working.”
Healthcare data breaches carry the highest cost of any industry at $7.42 million per incident, according to IBM Security. Phishing is the leading initial access vector.
The report’s closing roadmap urges healthcare organizations to make encryption the default for outbound protected health information, replace legacy portals with a secure message center, and treat automation as a security control rather than a productivity feature.
Leave a comment