Security
March 12, 2026

Email Is Still the Front Door and Healthcare Keeps Leaving It Unlocked

74% of breached healthcare orgs had broken DMARC. 3 million addresses exposed by bad TLS certs. The basics are still killing us.

Kyla
George

I used to break into companies for a living, and I can tell you that the most reliable way in was almost never a zero-day or a custom exploit. It was email. It was always email. Send the right message to the right person at the right time and you're inside. Twenty-five years later, I'm reading Paubox's 2026 Healthcare Email Security Report and nothing has changed - except the numbers got worse.

Paubox analyzed 170 healthcare email-related breaches reported to the HHS Office for Civil Rights in 2025. Their conclusion? "The greatest risk lies not with novel and increasingly sophisticated threats, but the foundational weaknesses in email security that have existed and been exploited by threat actors for years."

Let that sink in. Healthcare isn't getting compromised by cutting-edge attacks. It's getting compromised by the same misconfigured email infrastructure that's been a problem since SPF was invented.

The Numbers Are Damning

Forty-one percent of healthcare organizations were assessed as high-risk in 2025, up from 31% the year before. That's not a trend line - that's a failure mode.

Fifty-three percent of breaches involved Microsoft 365, up from 43% in 2024. Before you blame Microsoft, read the next line from the report: misconfiguration represents a bigger security problem than the platform itself. Organizations are buying enterprise email platforms and then failing to configure the security controls those platforms provide. It's like buying a deadbolt and leaving it in the box.

Seventy-four percent of breached domains had ineffective DMARC protection, up from 65% in 2024. Break that down further: 41% lacked DMARC entirely. Another 33% had it set to monitoring-only mode - which means it watches spoofed emails sail through and does nothing about it. Over half had permissive or missing SPF records, the most basic check for whether an email actually came from an authorized server.

These aren't advanced security controls. SPF, DKIM, and DMARC have been around for years. They're free to implement. The documentation is public. And yet three-quarters of breached healthcare organizations couldn't be bothered to set them up properly.

3 Million Addresses Exposed by Bad Certificates

Here's the finding that should genuinely alarm anyone running email infrastructure in healthcare: approximately 3 million email addresses are at risk because healthcare organizations are sending encrypted email to servers running expired or self-signed TLS certificates.

Think about what that means. Your organization implements email encryption - good. But the receiving server has a certificate that can't be validated - bad. And instead of refusing delivery, the email system shrugs and sends the message anyway. That's a textbook man-in-the-middle setup. An attacker sitting between the two mail servers can intercept the "encrypted" traffic because nobody verified who they were actually talking to.

In healthcare, those emails contain patient data. Referral notes. Lab results. Insurance details. PHI flowing over a channel that thinks it's secure but isn't. A MITM attack on this traffic isn't theoretical - it's trivially achievable when the certificate validation is broken.

From an attacker's perspective, this is a gift. You don't need to compromise an endpoint. You don't need credentials. You just need to position yourself on the network path and collect the data that's being handed to you.
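The gap described above is a sender-side decision: validate the receiving server's certificate or accept whatever it presents. This added example (not SecUnit's agent code, not from the report) probes a recipient MX over SMTP and attempts STARTTLS with full validation, so an expired or self-signed certificate surfaces as an error instead of being silently accepted; `MX_HOST` is a placeholder you replace with a server you operate or are authorised to test.

```python
# Added example, not SecUnit's agent code. MX_HOST is a placeholder: point it at a
# mail server you operate or are authorised to test.
import smtplib
import ssl

MX_HOST = "mx.clinic.example"   # placeholder, RFC 2606 reserved name

def make_context(strict):
    """strict=True validates chain and hostname; strict=False is 'encryption theater'."""
    ctx = ssl.create_default_context()         # CERT_REQUIRED + check_hostname=True
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE        # expired/self-signed certs all accepted
    return ctx

def probe_starttls(mx_host, port=25, timeout=10):
    """Open an SMTP session and try STARTTLS with strict validation; report the outcome."""
    result = {"host": mx_host, "starttls": False, "verified": False, "error": None}
    try:
        smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
    except OSError as exc:                     # refused, unreachable, timed out
        result["error"] = f"connect failed: {exc}"
        return result
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            result["error"] = "server does not offer STARTTLS"  # mail would go plaintext
            return result
        smtp.starttls(context=make_context(strict=True))
        result["starttls"] = True
        result["verified"] = True              # chain validated against system CAs
        result["not_after"] = smtp.sock.getpeercert().get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        # STARTTLS was offered, but the certificate is expired, self-signed or for
        # another name. A lenient sender (make_context(False)) would deliver anyway.
        result["starttls"] = True
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    finally:
        smtp.close()
    return result

if __name__ == "__main__":
    print(probe_starttls(MX_HOST))
```

A result with `starttls` true and `verified` false is exactly the report's finding: the session encrypts, but to a peer nobody authenticated.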

Why Healthcare Keeps Failing at Email

I've been asked this question a hundred times, and the answer is always the same: healthcare security teams are overwhelmed, underfunded, and fighting on too many fronts. Email configuration feels like a solved problem - you set up Exchange or M365, turn on the defaults, and move on to the next fire.

But the defaults aren't enough. A DMARC policy in monitoring mode is not protection. An SPF record that doesn't cover all your sending sources is worse than no SPF at all, because it creates a false sense of security. And TLS without certificate validation is encryption theater.

The other problem is visibility. Most healthcare organizations have no idea what their email security posture actually looks like. They don't know which domains are missing DMARC enforcement. They don't know which mail flows are hitting servers with bad certificates. They don't have anyone checking whether their SPF records are still accurate after the last vendor integration added a new sending service.

Attackers know this. When I was in the business, I'd check a target's DNS records before I did anything else. A missing DMARC record told me I could spoof their domain. A permissive SPF record told me which third-party services I could impersonate. These checks take five minutes and they tell you everything about how seriously an organization takes email security.

What This Actually Costs

Every one of those 170 breaches triggered HIPAA notification requirements. Many triggered OCR investigations. Some will result in corrective action plans, fines, and mandatory monitoring. The litigation exposure we covered from the BakerHostetler report - 14% of incidents resulting in class action lawsuits - applies here too.

And the reputational damage is real. When a hospital has to send breach notification letters because someone spoofed their domain and phished employee credentials, patients lose trust. Referring physicians think twice. The organization's name ends up on the HHS Breach Portal - the "Wall of Shame" - permanently.

All because SPF wasn't configured correctly. All because DMARC was set to "none" instead of "reject." All because nobody validated the TLS certificate on the receiving end.

Fix the Basics, Then Go Further

Step one: audit your DMARC, SPF, and DKIM records. Every domain. Every subdomain. Set DMARC to "reject" - not "none," not "quarantine." If you're worried about breaking legitimate mail flows, monitor first, but set a deadline and enforce it.

Step two: check your TLS certificate validation. Are your mail servers delivering to endpoints that present expired or self-signed certificates? If yes, you have an encryption gap that needs to be closed immediately.

Step three: stop treating email security as a one-time configuration. Every new vendor integration, every new sending service, every domain change can introduce gaps. You need continuous monitoring.
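The findings in "The Numbers Are Damning" (missing DMARC, monitoring-only DMARC, permissive SPF) and step one above both come down to reading two TXT records per domain. This added example (not Paubox's methodology or SecUnit's code) classifies published SPF and DMARC records into those buckets and flags each domain as spoofable or not; the `SAMPLE` records and `.example` names are constructed, and a real audit would fetch the TXT records for `<domain>` and `_dmarc.<domain>` for every sending subdomain.

```python
# Added example (not Paubox's or SecUnit's code). SAMPLE records are constructed.

def parse_dmarc(txt):
    """Return the DMARC tag dict, or None if txt is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    return tags

def dmarc_status(txt):
    """missing | monitoring (p=none) | partial (pct<100) | quarantine | reject"""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        return "monitoring"  # watches spoofed mail go by and acts on none of it
    if int(tags.get("pct", "100")) < 100:
        return "partial"     # receivers enforce on only a sample of failures
    return policy

def spf_status(txt):
    """missing | permissive (+all, ?all, no all) | softfail (~all) | enforcing (-all)"""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return "missing"
    terms = [t.lower() for t in txt.split()[1:]]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None or all_term[0] not in "-~":
        return "permissive"  # any server passes, so the record authorises nothing
    return "softfail" if all_term[0] == "~" else "enforcing"

def audit(records):
    """records: {domain: {"spf": txt|None, "dmarc": txt|None}} -> verdict per domain."""
    report = {}
    for domain, rec in records.items():
        spf, dmarc = spf_status(rec.get("spf")), dmarc_status(rec.get("dmarc"))
        # Report's "ineffective DMARC" = missing + monitoring: forged From: is delivered
        spoofable = dmarc not in ("quarantine", "reject")
        report[domain] = {"spf": spf, "dmarc": dmarc, "spoofable": spoofable}
    return report

SAMPLE = {  # constructed records on reserved .example names
    "clinic.example": {"spf": "v=spf1 ip4:203.0.113.0/24 -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example"},
    "hospital.example": {"spf": "v=spf1 a mx +all", "dmarc": "v=DMARC1; p=none"},
    "lab.example": {"spf": None, "dmarc": None},
}
```

Run `audit()` over the records for every domain and subdomain you own on a schedule, not once: the verdict changes the day a vendor adds a sending service that SPF does not cover.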

This is where SecUnit fits. Our agents don't just scan your perimeter once and hand you a PDF. They continuously validate your email security posture - testing SPF alignment, probing DMARC enforcement, checking certificate chains on outbound mail flows. When a misconfiguration appears - because someone added a new sending service and forgot to update SPF, because a certificate expired overnight - the agents catch it before an attacker does.

The Paubox report says it clearly: the biggest email threats in healthcare aren't sophisticated. They're foundational. And if you're not continuously validating those foundations, you're building your security on sand. Talk to us.