Are you up to date on the latest email security threats?
In this post, we share details from our just-released Email Cyber Threat Readiness Report, exploring the most effective ways to strengthen your healthcare organization’s email cyber threat readiness in 2025.
Let’s go!
Conduct Regular Risk Assessments
To strengthen your company’s email security posture, you must first identify vulnerabilities in your infrastructure that malicious actors could exploit. Frequent risk assessments will highlight the security gaps in your email infrastructure and allow you to implement the appropriate strategies to mitigate threats.
A comprehensive email risk assessment should include:
- Assessment of email encryption practices.
- Review of email authentication protocols, i.e., SPF, DKIM, DMARC.
- Evaluation of access control policies and practices.
- Assessment of malware detection capabilities.
- Audit of third-party integrations.
- Testing of employee email threat awareness through simulated attacks, e.g., phishing, to determine threat readiness and training needs.
- Review of incident response and business continuity plans, especially, in this case, in regard to email-based threats.
A risk assessment may also involve the use of vulnerability scanning tools, which scan your email infrastructure looking for conditions that match those stored in a database of known security flaws, or Common Vulnerabilities and Exposures (CVEs). Alternatively, healthcare companies often employ the services of ethical, or ‘white hat’, hackers who carry out penetration tests, in which they purposely attempt to breach your email security measures to pinpoint its flaws.
Implement Email Authentication Protocols
As touched on above, enabling and correctly configuring the right email authentication protocols is an essential mitigation measure against phishing and BEC attacks, domain spoofing and impersonation, and other increasingly common email threats. Just as importantly, it allows recipient email servers to verify that a message is authentic and originated from your servers, which reduces the risk of your domain being blacklisted and your emails being directed to spam folders instead of the intended recipient’s inbox.
The three main email authentication protocols are:
- DomainKeys Identified Mail (DKIM): adds a cryptographic signature to outgoing emails, allowing the recipient’s server to verify that the email was not altered in transit.
- Sender Policy Framework (SPF): allows domain owners to specify which servers are authorized to send emails on their behalf, mitigating domain spoofing and other forms of impersonation.
- Domain-based Message Authentication, Reporting & Conformance (DMARC): builds on SPF and DKIM by establishing policies for handling unauthorized emails. It instructs the recipient email server to monitor, quarantine, or reject emails that fail authentication checks.
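The following is an added example, not code from LuxSci or the report, showing how the authentication review in a risk assessment can be automated: a minimal SPF evaluator (ip4, ip6, include and all mechanisms only) and a DMARC record parser run against a constructed table of TXT records for hypothetical domains (clinic.example, mail.example, legacy.example), with a checklist that flags a soft-fail SPF, a p=none DMARC policy and a missing reporting address. A real assessment would query DNS instead of the table.

```python
import ipaddress
import re

# Constructed TXT records for hypothetical domains; a real assessment would query DNS.
SAMPLE_TXT = {
    "clinic.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mail.example -all"],
    "mail.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.clinic.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example; pct=100"],
    "legacy.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.legacy.example": ["v=DMARC1; p=none"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, records):
    """Stand-in for a DNS TXT query against the constructed table."""
    return records.get(name.lower(), [])


def spf_check(ip, domain, records, depth=0):
    """Evaluate the domain's SPF record for a sending IP (ip4, ip6, include, all only).
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                       # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:                     # more than one SPF record is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            if spf_check(ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and redirect= need live DNS and are not modelled here
    return "neutral"                     # nothing matched and no "all" term was present


def dmarc_policy(domain, records):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    txt = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if len(txt) != 1:
        return None
    tags = {}
    for part in txt[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, records):
    """Checklist-style findings for the authentication part of an email risk assessment."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record published")
    elif not re.search(r"\s-all\s*$", spf[0]):
        findings.append("SPF does not end with -all, so unauthorized senders only soft-fail")
    dmarc = dmarc_policy(domain, records)
    if dmarc is None:
        findings.append("no DMARC record published")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC policy is p=none, so mail that fails checks is still delivered")
        if "rua" not in dmarc:
            findings.append("no rua tag, so aggregate reports of spoofing attempts are never received")
    return findings


if __name__ == "__main__":
    for domain in ("clinic.example", "legacy.example"):
        print(domain, assess_domain(domain, SAMPLE_TXT) or ["no findings"])
```

Running the script lists no findings for clinic.example and three for legacy.example; the same two functions can be pointed at live DNS by replacing `lookup_txt` with a resolver call.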
Establish Robust Access Control Policies
Implementing comprehensive access control policies reduces the chances of ePHI exposure by restricting access to the individuals authorized to handle it. Additionally, access privileges shouldn’t be uniform; they should be granted according to each employee’s job requirements, i.e., role-based access control (RBAC).
Zero Trust Architecture (ZTA) is a rapidly emerging, and more secure, alternative to RBAC. ZTA’s core principles are “least privilege”, i.e., granting only the minimum necessary access rights, and “never trust, always verify”, i.e., continually requiring the user to confirm their identity as the conditions of their session change, e.g., their location, the resources they request access to, etc.
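As an added illustration (not code from LuxSci or the report), the decision logic below layers the two ZTA principles on top of a plain RBAC lookup. The roles, permissions and sessions are hypothetical: a role that never carries a permission is denied outright (least privilege), and a request from a new network location or for an ePHI resource without a second factor is sent for re-verification rather than trusted on the strength of the earlier login (never trust, always verify).

```python
from dataclasses import dataclass

# Hypothetical healthcare roles and the permissions each one needs (constructed).
ROLE_PERMISSIONS = {
    "clinician": {"ephi:read", "ephi:write", "mail:send"},
    "billing": {"ephi:read", "mail:send"},
    "helpdesk": {"mail:send"},
}
# Actions that touch ePHI and therefore need a stronger, fresher identity proof.
SENSITIVE = {"ephi:read", "ephi:write"}


@dataclass
class Session:
    user: str
    roles: frozenset
    verified_ip: str            # network location the last identity proof was made from
    verified_mfa: bool = False  # whether a second factor was presented in this session


def rbac_allows(roles, permission):
    """Classic RBAC: the permission is granted if any of the user's roles carries it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def zero_trust_decision(session, permission, current_ip):
    """Zero-trust layer on top of RBAC. Returns 'deny', 'allow', or 'step-up'
    (the user must re-verify their identity before the request proceeds)."""
    if not rbac_allows(session.roles, permission):
        return "deny"        # least privilege: the role set never carries this right
    if current_ip != session.verified_ip:
        return "step-up"     # context changed since the last proof: never trust, always verify
    if permission in SENSITIVE and not session.verified_mfa:
        return "step-up"     # sensitive resource: a single factor is not enough
    return "allow"


def complete_step_up(session, current_ip):
    """Record a successful re-verification (e.g., a fresh MFA challenge) for this context."""
    session.verified_ip = current_ip
    session.verified_mfa = True
    return session


if __name__ == "__main__":
    s = Session("bob", frozenset({"billing"}), "10.0.0.5", verified_mfa=True)
    print(zero_trust_decision(s, "ephi:write", "10.0.0.5"))    # deny: billing cannot write ePHI
    print(zero_trust_decision(s, "ephi:read", "10.0.0.5"))     # allow
    print(zero_trust_decision(s, "ephi:read", "198.51.100.9")) # step-up: location changed
```

In a production system the `step-up` outcome would trigger the MFA challenge described in the next section, and the comparison would use a richer context (device posture, time of day, resource sensitivity) than a single IP address.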
Enable User Authentication Measures
Because a user’s login credentials can be compromised, through a phishing attack or session hijacking, for instance, access control, though vital, only protects ePHI to an extent. Consequently, you must require users to prove their identity through additional authentication measures, the most common being multi-factor authentication (MFA).
Recommended by HIPAA, MFA requires users to verify their identity in two or more ways, which could include:
- Something they know (e.g., one-time password (OTP), security questions)
- Something they have (e.g., a keycard or security token)
- Something they are (i.e., biometrics: retinal scans, fingerprints, etc.).
What’s more, it’s important to note that the need to enable MFA will be emphasized to a greater degree when the proposed changes to the HIPAA Security Rule go into effect in late 2025.
Identify and Manage Supply Chain Risk
While on the subject of access control, one of the most significant security concerns faced by healthcare organizations is that several third-party organizations, such as vendors and supply chain partners, have access to the patient data under their care to various degrees. As a result, cybercriminals don’t have to breach your email security measures to access ePHI – they could get their hands on your patients’ data through your vendors.
Consequently, third-party risk management must be a fundamental part of every healthcare organization’s email threat mitigation strategy. This requires you to ensure that each vendor you work with has strong email security measures in place. To that end, HIPAA requires a business associate agreement (BAA) with each third party, or business associate, so that you both formally establish your responsibilities for securing ePHI.
Set Up Encryption for Data In Transit and At Rest
HIPAA requires that patient data contained in email communication be encrypted, since encryption prevents its exposure if a message is intercepted by a cybercriminal. You should encrypt ePHI both in transit, i.e., when it is included in emails, and at rest, i.e., when it is stored in a database.
Encryption standards sufficient for HIPAA compliance include:
- TLS (1.2+): a commonly used encryption protocol that secures email in transit; popular because it is ‘invisible’ to users, i.e., simple to use.
- AES-256: a powerful encryption standard primarily used to safeguard stored data, e.g., emails stored in databases or archives.
- PGP: uses public and private key pairs to encrypt and digitally sign emails for end-to-end security.
- S/MIME: encrypts and signs emails using digital certificates issued by trusted authorities.
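The in-transit half of that list is easy to get subtly wrong: a mail client that upgrades to TLS but accepts any version or any certificate gains little against an active interceptor. The added example below (not LuxSci’s code) builds a client-side TLS policy for outbound SMTP that refuses anything older than TLS 1.2 and requires a valid, hostname-matching certificate, then uses it to upgrade a plaintext SMTP session with STARTTLS before any message content is sent. The host, port and credentials are hypothetical placeholders; at-rest encryption (AES-256 in the list above) belongs to the storage layer and is not shown.

```python
import smtplib
import ssl
from email.message import EmailMessage


def hardened_tls_context():
    """Client context for outbound SMTP: TLS 1.2 or newer only, with the server
    certificate validated against the system trust store and the hostname."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_policy_summary(ctx):
    """Report whether a context meets the policy, for config audits and tests."""
    return {
        "tls12_or_newer": ctx.minimum_version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3),
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_with_starttls(host, port, message, username=None, password=None):
    """Upgrade the session to TLS before credentials or content cross the wire.
    Raises if the server offers no STARTTLS or cannot meet the TLS policy."""
    ctx = hardened_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; refusing to send in clear")
        smtp.starttls(context=ctx)     # handshake fails on TLS < 1.2 or a bad certificate
        smtp.ehlo()                    # re-announce after the upgrade, as the RFC requires
        if username:
            smtp.login(username, password)
        smtp.send_message(message)


if __name__ == "__main__":
    print(tls_policy_summary(hardened_tls_context()))
    # Placeholder relay; replace with your own submission server before running.
    # send_with_starttls("smtp.relay.example", 587,
    #                    build_message("noreply@clinic.example", "dr@clinic.example",
    #                                  "test", "hello"),
    #                    username="REPLACE_ME", password="REPLACE_ME")
```

Refusing to fall back to cleartext when STARTTLS is absent is the important design choice: opportunistic TLS that silently downgrades gives no protection against an interceptor who strips the STARTTLS capability from the server banner.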
Develop a Patch Management Strategy
One of the most common attack vectors, i.e., means of infiltrating company networks, is the exploitation of known security vulnerabilities in applications and hardware. Vendors release updates and patches to fix these vulnerabilities, so it’s crucial to establish a routine for regularly updating and patching email delivery platforms and the systems and infrastructure that underpin them.
Additionally, vendors periodically stop supporting particular versions of their applications or hardware, leaving them more susceptible to security breaches. With this in mind, you must track which elements of your IT ecosystem are nearing their end-of-support (EOS) date and replace them with suitable, HIPAA-compliant alternatives.
Implement Continuous Monitoring Protocols
Continuously monitoring your IT infrastructure is crucial for remaining aware of suspicious activity in your email traffic and potential security breaches. Without continuous monitoring, cybercriminals have a prime opportunity to infiltrate your network between periodic risk assessments.
Worse, they can remain undetected for longer periods, allowing them to move laterally within your network and access your most critical data and systems. By contrast, continuous monitoring solutions employ anomaly detection to identify suspicious behavior, such as logins from unusual locations.
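The following is an added example, not LuxSci’s code or any product’s detection logic, of what that anomaly detection looks like in its simplest form: a single pass over constructed login events (the log format, user names and IP addresses are made up) that raises three kinds of alert, a first successful login from a country outside the user’s baseline, two successful logins from different countries within an hour, and a success that immediately follows a burst of failures. Malformed lines are skipped rather than crashing the detector.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events in the shape an identity provider or mail gateway might log.
SAMPLE_LOG = [
    "2025-03-03T08:02:11Z user=jdoe ip=203.0.113.7 country=US result=success",
    "2025-03-03T08:40:02Z user=jdoe ip=192.0.2.55 country=RO result=success",
    "2025-03-03T09:15:40Z user=asmith ip=198.51.100.21 country=US result=success",
    "2025-03-03T10:00:01Z user=asmith ip=198.51.100.99 country=US result=failure",
    "2025-03-03T10:00:05Z user=asmith ip=198.51.100.99 country=US result=failure",
    "2025-03-03T10:00:09Z user=asmith ip=198.51.100.99 country=US result=failure",
    "2025-03-03T10:00:13Z user=asmith ip=198.51.100.99 country=US result=failure",
    "2025-03-03T10:00:17Z user=asmith ip=198.51.100.99 country=US result=failure",
    "2025-03-03T10:00:21Z user=asmith ip=198.51.100.99 country=US result=success",
    "garbage line that should be skipped, not crash the detector",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Turn one log line into a dict, or None if it does not match the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_login_anomalies(lines, travel_window=timedelta(hours=1),
                           fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Stream the events once and return (user, iso_timestamp, kind) alerts for:
    new_country: first successful login from a country outside the user's baseline;
    impossible_travel: consecutive successes from different countries within travel_window;
    brute_force_success: a success preceded by fail_threshold failures within fail_window."""
    alerts = []
    baseline = defaultdict(set)        # user -> countries seen in successful logins
    last_success = {}                  # user -> (timestamp, country) of the previous success
    failures = defaultdict(list)       # user -> timestamps of failed attempts
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                   # malformed input is skipped, never fatal
        user, ts, country = ev["user"], ev["ts"], ev["country"]
        if ev["result"] != "success":
            failures[user].append(ts)
            continue
        recent = [t for t in failures[user] if ts - t <= fail_window]
        if len(recent) >= fail_threshold:
            alerts.append((user, ts.isoformat(), "brute_force_success"))
        failures[user].clear()
        if baseline[user] and country not in baseline[user]:
            alerts.append((user, ts.isoformat(), f"new_country:{country}"))
        if user in last_success:
            prev_ts, prev_country = last_success[user]
            if prev_country != country and ts - prev_ts <= travel_window:
                alerts.append((user, ts.isoformat(), f"impossible_travel:{prev_country}->{country}"))
        baseline[user].add(country)
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(SAMPLE_LOG):
        print(alert)
```

The thresholds are parameters on purpose: a real deployment tunes them per environment, seeds the per-user baseline from historical logins rather than from the first event seen, and routes each alert into the incident response procedure rather than a print statement.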
Develop Business Continuity and Disaster Recovery Plans
The unfortunate combination of organizations being so reliant upon email communication, email threats being so prevalent, and the healthcare sector being a consistent target for cyber attacks makes a data breach a near inevitability rather than a mere possibility.
Consequently, it’s imperative to develop business continuity and disaster recovery protocols so you can resume normal operations as soon as possible in the event of a cyber attack. An essential part of a disaster recovery plan is making regular data backups, minimizing the impact on the service provided to patients and customers.
Implement Email Threat Awareness Training for Employees
Healthcare organizations must invest in email threat awareness training for their employees, so they can recognize the variety of email-based cyber attacks they’re likely to face and can play a role in their mitigation.
Email threat awareness training should include:
- The different email-based cyber threats (e.g., phishing), including AI-powered threats, how they work, and how to avoid them.
- Who to inform of suspicious activity, i.e., incident response procedures.
- Your disaster recovery protocols.
- Cyber attack simulations, e.g., a phishing attack or malware download.
Educating your employees increases their email threat readiness; conversely, failing to equip them with the knowledge and skills to recognize email-based attacks could undermine your other mitigation efforts.
Download LuxSci’s Email Cyber Threat Readiness Report
To gain further insight into the most effective email threat readiness strategies and how to better defend your healthcare organization from the ever-evolving threat landscape, download your copy of LuxSci’s Email Cyber Threat Readiness Report for 2025.
You’ll also learn about the top email threats facing healthcare organizations in 2025, as well as how the upcoming changes to the HIPAA Security Rule may further impact your company’s cybersecurity and compliance strategies.
Grab your copy of the report here and reach out to us today if you want to learn more.