Phishing is not only a training problem. It is an identity, configuration, workflow, and response problem. HHS describes social engineering as an effort to trick people into revealing information or taking an unsafe action, and its guidance emphasizes that attackers can use email, texts, calls, or convincing impersonation to reach sensitive systems and data.
A resilient email program assumes some messages will bypass filters and some people will make mistakes. The goal is to reduce how often those mistakes succeed, limit what a compromised account can reach, detect abnormal activity quickly, and make reporting easy.
1. Inventory mailboxes, roles, and data flows
Begin with every active mailbox, shared mailbox, alias, forwarding rule, service account, and third-party application connected to email. Identify which accounts handle patient information, referrals, billing, payroll, wire instructions, password resets, administrative access, or executive approvals.
Remove dormant accounts and unknown forwarding. Shared work should use managed shared mailboxes or approved workflows rather than shared passwords. Assign an owner to every non-person account and document why it exists.
2. Require strong, phishing-resistant authentication
HHS recommends MFA for internet-facing systems such as email and notes that not all MFA methods are equally effective. Where supported, prioritize phishing-resistant authenticators based on cryptographic credentials, such as FIDO/WebAuthn security keys or passkeys. These methods are designed to resist credential capture by a fake login page.
At minimum, require MFA for every mailbox, remote administrator, and privileged role. Block legacy authentication that bypasses modern controls, protect enrollment and recovery methods, and avoid permanent exceptions that quietly become the weakest path into the tenant.
3. Protect the organization's sending domain
SPF, DKIM, and DMARC help receiving systems determine whether mail claiming to come from your domain is authorized. CISA's phishing guidance recommends enabling DMARC and explains that SPF and DKIM support sender verification.
- SPF lists systems authorized to send on behalf of the domain.
- DKIM adds a cryptographic signature that helps verify message integrity and origin.
- DMARC connects those signals to a published handling policy and reporting.
Inventory legitimate senders before moving to an enforcement policy. Review reports, correct misaligned services, and advance deliberately toward quarantine or rejection rather than publishing a strong policy that breaks valid business mail.
4. Harden inbound and outbound mail controls
Enable anti-phishing, impersonation, malware, attachment, and unsafe-link protections appropriate to the platform. Flag messages from outside the organization, detect look-alike domains and executive impersonation, restrict risky attachment types, and inspect links at delivery and click time when supported.
Outbound monitoring matters too. Unexpected bulk sending, new inbox rules, unusual forwarding, and messages sent from unfamiliar locations can reveal a compromised mailbox.
5. Remove high-risk decisions from email alone
Create independent verification steps for bank changes, payroll requests, gift cards, password resets, release-of-information requests, and vendor payment instructions. Staff should verify high-impact changes through a known phone number or approved system, not contact details supplied inside the message requesting the change.
Use secure portals or approved encrypted workflows for ePHI when appropriate. Do not let convenience turn a general mailbox into an undocumented repository of sensitive attachments.
6. Limit what a compromised mailbox can do
Separate daily email accounts from administrative identities. Apply least privilege, restrict third-party application consent, review delegated mailbox access, and limit automated forwarding to external domains. A clinical or billing mailbox should not also hold broad administrative control over the environment.
7. Train for reporting, not perfect detection
Teach staff to recognize urgent credential prompts, unexpected document shares, changed payment instructions, QR-code lures, unusual MFA prompts, and impersonated help-desk requests. Use realistic examples from the organization's work rather than generic annual slides.
Give users a one-click or clearly documented reporting method. Reward fast reporting, including when someone clicked. Fear and blame delay containment.
8. Monitor the signals that matter
Review sign-ins, mailbox audit events, administrative changes, forwarding rules, application grants, impossible or atypical travel, repeated MFA failures, and unusual sending. Define who receives alerts after hours and what evidence the responder must capture.
9. Prepare a mailbox-compromise playbook
The playbook should cover session revocation, password and authenticator reset, malicious rule removal, application-token review, message tracing, affected-recipient identification, endpoint investigation, and escalation into the HIPAA incident-response process. Document the timeline and preserve relevant audit records before retention periods expire.
Healthcare email-security checklist
- Every mailbox, alias, forwarding rule, and connected application has an owner.
- MFA is required, with phishing-resistant methods prioritized.
- Legacy authentication and unmanaged external forwarding are blocked.
- SPF, DKIM, and DMARC are configured and monitored.
- High-risk financial and access changes require independent verification.
- Users have an easy, blame-free phishing-reporting method.
- Mailbox and identity alerts have named responders.
- A tested compromise playbook connects technical response to HIPAA review.
Authoritative resources
- HHS OCR: Social Engineering
- HHS OCR: HIPAA and Cybersecurity Authentication
- HHS OCR: System Hardening and Protecting ePHI
- CISA: Phishing Guidance - Stopping the Attack Cycle at Phase One
This article is educational and does not constitute legal advice or guarantee compliance. Controls should be selected through risk analysis and configured for your systems, users, and applicable requirements.


