Email Security for Healthcare Practices: Stopping Phishing
Email is still the front door to your practice — and the door attackers knock on most. A single staff member clicking one convincing message can hand over a password, reroute a payment, or open the path to ransomware. If you want to know how to stop phishing emails at a small medical practice without buying a stack of tools you do not understand, this guide lays out the whole picture: the authentication that proves your mail is yours, the human habits that catch what filters miss, and a layered defense model you can run on a small-practice budget.
We will not pretend any of this guarantees you will never be phished — nothing does. The goal is to strengthen your security posture so the easy attacks bounce off, the hard ones get caught by a second layer, and your team knows exactly what to do when something slips through. That is email security as a team effort, which is how we think it should work.
Why email is the highest-value target in a clinic
Phishing endures because it skips your firewall entirely and aims at a person. In a healthcare setting the incentives are sharp: practices hold electronic protected health information (ePHI), process insurance and patient payments, and run on tight schedules where a “quick, urgent” request gets actioned without a second look.
The three patterns that hit clinics hardest are worth naming plainly:
- Credential phishing — a fake login page (often imitating Microsoft 365 or your practice management portal) that harvests a username and password. This is the most common opening move, because one valid login often unlocks email, files, and sometimes the whole tenant.
- Business email compromise (BEC) — an attacker either spoofs or takes over a real mailbox to redirect a payment, change banking details, or pressure staff into a wire or gift-card “favor” for the doctor or office manager.
- Malware and ransomware delivery — a booby-trapped attachment or link that drops a payload, frequently as the first step toward encryption and extortion.
The uncomfortable truth: most clinic breaches do not begin with a genius hacker. They begin with a believable email and a busy human. Defense means making the believable email easier to catch.
A vendor breach makes all three worse. When a benefits administrator or clearinghouse is breached and patient names, insurers, and dates of birth leak, the next wave of phishing is personalized and far more convincing — which is why email security and vendor risk management are two halves of the same problem.
The Clinic Email Defense Layers framework
Email security fails when a practice treats it as one product to buy. It works when you think in layers, where each layer catches what the one before it missed. Here is the model we use with small practices — five layers, simplest to most human.
Layer 1 — Authentication (prove your mail is really yours). SPF, DKIM, and DMARC are email-authentication standards, published through DNS records, that let the receiving world verify that mail claiming to be from your domain actually came from you. This is the foundation; without it, anyone can spoof your practice’s name. We cover the specifics below.
Layer 2 — Filtering (block the obvious before a human sees it). Your mail platform’s anti-spam and anti-malware filtering, ideally tuned a notch above the default, plus link and attachment scanning. The goal here is volume reduction: stop the mass-market junk so attention is reserved for the messages that actually require judgment.
Layer 3 — Account protection (make a stolen password not enough). Phishing-resistant multi-factor authentication on every mailbox, so a harvested password alone does not grant entry. How and where to apply MFA is its own deep topic — see our guide to MFA for healthcare.
Layer 4 — Human judgment (the layer attackers actually fight). Trained staff who can spot a phish and, just as importantly, feel safe slowing down to check. This is the layer that catches the targeted attack your filter never saw before. The strongest layer is your workforce — see security awareness that actually works.
Layer 5 — Response (assume one will get through). A simple, rehearsed routine for reporting, containing, and recovering from the message that slips past the first four layers. Hope is not a plan; a one-page response routine is.
No single layer is sufficient. A practice with great filtering but no MFA is one password away from compromise; a practice with MFA but no trained staff will eventually approve a malicious login. Defense in depth means never relying on one thing being perfect.
What are SPF, DKIM, and DMARC, and does my practice need them?
Short answer: any practice that sends email from its own domain should have all three. They are widely recommended best practice — Microsoft and Google both advise setting up SPF, DKIM, and DMARC together — and they are the difference between “anyone can impersonate your clinic” and “impersonation gets rejected or flagged.” Here is each in plain English.
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists which mail servers are allowed to send email for your domain. When a receiving server gets a message claiming to be from your practice, it checks whether the connecting server is on your approved list. If not, that is a signal the mail may be forged. One caveat matters later: SPF checks the envelope sender (the bounce address the receiving server sees), not the From line your staff read, which is one reason DMARC is needed on top of it.
The common mistake: practices add a new service (a scheduling tool, a newsletter platform, a payment notifier) and forget to include it in SPF, so legitimate mail starts failing — or they pile in so many includes that the record exceeds SPF’s limit of ten DNS lookups, at which point receivers treat the whole record as an error. Keep the list accurate and lean, and end it with -all (or ~all while you are still discovering senders) rather than +all, which allows anyone.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each outgoing message. The receiving server fetches the matching public key from your DNS (the signature names the selector record to look up) and confirms that the signed headers and body were not altered in transit and that the signer controls your domain. Where SPF asks “did this come from an approved server,” DKIM asks “is this message authentic and untampered.” You want both: DKIM usually survives plain forwarding, where SPF often fails because the forwarding server is not on your list.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together and tells the receiving world what to do when a message fails: nothing, quarantine it, or reject it outright. It also adds the alignment check: to pass, the domain in the From line patients see must match the domain that passed SPF or DKIM, which closes the gap left by SPF checking only a hidden bounce address. Just as valuable, DMARC sends you aggregate reports (to the rua= address in the record) showing who is sending mail using your domain — including impersonators. For a healthcare practice whose patients are a phishing target, publishing a DMARC policy is one of the highest-leverage hours of work you can do.
You do not jump straight to the strictest setting. You roll it out in stages, watching the reports so you do not accidentally block your own legitimate mail. Here is the decision table we use.
DMARC rollout decision table
| Stage | Policy (p=) | What it does | When to move on |
|---|---|---|---|
| 1. Observe | p=none | Nothing is blocked; you only collect reports on who sends as your domain. | Once reports show your legitimate senders (mail platform, scheduler, billing, newsletter) all pass SPF/DKIM. |
| 2. Contain | p=quarantine | Failing mail is sent to spam/junk rather than the inbox. | After a few weeks at quarantine with no legitimate mail being caught. |
| 3. Enforce | p=reject | Failing mail is refused outright — spoofed messages never arrive. | This is the destination. Stay here and keep watching reports as you add services. |
The principle: never start at reject. Start at none, fix what the reports reveal, then tighten. A rushed jump to reject is the fastest way to make your own appointment reminders vanish.
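Here is an added example, written for this page rather than taken from the guide or from any mail provider, that applies the SPF and DMARC checks above offline: a parser that reads an SPF record the way a receiver does and counts the DNS lookups against the limit, and a DMARC parser that reports which rollout stage a record is at and whether it carries a reporting address. The record strings are constructed for a fictional practice domain; the Microsoft 365 include is the real one, the other include names and the report address are placeholders.

```python
"""Offline SPF and DMARC record checks (added example for this guide)."""
import re

# RFC 7208 caps the number of DNS-querying terms in one SPF evaluation at 10.
SPF_LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records for a fictional clinic domain. spf.protection.outlook.com
# is the real Microsoft 365 include; the other include names are placeholders.
EXAMPLE_SPF_OK = ("v=spf1 include:spf.protection.outlook.com "
                  "include:_spf.scheduler.example ip4:203.0.113.10 -all")
EXAMPLE_SPF_BLOATED = "v=spf1 " + " ".join(
    f"include:vendor{i}.example" for i in range(11)) + " ~all"
DMARC_STAGES = {
    "observe": "v=DMARC1; p=none; rua=mailto:dmarc-reports@clinic.example",
    "contain": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@clinic.example",
    "enforce": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@clinic.example; adkim=s; aspf=s",
}


def check_spf(record: str) -> dict:
    """Parse one SPF TXT record, count DNS lookups and flag common mistakes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None,
                "problems": ["record does not start with v=spf1"]}
    lookups, all_qualifier, problems = 0, None, []
    for term in terms[1:]:
        qualifier = "+"                      # SPF default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1                     # ip4/ip6 literals cost no lookup
        elif name == "all":
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups exceed the limit of "
                        f"{SPF_LOOKUP_LIMIT}; receivers return permerror")
    if all_qualifier is None:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        problems.append("'+all' lets any server on the internet send as you")
    return {"valid": not problems, "lookups": lookups,
            "all": all_qualifier, "problems": problems}


def check_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record and map its p= tag onto the rollout stage."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing v=DMARC1 (must be the first tag)")
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address: you will never see the reports")
    stage = {"none": "1. Observe", "quarantine": "2. Contain",
             "reject": "3. Enforce"}.get(policy)
    return {"valid": not problems, "policy": policy, "stage": stage,
            "tags": tags, "problems": problems}


if __name__ == "__main__":
    for label, rec in [("ok", EXAMPLE_SPF_OK), ("bloated", EXAMPLE_SPF_BLOATED)]:
        print(label, check_spf(rec))
    for stage, rec in DMARC_STAGES.items():
        result = check_dmarc(rec)
        print(stage, result["stage"], result["problems"])
```

To run it against your own domain, fetch the TXT records (for DMARC, the record lives at `_dmarc.yourdomain`) and pass the strings to the two functions; the lookup count is conservative because it does not follow includes recursively, so a record that already fails here will certainly fail at a receiver.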
How to stop phishing emails at a small medical practice: train the human layer
Filters and authentication stop most attacks, but the targeted one is built to look right. This is where a trained human is your best sensor. Teach staff a short, repeatable “stop-and-check” routine rather than a long list of rules nobody remembers.
The stop-and-check phishing triage checklist
Before clicking, downloading, or acting on any email that asks you to do something, run these six checks:
- Pressure? Does it push urgency, secrecy, or fear (“act now,” “do not tell anyone,” “account will be closed”)? Manufactured urgency is the single most reliable phishing tell.
- Sender real? Look at the actual address, not the display name: hover on a desktop, or open the sender details on a phone where there is nothing to hover. A friendly name is trivial to fake; the address behind it is harder. Watch for look-alike domains (a swapped letter, an extra word, a different ending, or your real domain name buried inside a longer one).
- Link honest? Hover links and read where they truly point before clicking. The visible text and the real destination are often different.
- Money or credentials? Does it ask you to log in, pay, change banking details, or buy gift cards? Treat any request touching money or passwords as guilty until verified.
- Expected? Were you expecting this message, from this person, about this thing? An unexpected invoice, password reset, or “doctor needs a favor” deserves suspicion by default.
- Verify out of band. If anything fails the checks, confirm through a known channel — call the person on a number you already have, not one in the email. Never reply to the suspicious message to “check.”
Print it. Tape it by the front desk. The point is not to turn staff into analysts; it is to build a reflex to pause on the messages that matter.
Specific tells worth training on
- Mismatched or look-alike domains in the sender or in links (a portal name with one character changed).
- Generic greetings to someone who should know your name, or oddly perfect formality.
- Attachments you did not ask for, especially anything urging you to “enable content” or “enable macros.”
- A login page reached from an email link. Reach your Microsoft 365 or practice-management login by typing the address or using a saved bookmark — never by clicking through an email.
- Tone that is almost right. AI-written phishing has erased most spelling-error tells; judge by the request and context, not the grammar.
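The “Sender real?” check can also be done by a script, for instance over the From headers of messages staff report. The following is an added example written for this page (not code from the original guide or from any mail vendor): it separates the display name from the real address, reduces the sending domain to its registrable part, and compares that against the domains the practice trusts using the tells listed above. The trusted domains and the sample headers are constructed, and the registrable-domain step is a simplification that assumes two-label domains; production code should consult the Public Suffix List.

```python
"""Look-alike sender check (added example for this guide)."""
from email.utils import parseaddr

# Constructed allowlist for a fictional practice; replace with your own domains.
TRUSTED_DOMAINS = {"clinic.example", "microsoft.com", "billing-portal.example"}

# Digits and letter pairs attackers swap for visually similar characters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold look-alike characters so c1inic and rnicrosoft match the originals."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one swapped, added or dropped character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels only. ASSUMPTION: real code should use the Public Suffix List."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, detail) for one raw From header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", from_header)
    domain = addr.rpartition("@")[2].lower()
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    for trusted in TRUSTED_DOMAINS:
        # A trusted name used as a subdomain: microsoft.com.verify-login.example
        if trusted in domain:
            return ("lookalike", f"trusted name {trusted} buried inside {domain}")
    for trusted in TRUSTED_DOMAINS:
        # A swapped or extra character: c1inic.example, clinics.example
        if normalize(reg) == normalize(trusted) or edit_distance(reg, trusted) <= 1:
            return ("lookalike", f"{reg} resembles {trusted}")
    # Display name claims a trusted brand but the address does not carry it.
    if any(trusted.split(".")[0] in name.lower() for trusted in TRUSTED_DOMAINS):
        return ("suspicious", f"display name {name!r} does not match {domain}")
    return ("unknown", reg)


# Constructed sample headers for the fictional practice above.
SAMPLE_HEADERS = [
    "Front Desk <desk@clinic.example>",
    "Microsoft 365 <no-reply@microsoft.com.verify-login.example>",
    "Billing <billing@c1inic.example>",
    "Microsoft Account Team <alerts@mail-notice.example>",
    "Dr. Smith <drsmith@gmail.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, detail = classify_sender(header)
        print(f"{verdict:10} {header}  ({detail})")
```

An "unknown" verdict is not a clean bill of health; it only means the domain is neither trusted nor an obvious imitation, which is exactly the case where the rest of the checklist (pressure, money, expectation) has to do the work.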
Is email HIPAA-compliant? Email, ePHI, and your vendors
A common myth is that HIPAA bans email for protected health information. It does not. HHS is explicit that the Security Rule “does not expressly prohibit the use of email for sending e-PHI” and allows ePHI to travel over an open network as long as it is adequately protected (HHS FAQ). What the rule requires is that you assess the risk and apply reasonable access, integrity, and transmission-security safeguards. Encryption is an addressable implementation specification: you implement it where it is reasonable and appropriate, and otherwise document why not and what equivalent measure you use instead. In short: email is permitted if you have assessed the risk and the ePHI is adequately protected in transit.
Two practical implications follow:
- A business associate agreement (BAA) is required when a provider creates, receives, maintains, or transmits ePHI on your behalf. If your email or secure-messaging platform handles ePHI, HHS guidance treats it as a business associate, and a signed BAA is part of doing it properly. Major business platforms run HIPAA BAA programs — Microsoft 365, for example — whereas free consumer mailboxes generally do not, which is one reason a clinic should not run patient communication on a personal account.
- Adequate protection in transit matters. Mail carrying ePHI should not be readable if intercepted, which is why practices that email ePHI routinely use a secure-messaging or encryption layer rather than plain mail. For the fuller picture of what “encrypted” actually means, see encryption at rest and in transit.
Email security and HIPAA’s Security Rule are not separate projects. Phishing defense, access control, and transmission security are all safeguards the rule expects you to address through a documented risk analysis — which is the spine of the whole effort. You can see how these pieces fit together on our HIPAA Security Rule hub.
What to do if a staff member clicks a phishing link
Assume it will happen, because eventually it does. What separates a scare from a breach is how fast and how calmly the practice responds. The worst outcome is a staff member who clicks, panics, and stays silent. Build a culture where reporting is rewarded, not punished — and have a routine ready.
If someone clicks a suspicious link or enters credentials on a fake page:
- Report immediately, blame no one. Speed beats shame. The clock starts the moment of the click, not the moment someone admits it.
- Change the password now, from a different, trusted device — and change it anywhere that password was reused.
- Check MFA, active sessions, and forwarding. Confirm no new MFA method or device was registered by an attacker, revoke all active sessions so a session token captured by a phishing proxy stops working (a password change on its own does not reliably end sessions that already exist), and remove any forwarding address set on the mailbox.
- Disconnect if malware is suspected. If an attachment ran or the device is acting oddly, take it off the network and bring in your IT support rather than “seeing if it’s fine.”
- Look for the follow-on move. Compromised mailboxes are often used to send more phishing internally or to alter payment instructions — check sent items and any mailbox rules that were quietly created. The classic attacker rules forward mail to an outside address, or delete or move into an obscure folder any message mentioning invoices, payments, or password resets so the victim never sees the replies.
- Document and assess. Write down what happened and when. If ePHI may have been accessed or exfiltrated, this becomes a HIPAA matter — and your first-24-hours incident response routine takes over.
A practice that has rehearsed these six steps contains an incident in minutes; one improvising under stress loses hours it does not have.
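Checking for rules the attacker quietly created is easy to do badly by scrolling through a rule list. The following added example (written for this page, not code from the original guide or from Microsoft) runs the typical BEC rule patterns over a list of rules exported from the mailbox: forwarding to an outside address, deleting or hiding messages about invoices, payments or password resets, moving mail into folders nobody opens, and blank rule names. The field names are an assumption chosen for the example, so an export from, say, Exchange Online's Get-InboxRule cmdlet has to be mapped onto them; the rules and the practice domain are constructed.

```python
"""Post-compromise triage of mailbox rules (added example for this guide)."""

PRACTICE_DOMAIN = "clinic.example"   # constructed
FRAUD_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "password",
                  "verification", "mfa", "phishing", "suspicious"}
# Folders attackers pick because nobody looks there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items"}

# Constructed export: a list of rules, one dict each. ASSUMED field names:
# name, from_contains, subject_contains, body_contains, forward_to, redirect_to,
# move_to, delete, mark_as_read. Map your real export onto these.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@vendor.example"], "move_to": "Newsletters"},
    {"name": "Cover", "forward_to": ["frontdesk@clinic.example"]},
    {"name": ".", "subject_contains": ["invoice", "payment", "wire"], "delete": True, "mark_as_read": True},
    {"name": "Forward", "forward_to": ["backup.mailbox@webmail.example"]},
    {"name": "a", "subject_contains": ["password", "verification"], "move_to": "RSS Feeds", "mark_as_read": True},
]


def is_external(address: str) -> bool:
    """True when the address is not on the practice's own domain."""
    return address.rpartition("@")[2].lower() != PRACTICE_DOMAIN


def triage_rule(rule: dict) -> list:
    """Return the reasons one rule looks like attacker tradecraft (empty if none)."""
    reasons = []
    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(addr):
            reasons.append(f"forwards mail to external address {addr}")
    words = {w.lower() for w in rule.get("subject_contains", []) + rule.get("body_contains", [])}
    hits = sorted(words & FRAUD_KEYWORDS)
    if hits and (rule.get("delete") or rule.get("move_to")):
        reasons.append(f"hides or deletes messages mentioning {', '.join(hits)}")
    folder = (rule.get("move_to") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{rule['move_to']}', a folder staff rarely open")
    if len((rule.get("name") or "").strip()) <= 1:
        reasons.append("blank or one-character rule name")
    return reasons


def triage_rules(rules: list) -> list:
    """Return findings for every suspicious rule, high severity first."""
    findings = []
    for rule in rules:
        reasons = triage_rule(rule)
        if not reasons:
            continue
        high = any(r.startswith(("forwards", "hides")) for r in reasons)
        findings.append({"name": rule.get("name") or "<unnamed>",
                         "severity": "high" if high else "medium",
                         "reasons": reasons})
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in triage_rules(SAMPLE_RULES):
        print(finding["severity"].upper(), repr(finding["name"]), "->", "; ".join(finding["reasons"]))
```

Delete any rule it flags only after noting its contents for the incident record; the rule itself is evidence of what the attacker was trying to hide, and that tells you which conversations (a pending invoice, a bank-detail change) to check next.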
Where to start
If you do nothing else this month, do these three things, in order:
- Confirm SPF and DKIM are correct, then publish a DMARC record at p=none and start reading the reports. This is the highest-leverage technical step, and it is mostly DNS work you do once.
- Print the stop-and-check checklist and walk your team through it in a ten-minute huddle. Make it explicit that pausing to verify is encouraged, never penalized.
- Write your one-page “clicked a link” response routine and tell everyone where it lives — before you need it.
From there, tighten DMARC toward quarantine and then reject, confirm MFA is on every mailbox, and make sure your provider has signed a BAA if ePHI ever touches email.
The Byzantine takeaway
You will never make your practice un-phishable, and any vendor who promises that is selling theater. What you can do is build layers — authentication that proves your mail is yours, filtering that clears the noise, MFA that blunts stolen passwords, trained people who catch the targeted attack, and a calm routine for the message that slips through. Each layer is modest alone; together they turn email from your biggest liability into a managed risk. None of it requires an enterprise budget — it requires a plan, an afternoon of DNS work, and a team that knows it is safe to hit pause. That is exactly the kind of affordable, practical security a small practice deserves, and the work we are glad to do alongside you.