Why healthcare CISOs are rethinking email security in 2026.
The email attacks that are actually succeeding against healthcare organizations this year don't look like the ones your secure email gateway was designed to stop. The threat has changed shape. The defensive stack, for most organizations, has not.

A healthcare CISO we spoke with last month described the problem in one sentence: "Our gateway is catching everything it was designed to catch, and none of what's actually getting through." That is, with some local variation, the story across most of the multi-site clinical operators we work with. Spending on email security has gone up. Successful incidents have also gone up. The two facts are related.
What changed is not the volume of email attacks. It is the composition.
The attacks that work now.
Three categories of email attack have moved from edge cases to the mainstream in the last twelve to eighteen months. Each one bypasses the core logic of a traditional secure email gateway.
1. Impersonation without malware.
The classic healthcare attack — a malicious attachment hidden in a claims document or a fake fax — still happens, but it is no longer where the losses are. The losses are in business email compromise: a convincingly spoofed email from a vendor, a payer, or an executive, asking a clinical or finance employee to change a bank routing number, release a patient record, or approve a wire transfer.
There is no attachment. There is no link. There is no payload for the gateway to scan. The entire attack is a social engineering play that lives inside a perfectly well-formed email. Against a signature-based or attachment-based detection stack, it is invisible.
2. Compromised legitimate vendors.
The most dangerous emails in a healthcare environment now come from compromised accounts at real vendors — medical device suppliers, billing services, credentialing firms — that the hospital has been exchanging email with for years. The email is authenticated. The sending domain is legitimate. The threading is coherent. The only thing wrong is that the person on the other end is not the vendor anymore.
Our incident response work on two separate healthcare engagements in the past year traced back to exactly this vector. In one case, the attacker had been silently reading the vendor's mailbox for forty-three days before sending the first fraudulent message. The fraudulent message passed every gateway check the hospital had. It had to. It came from the vendor's real account.
3. AI-assisted personalization.
The generative-AI-written phishing email is, by itself, not a qualitatively new threat. The qualitative shift is in personalization at scale. An attacker can now produce a hundred different variants of a pretext email, each one tailored to the specific role, facility, and communication style of the target, with perfect grammar in English and in Spanish, and none of the tells that older phishing detection systems were trained on.
The first generation of email security assumed the attacker was operating at volume and cutting corners. The second generation has to assume the attacker is operating with context and patience.
A legacy gateway's content-scoring model was built on the assumption that phishing emails had shared linguistic features — odd phrasing, clumsy urgency, generic salutations. That assumption was defensible in 2018. It is not defensible in 2026.
Why the legacy stack falls short.
The traditional secure email gateway was engineered for three jobs: filter spam, detonate malicious attachments in a sandbox, and check URLs against reputation feeds. Those three jobs remain necessary. They are no longer sufficient.
The missing layer is behavioral. A modern email threat is not detected by reading the message. It is detected by noticing that this sender has never before asked this recipient to do this thing, and that the reply address on this seemingly legitimate vendor email does not actually match the vendor's real mailbox. That kind of detection requires a signal most legacy gateways never ingest — the historical communication graph of the organization itself.
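As an added illustration of that behavioral layer (example code written for this article, not Colossus's or any vendor's product logic), the following Python builds a small communication history from constructed vendor traffic and flags the two signals named above: a Reply-To domain the sender has never used, and a request category this sender has never made of this recipient. The vendor and hospital addresses, the message bodies, and the keyword patterns are all assumptions.

```python
# Added example, not Colossus's or any vendor's code. Addresses, bodies and keyword
# patterns are constructed assumptions used only to illustrate the two signals.
import re
from collections import defaultdict
# Request categories the article calls out; the regexes are illustrative heuristics.
REQUEST_PATTERNS = {
    "banking_change": re.compile(r"\b(routing|account)\s+number\b", re.I),
    "wire_transfer": re.compile(r"\bwire\b", re.I),
    "record_release": re.compile(r"\b(patient|medical)\s+records?\b", re.I),
}

def classify_request(body):
    """Request categories found in a message body (possibly empty)."""
    return {name for name, pat in REQUEST_PATTERNS.items() if pat.search(body)}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_graph(history):
    """Communication graph: (sender, recipient) -> categories seen; sender -> Reply-To domains seen."""
    requests, reply_domains = defaultdict(set), defaultdict(set)
    for msg in history:
        sender, rcpt = msg["from"].lower(), msg["to"].lower()
        requests[(sender, rcpt)] |= classify_request(msg["body"])
        reply_domains[sender].add(domain_of(msg.get("reply_to", msg["from"])))
    return requests, reply_domains

def score_message(graph, msg):
    """Behavioral findings for a new message; an empty list means nothing unusual."""
    requests, reply_domains = graph
    sender, rcpt = msg["from"].lower(), msg["to"].lower()
    findings = []
    reply_dom = domain_of(msg.get("reply_to", msg["from"]))
    # Signal 1: the reply address does not go back to any mailbox this sender has used before.
    if reply_dom not in reply_domains.get(sender, {domain_of(sender)}):
        findings.append(f"reply-to domain {reply_dom} never seen for {sender}")
    # Signal 2: this sender has never asked this recipient for this kind of action.
    for cat in sorted(classify_request(msg["body"]) - requests.get((sender, rcpt), set())):
        findings.append(f"first {cat} request from {sender} to {rcpt}")
    return findings

# Constructed history: years of routine invoice traffic from a device vendor.
HISTORY = [
    {"from": "ap@devicevendor.example", "to": "finance@hospital.example",
     "body": "Attached is invoice 1042 for the infusion pump service contract."},
]
# Constructed suspect: the vendor's real account, a brand-new ask, and a Reply-To on a look-alike domain.
SUSPECT = {"from": "ap@devicevendor.example", "to": "finance@hospital.example",
           "reply_to": "ap@devicevendor-billing.example",
           "body": "We have changed banks. Please update our routing number before paying invoice 1042."}

def demo():
    return score_message(build_graph(HISTORY), SUSPECT)
```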
What a modern posture looks like.
The healthcare organizations we've helped modernize their email security over the last year have all converged on a similar structure, regardless of which vendor they ended up with. The shape matters more than the brand:
- An API-integrated layer behind the gateway. Modern platforms — Check Point Harmony Email, Abnormal, Avanan, Microsoft Defender for Office 365 with the right plan — sit behind the perimeter gateway and analyze mail post-delivery, with full access to the organization's historical communication patterns. This is where behavioral and impersonation detection actually happens.
- Sender-policy hygiene completed, not aspirational. SPF, DKIM, and DMARC enforced with a reject or quarantine policy, not monitor-only. Every healthcare organization we've assessed in the last year has DMARC records. Roughly a third of them are still set to p=none, which is the equivalent of having a lock on the door and leaving the door open.
- BEC-specific user workflows. A one-click "report this as suspicious" button that goes to the SOC, not to an abuse inbox that nobody reads. A lightweight reauthorization flow for banking or routing changes that bypasses email entirely. A documented escalation path for clinical staff who receive an urgent request from an "executive."
- Vendor-compromise drills. A tabletop exercise that asks: "If our largest device vendor's mailbox were compromised tomorrow, what would our process be for detecting, containing, and communicating that to the rest of our staff?" Most organizations we ask have never run this drill.
- Metrics that reflect the new threat. Measuring phishing click-rate is necessary but no longer sufficient. The better metrics are BEC dwell time (how long is a compromised internal or vendor account active before detection), vendor-impersonation reports per month, and the close-rate on user-reported suspicious messages.
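To make the DMARC item in the list above concrete, here is an added example (written for this article, not Colossus's code) that parses a DMARC TXT record and reports whether it actually enforces. The weak and corrected records are constructed illustrations, and hospital.example is a placeholder domain.

```python
# Added example, not Colossus's code. Both records below are constructed illustrations
# of the p=none problem described above; the domain is a placeholder.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@hospital.example"
CORRECTED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                    "rua=mailto:dmarc-reports@hospital.example")

def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):   # tolerate the quotes dig prints
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return (enforcing, issues): enforcing only if failures are really quarantined or rejected."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC1 record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: failures are only reported, never quarantined or rejected")
    subpolicy = tags.get("sp", policy).lower()   # sp defaults to the value of p (RFC 7489)
    if subpolicy == "none" and policy != "none":
        issues.append("sp=none: subdomains stay unenforced even though the apex domain is")
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so spoofing of the domain goes unseen")
    enforcing = policy in ("quarantine", "reject") and subpolicy != "none" and pct == 100
    return enforcing, issues
```

For a live domain the record is the TXT entry at `_dmarc.<domain>` (for example `dig +short TXT _dmarc.hospital.example`); feed the returned string to assess_dmarc.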
The leadership question.
The question a CISO in a healthcare operator should be prepared to answer — for the CEO, for the board, and for a cyber insurance underwriter — is no longer "do we have email security." That question had an easy answer and no longer matters. The question now is closer to: "When an attacker compromises a vendor we've been emailing for five years, how do we notice, and how fast?"
If the honest answer is "we wouldn't," the stack is not ready. Not because the gateway is bad, but because the gateway was never meant to answer that question. A different layer has to.
About Colossus.
Colossus Technologies Group is a veteran-led cybersecurity firm headquartered in Boston, serving healthcare, government, financial services, and technology clients. Our cybersecurity practice is led by operators with deep backgrounds in defending networks against nation-state adversaries. We advise, assess, and operate email security programs for healthcare organizations ranging from growth-stage clinical operators to multi-site enterprise systems.