DMARC Still Not Widely Adopted by Healthcare Organizations

Share this article on:

By adopting the Domain-based Message Authentication, Reporting and Conformance (DMARC) Standard, healthcare organizations can detect and prevent email spoofing and abuse of their domains; however, relatively few healthcare organizations are using DMARC, according to a recent study conducted by the email authentication vendor Valimail.

DMARC is an open standard that ensures a domain can only be used by authorized senders. If DMARC is not implemented, it is easy for a hacker to send an email that contains a company’s domain in the From field of the email.

Security awareness programs train employees never to click on hyperlinks or open attachments contained in emails from unknown senders. However, when the email appears to have been sent from a contact or known individual, the messages are often opened, links are clicked, and attachments are opened.

Research conducted by Cofense suggests more than 91% of all cyberattacks start with a phishing email, and the majority of successful phishing attacks use email impersonation techniques. If controls are not implemented to block email impersonation, companies will be vulnerable to phishing attacks.

DMARC is one of the most effective anti-phishing controls. When a DMARC record is created for a domain, the receiving server checks to determine whether the sender of the message is authorized to use the domain. If the message is authenticated, it will be delivered. If the authentication fails, the receiving server will take the action detailed in the DMARC record. If permissive controls are set, the message will still be delivered although policies can be set to direct the message to the quarantine (spam) folder or at the most aggressive level, the message will be rejected.

For the study, Valimail assessed the domains of 928 healthcare companies around the world with annual revenues in excess of $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those companies (13%) have adopted DMARC to secure their domains and prevent email spoofing.

Even when DMARC is implemented, most healthcare companies set permissive monitor-only policies. While those organizations will be alerted to email impersonation attacks, the messages will not be blocked. Few healthcare organizations have implemented DMARC at the enforcement level, which is necessary to protect against email impersonation attacks. Overall, only 1.7% of healthcare organizations have set policies that reject emails sent by unauthorized senders.

While few healthcare companies have adopted DMARC, the study showed a majority – 60% – have adopted the Sender Policy Framework (SPF) standard. While SPF is an effective control, it only validates the return-path field. It does not prevent hackers from conducting email impersonation attacks and using an organization’s domain in the from field.

DMARC adoption is increasing, although implementation is clearly a challenge for many healthcare organizations. Valimail notes in its report that it is typically only the largest healthcare organizations that successfully implement DMARC, suggesting DMARC implementation is a resource issue for smaller companies.

Author: HIPAA Journal

Share This Post On