HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

DMARC Still Not Widely Adopted by Healthcare Organizations

By adopting the Domain-based Message Authentication, Reporting and Conformance (DMARC) Standard, healthcare organizations can detect and prevent email spoofing and abuse of their domains; however, relatively few healthcare organizations are using DMARC, according to a recent study conducted by the email authentication vendor Valimail.

DMARC is an open standard that ensures a domain can only be used by authorized senders. If DMARC is not implemented, an attacker can easily send an email that carries a company’s domain in the From field, the address the recipient sees.

Security awareness programs train employees never to click on hyperlinks or open attachments contained in emails from unknown senders. However, when the email appears to have been sent from a contact or known individual, the messages are often opened, links are clicked, and attachments are opened.

Research conducted by Cofense suggests more than 91% of all cyberattacks start with a phishing email, and the majority of successful phishing attacks use email impersonation techniques. If controls are not implemented to block email impersonation, companies will be vulnerable to phishing attacks.


DMARC is one of the most effective anti-phishing controls. When a DMARC record is published for a domain, the receiving server checks whether the sender of the message is authorized to use the domain: the message must pass SPF or DKIM, and the domain that passed must align with the domain in the From field. If the message is authenticated, it is delivered. If authentication fails, the receiving server takes the action specified in the DMARC record. With a permissive, monitor-only policy (p=none) the message is still delivered; the policy can instead direct receivers to quarantine the message (p=quarantine, typically the spam folder) or, at the most aggressive level, to reject it outright (p=reject).

For the study, Valimail assessed the domains of 928 healthcare companies around the world with annual revenues in excess of $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those companies (13%) have adopted DMARC to secure their domains and prevent email spoofing.

Even when DMARC is implemented, most healthcare companies set permissive monitor-only policies. While those organizations will be alerted to email impersonation attacks, the messages will not be blocked. Few healthcare organizations have implemented DMARC at the enforcement level, which is necessary to protect against email impersonation attacks. Overall, only 1.7% of healthcare organizations have set policies that reject emails sent by unauthorized senders.

While few healthcare companies have adopted DMARC, the study showed a majority – 60% – have adopted the Sender Policy Framework (SPF) standard. SPF is an effective control, but it only validates the Return-Path (envelope sender) address against the domain’s published list of sending hosts. It does not check the From field that the recipient sees, so it does not prevent hackers from conducting email impersonation attacks that place an organization’s domain in the From field.
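As an added illustration, not part of the HIPAA Journal article or the Valimail study, the following Python evaluator shows why an SPF pass alone does not stop From-field spoofing and why a monitor-only policy only reports rather than blocks. The DMARC records, domains and message are constructed for the example.

```python
# Constructed sample DMARC TXT records (tag syntax per RFC 7489).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-clinic.test"
ENFORCING = "v=DMARC1; p=reject; aspf=r; adkim=r"
STRICT_SPF = "v=DMARC1; p=quarantine; aspf=s"

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A real receiver consults the Public Suffix List instead (assumption noted)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record_txt, from_domain, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """Evaluate DMARC for one message. 'pass' when SPF or DKIM passed AND its
    domain aligns with the From field; otherwise the record's policy action
    ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()

# Constructed message: the Return-Path domain passes SPF (it is the sender's
# own domain), but the From field carries the protected clinic domain.
SPOOFED = dict(from_domain="example-clinic.test",
               spf_domain="bulk-sender.test", spf_pass=True)
# Constructed legitimate message sent from a subdomain of the clinic.
LEGIT = dict(from_domain="example-clinic.test",
             spf_domain="mail.example-clinic.test", spf_pass=True)
```

Under the monitor-only record the spoofed message is delivered (disposition "none", visible only in aggregate reports); under the enforcing record it is rejected, while the legitimate subdomain message passes under relaxed alignment but not under strict SPF alignment.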

DMARC adoption is increasing, although implementation is clearly a challenge for many healthcare organizations. Valimail notes in its report that it is typically only the largest healthcare organizations that successfully implement DMARC, suggesting DMARC implementation is a resource issue for smaller companies.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.