Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard.

The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security.

For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network.

The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC.

Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting patients from phishing attacks spoofing their domains. NH-ISC reports that only 30% of its members have adopted DMARC.

The impersonation of domains is a common tactic employed by phishers to fool victims into believing emails have been sent by trusted organizations. The healthcare industry is at the highest risk of being targeted by fraudulent email, according to the report. Over the past 6 months, 92% of healthcare domains have been targeted by phishers and scammers using fraudulent email. 57% of all emails sent from healthcare organizations are fraudulent or unauthenticated.

DMARC has been widely adopted in industry, although the healthcare industry lags behind. The same is true of federal agencies, which have been slow to implement the email security standard. Last month, the U.S Department of Homeland Security addressed this by issuing a Binding Operational Directive, which required all federal agencies to implement DMARC within 90 days.

The healthcare industry is being urged to do the same. NH-ISAC is already encouraging its members to adopt DMARC, while the GCA has launched a ‘90-Days to DMARC’ challenge, which commences on December 1. Under the challenge, GCA will be releasing guidance, conducting webinars, and making resources available to help healthcare organizations plan, implement, analyze, and adjust DMARC.

“GCA is challenging organizations in all sectors to follow the path set forward by DHS. We applaud NH-ISAC for calling upon its members to implement DMARC,” said Phil Reitinger, President and CEO of GCA.

Jim Routh, CSO, Aetna, said “The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members.”

“Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications,” said Patrick Peterson, founder and executive chairman of Agari.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.