Healthcare Information Security


Healthcare Email Security Defenses Lag Behind Other Industries

Mimecast found that health organizations are no more or less targeted than other sectors; rather, their security controls and technology can’t keep pace with hackers and attack methods such as phishing.


By Jessica Davis

Email security defenses in the healthcare sector lag behind other industries, with healthcare organizations currently in the reaction stage of bolstering their defenses, according to a recent Mimecast analysis.

Mimecast regularly performs email security risk assessments across all sectors, pulling data aggregated from actual inbound email traffic from client organizations. For the first time, Mimecast broke down that data to determine how the healthcare sector is faring against email-borne threats compared to other sectors.

Report Findings: Lagging Healthcare Email Security

What Mimecast found was that the healthcare sector’s email defenses aren’t as strong as other industries’: more than 16 percent of the 2.2 million inspected emails were false negatives, meaning spam, or messages containing malware or other malicious content, that still got through email filters.

For comparison, the other sectors saw an average of about 12 percent false negatives.

“There’s a significantly higher percent of bad mail getting through,” said Mimecast Cybersecurity Strategist Matthew Gardiner. “We broke it down further, and of that 12 percent, one in every 3,741 emails contained malware. Not all of these attacks are based on malware.”


“It’s a great stepping stone from an attacker’s point of view,” he added. “The rate of malware getting through is almost twice as often as in other industries, which is one in 5,300 emails with malware overall.”

Impersonation attacks, such as fraudulent wire-transfer requests, also proved problematic for healthcare. About one in 350 healthcare emails is an impersonation attempt, which Gardiner explained is almost 10 times more likely than in other sectors, where just one in 4,290 emails is an impersonation attempt.

Gardiner offered an analogy: much as reports of a disease explode once the virus is first discovered, mandatory breach reporting to the Department of Health and Human Services means that “it feels like there’s this surge in healthcare breaches,” he said.

But to Gardiner, the problem is that the average healthcare organization tends to be smaller and less sophisticated from an IT point of view. Many also struggle with smaller IT budgets, meaning healthcare IT teams can’t afford the security that big businesses like banks can.

“Healthcare has a double problem, where a regular business doesn’t have medical tech,” said Gardiner. “Essentially they have to cover two domains.”


“They’re also paying for underinvestment of years ago,” he added. “Even if you had all of the money in the world, you couldn’t mature instantly. It takes years to build out tech and practices. It’s my sense that they’ve been more under duress in recent years, as they’re in catch-up mode.”

Best Practice Email Security

Healthcare organizations need to employ a three-pronged security approach. Gardiner explained that it starts with defensive technology, which is currently lagging behind the times. Next, they should focus on their people.

“The security program hasn’t been a strong aspect with health providers as much as it has in financial services; it’s a training aspect,” said Gardiner. “Phishing exposes technology. And if your tech doesn’t catch it, then it’s up to the people.”

The third angle is the sophistication of business practices. Gardiner stressed that “if you’re weak in all three areas, the attack gets in, and there are no checks and balances…. Weaknesses in all three areas become exposed.”

Health organizations need to focus on general security controls, such as keeping sensitive data in fewer places, encrypting it at rest, access controls, patching, and the like. Gardiner explained that they should then pivot to phishing and ensure that their anti-phishing tools have been evaluated within the last year, as “the attacks and the tech have changed.”


Next, providers must evaluate security awareness training; educating staff creates a layered security approach, he said. Lastly, they need to look at their most sensitive business practices to make sure they’re not vulnerable to “a single point of failure.”

Gardiner stressed the need for strong governance, especially when it comes to impersonation emails. For example, when a hacker attempts to dupe employees into wiring funds, there needs to be accountability or a second point of validation, such as a verbal confirmation or an existing banking relationship.

State of the Industry

Right now, healthcare is in the reacting stage. Reflecting on his 20 years in the security industry, Gardiner explained that there’s a normal cycle for businesses when it comes to cybersecurity. They first feel the pain of breaches and security lapses and then they react.

“Healthcare maybe felt the pain heavily in the last three years, and my sense is now they’re reacting,” said Gardiner. “But you can show up with all of the money in the world, and you can’t solve the problem in a day.”

“Required disclosure creates awareness that more needs to be done,” he continued. “Healthcare providers are reacting… the numbers don’t really prove that the problem is being solved. But it’s directionally headed in the right direction.”

However, Gardiner is optimistic that it will be less of a challenge for the healthcare sector to catch up than it was for other industries, given cloud adoption and the evolution of data handling, which make the problem more solvable.

“The IT systems and security controls that we use are progressing, but the hackers are progressing faster and that’s been the game for a while,” Gardiner said. “It’s not that we’re not progressing, we’re just not progressing fast enough.”

“There is hope: The security industry itself is becoming more accessible, and easier to manage,” he added. “We can’t solve all customer problems, but we can help minimize challenges.”
