The majority of the largest US public hospitals are not making enough use of available email security protections, according to a recent Global Cyber Alliance (GCA) survey.
At least 22 of the top 48 for-profit hospitals in the nation have deployed the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, GCA found. Just six of the 50 largest hospitals are working to protect their email campaigns.
DMARC is used to defend against phishing: it lets a domain owner tell receiving mail servers what to do with messages that claim to come from its domain but fail SPF or DKIM authentication, and it returns reports that give the organization insight into attempted spam, phishing, or spear-phishing campaigns that abuse its domain.
"As cyber threats mount against healthcare providers, deploying DMARC is an essential solution to protecting their patients' data privacy," GCA President and CEO Philip Reitinger said in a statement. "The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients' digital health. I strongly encourage healthcare organizations to use this protocol to its fullest capacity."
GCA also found that only one of the hospitals using DMARC has deployed it at an enforcing level, one that instructs receiving servers to quarantine or reject unauthenticated mail claiming to come from its domain. The other 27 hospitals using DMARC run it in monitor-only mode, which reports on mail sent in their domain's name but does not stop spoofed messages from reaching inboxes.
Citing data from Verizon's 2017 Data Breach Investigations Report (DBIR), GCA noted that email attacks were the most popular way for malicious actors to attempt to gain access.
According to the DBIR, 95 percent of phishing attacks that led to a breach were followed by some form of software installation on the victim's device, and nearly half of the reported data breaches, 43 percent, involved phishing as well.
Verizon Enterprise Solutions Global Security Services Executive Director Bryan Sartin said in a statement that the human factor is a key issue for cybersecurity.
"Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty,” Sartin explained. “And as our report shows, it is working, with a significant increase in both phishing and pretexting this year."
GCA observed that DMARC helps organizations by stopping attackers from sending mail that spoofs the organization's own email domain as a way in.
Aetna Chief Security Officer Jim Routh added that DMARC prevents malicious email “from using the most common tactic.”
"DMARC improves the consumer digital experience by eliminating malicious emails from spoofed domains, increasing the level of trust that consumers have in email,” Routh said in a statement. “The improvement in trust results in better health outcomes for consumers while also offering better protection of their health information."
Email security is a critical area that healthcare organizations cannot overlook, especially as cybersecurity threats continue to evolve and become more sophisticated.
NIST released a special publication, Trustworthy Email, in September 2016 to highlight how IT managers can navigate email security measures.
Simple Mail Transfer Protocol (SMTP) is susceptible to numerous types of attacks, NIST explained in its executive summary.
“The basic standards have been modified and augmented over the years with adaptations that mitigate some of these threats,” report authors wrote. “With spoofing protection, integrity protection, encryption and authentication, properly implemented email systems can be regarded as sufficiently secure for government, financial and medical communications.”
DMARC was one of the recommendations NIST suggested to improve email security.
“DMARC allows email sending domain owners to specify policy on how receivers can verify the authenticity of their email, how the receiver can handle email that fails to verify, and the frequency and types of report that receivers should send back,” NIST explained. “DMARC benefits receivers by removing the guesswork about which security protocols are in use, allowing more certainty in quarantining and rejecting inauthentic mail.”
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC, which builds on both, can also help secure SMTP and the Domain Name System (DNS) records that email depends on, according to NIST.
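To make the policy levels in the GCA survey (monitor-only versus quarantine or reject) and the NIST description of DMARC concrete, the following is an added example written for this page; it is not code from the article, from GCA, or from NIST SP 800-177. It applies the identifier-alignment and policy rules of RFC 7489 to constructed inputs: the `_dmarc` TXT record text and the SPF/DKIM results are passed in rather than looked up in DNS, the domains `hospital.example`, `attacker.example` and `bulk-sender.example` are made up, and the organizational-domain rule is simplified to the last two labels instead of consulting the Public Suffix List.

```python
"""Evaluate a message against a domain's DMARC policy (RFC 7489 rules).

Added example for this article, not code from GCA, NIST or the article's
author. Runs offline: the _dmarc TXT record and the SPF/DKIM results are
passed in as constructed inputs instead of being looked up in DNS.
"""
from dataclasses import dataclass
from typing import Optional

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into tags, applying RFC 7489 defaults."""
    if not txt.lstrip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: v=DMARC1 must come first")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("pct", "100")     # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is given
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim/aspf must be r or s")
    if tags["sp"] not in POLICIES or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("invalid sp= or pct= value")
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels. Assumption: RFC 7489 uses the Public Suffix List,
    which this example does not consult, so 'x.example.co.uk' is wrong here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain (mail.hospital.example vs hospital.example)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    """What the receiving MTA established before DMARC runs (constructed)."""
    spf_pass_domain: Optional[str] = None  # MAIL FROM domain, if SPF passed
    dkim_pass_domains: tuple = ()          # d= of each signature that verified


def dmarc_evaluate(from_domain: str, record: str, results: AuthResults,
                   policy_domain: Optional[str] = None, sample: int = 0) -> dict:
    """Return the DMARC result and the disposition a receiver should apply.

    policy_domain: domain whose record was used; when that is the
    organizational domain rather than from_domain itself, sp= applies.
    sample: 0..99 slot in pct= sampling (deterministic here, random in a
    real receiver); failing mail outside pct gets the next-weaker policy.
    """
    tags = parse_dmarc_record(record)
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in results.dkim_pass_domains)
    spf_ok = (results.spf_pass_domain is not None
              and aligned(from_domain, results.spf_pass_domain, tags["aspf"]))
    passed = dkim_ok or spf_ok
    own_record = (policy_domain or from_domain).lower() == from_domain.lower()
    policy = tags["p"] if own_record else tags["sp"]
    if not passed and sample >= int(tags["pct"]):
        policy = POLICIES[max(POLICIES.index(policy) - 1, 0)]
    return {"result": "pass" if passed else "fail",
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "disposition": "none" if passed else policy,
            "aggregate_reports_to": tags.get("rua")}


def survey_scenarios() -> dict:
    """One constructed spoof against the three policy levels in the survey.

    The attacker sends 'From: billing@hospital.example' from their own
    server: SPF passes only for the attacker's MAIL FROM domain and no
    DKIM signature from hospital.example exists. Only p= differs.
    """
    spoof = AuthResults(spf_pass_domain="attacker.example", dkim_pass_domains=())
    records = {
        "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@hospital.example",
        "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc@hospital.example",
        "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example",
    }
    return {name: dmarc_evaluate("hospital.example", rec, spoof)["disposition"]
            for name, rec in records.items()}


if __name__ == "__main__":
    print(survey_scenarios())  # monitor-only lets the spoof through unchanged
```

The monitor-only record (`p=none`) still yields a `rua=` address, so the domain owner learns about the spoof from aggregate reports, but the receiver delivers the message; that is the gap between the 27 monitoring hospitals and the one enforcing. The `pct=` and `sp=` tags are the two knobs a practitioner uses to move from monitoring to enforcement gradually, and the `adkim`/`aspf` modes matter when legitimate mail is sent by a third party on a subdomain, which is the usual reason an enforcing policy breaks real mail.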
Transport Layer Security (TLS) protects email in transit between mail servers, while the content of a message itself can be encrypted and authenticated end to end using Secure/Multipurpose Internet Mail Extensions (S/MIME).