Nearly all top healthcare providers – 98 percent – have not implemented Domain-based Message Authentication, Reporting & Conformance (DMARC) in an enforcing mode, which could lead to healthcare email security issues, according to a recent survey.
The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cyber Alliance (GCA), and Agari published the Agari Industry DMARC Adoption Report for Healthcare, analyzing the DMARC policies of more than 500 healthcare and pharmaceutical domains.
DMARC is an email authentication standard that aims to eliminate phishing emails that spoof a legitimate sender domain. It stemmed from a Yahoo and PayPal experiment in 2007 that was designed to prevent account credential phishing.
Healthcare is at the highest risk of being targeted by fraudulent email, the report showed. Fifty-seven percent of emails that are allegedly from the healthcare industry are fraudulent or unauthenticated. Furthermore, 92 percent of healthcare domains have been targeted by fraudulent email.
Approximately three-quarters of healthcare organizations have not deployed DMARC to protect email, the report said. Two percent of surveyed entities are using quarantine or reject policies (the enforcing DMARC settings) on their domains to prevent phishing or spoofing. Twenty-one percent of respondents said they have deployed DMARC to monitor unauthenticated emails but that they are not blocking phishing emails.
The US Department of Homeland Security (DHS) issued a directive in October 2017 that mandated federal agencies to adopt DMARC within 90 days. In response, NH-ISAC asked its members to pledge to adopt DMARC, and said it will issue the same request at its upcoming fall summit.
NH-ISAC members are leading the rest of the healthcare industry in DMARC adoption, according to the survey. While 70 percent of NH-ISAC members have no policy in place, that is still a 7 percent improvement over the rest of the sector.
“The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members,” said Aetna CSO Jim Routh, who is also NH-ISAC Chairman.
Agari Founder and Executive Chairman Patrick Peterson explained that entities that have deployed DMARC have seen a lift in email click-through rate because phishing and spam emails have been minimized.
“By heeding the guidance of NH-ISAC leaders, healthcare companies will improve security for themselves, their healthcare providers and their patients,” Peterson said in a statement. “Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications.”
A GCA survey from June 2017 also stressed the need for improved healthcare email security, which would largely benefit from DMARC adoption. That survey found that at least 22 of the top 48 for-profit hospitals in the nation had deployed DMARC. However, six of the 50 largest hospitals were working to protect their email campaigns.
“As cyber threats mount against healthcare providers, deploying DMARC is an essential solution to protecting their patients' data privacy,” GCA President and CEO Philip Reitinger said in a statement. “The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients' digital health. I strongly encourage healthcare organizations to use this protocol to its fullest capacity.”
The June GCA survey also revealed that one of the hospitals using DMARC said it was deployed at a level preventing spam from being delivered to inboxes. The other 27 hospitals using DMARC reported the practice was utilized to monitor emails from their own domain, not to prevent spam from going into inboxes.
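The three adoption levels the surveys count (no record at all, a monitor-only policy, and an enforcing quarantine or reject policy) are set by tags in the TXT record a domain publishes at `_dmarc.<domain>`. As an added example, not code from the report, GCA or Agari, the following Python parses such records and classifies them the way the surveys do; the domain names and records are constructed samples, and the rule that a `pct=0` record counts as monitor-only is an assumption made here rather than something the report states.

```python
"""Classify DMARC TXT records into the adoption levels used in the surveys."""
from typing import Dict, Optional

# Constructed sample records for hypothetical domains (not real organizations).
# A value of None models a domain that publishes no _dmarc TXT record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-policy.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "enforce.example": (
        "v=DMARC1; p=reject; sp=quarantine; pct=100; "
        "rua=mailto:agg@enforce.example; ruf=mailto:fail@enforce.example"
    ),
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:agg@partial.example",
    # An SPF record mistakenly published at _dmarc: receivers ignore it, so it
    # gives the domain no DMARC protection at all.
    "broken.example": "v=spf1 include:_spf.example -all",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs.

    Returns None when there is no record, when it does not start with
    v=DMARC1, when it lacks the mandatory p tag, or when p has an unknown value.
    """
    if not txt:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:          # tolerate a trailing semicolon
            continue
        if "=" not in part:   # malformed tag: treat the record as invalid
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The v tag must come first and must read DMARC1 (case-insensitive).
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def adoption_level(txt: Optional[str]) -> str:
    """Map a record to 'no policy', 'monitor' or 'enforce'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no policy"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: an unparseable pct is treated as the default 100
    # p=none only asks receivers to report; pct=0 disables the action entirely
    # (assumption: counted as monitor-only here). Anything else enforces, even
    # if pct applies it to only a fraction of failing mail.
    if policy == "none" or pct == 0:
        return "monitor"
    return "enforce"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Tally domains per adoption level, the shape of the figures in the report."""
    counts = {"no policy": 0, "monitor": 0, "enforce": 0}
    for txt in records.values():
        counts[adoption_level(txt)] += 1
    return counts


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:20} {adoption_level(txt)}")
    print(summarize(SAMPLE_RECORDS))
```

To run this against live domains rather than the constructed samples, resolve the TXT record at `_dmarc.<domain>` with a DNS library and pass its text to `adoption_level`; the classification logic itself does not change.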
Email attacks were the most popular way for malicious users to attempt to gain access, GCA reported, citing data from the Verizon 2017 DBIR. DMARC will benefit organizations by stopping scammers from using an email domain to attempt infiltration, GCA said.
“Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty,” Verizon Enterprise Solutions Global Security Services Executive Director Bryan Sartin said in a statement. “And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”