Content, Breach, Phishing

Healthcare Email Security Defenders Want DMARC Installed in 90 Days

Credit: Pixabay

There are harrowing examples aplenty that cyber crooks view healthcare as prime hunting grounds for confidential data to steal. But now we’re learning that no industry or sector, not even government, is at greater risk from email phishing than healthcare.

Nearly 60 percent of email messages claiming to be from healthcare web sites are actually bogus, concluded the National Health Information Sharing and Analysis Center (NH-ISAC), Global Cybersecurity Alliance (GCA), and email security provider Agari in a new study entitled, Agari Industry DMARC Adoption Report for Healthcare. The trio announced the study’s findings at the NH-ISAC Fall Summit held this week in Scottsdale, AZ.

In fact, only two percent of healthcare providers have installed and set to reject or quarantine suspected phishing emails flagged by the Domain-based Message Authentication, Reporting & Compliance (DMARC) email authentication protocol, Agari said in the report. DMARC technology allows both the receiver and sender of an email to confirm that a message is authentic, ensuring that only authorized users can send email on behalf of an organization or domain.

Even though DMARC is lightly implemented in any industry, the study’s rather alarming data has prompted the NH-ISAC to again urge its members to add the protocol in 2018. The GCA has gone even farther, challenging medical organizations to install the platform by March 1, 2018.

Why the DMARC push? First, last October, when the U.S. Department of Homeland Security mandated federal agencies to adopt DMARC within 90 days, the NH-ISAC immediately followed suit by asking its members to voluntarily do the same. And, secondly, healthcare watchdogs believe that their industry desperately needs tighter email security to combat mushrooming fraud. Accepted security protocols, while effective, aren’t enough.

For the report, Agari said it analyzed the DMARC policies of more than 500 domains in the healthcare and pharmaceutical sectors and examined about 800 million emails and more than 1,900 domains from its network. DMARC usage was checked across the healthcare industry in organizations with sales exceeding $1 billion. The results were compared to a similar analysis six months earlier with the same dataset.

Key findings:

  • Healthcare needs DMARC: Nearly 80 percent of healthcare organizations aren’t using DMARC to monitor unauthenticated emails. While 20 percent have deployed DMARC it’s not being set to block phishing emails. By comparison, slightly less than 70 percent of Fortune 500 have not published any DMARC policy on their domains.
  • Phishers love healthcare: In the past six months, 92 percent of healthcare domains have been targeted by fraudulent email.

Full disclosure: Agari is a founding member of DMARC. But that shouldn’t diminish the study’s results, which are supported or duplicated to one degree or another by other researchers. For example, in cyber security provider McAfee’s Q2 Threat Report, healthcare accounted for 26 percent of Q2 2017 security incidents, including phishing.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.