Improving the State of Email Security in Healthcare Using DMARC

About 98% of healthcare providers are still not implementing the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard. This information is based on a survey conducted by the National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA) and Agari, a cybersecurity firm. Agari surveyed over 500 domains used by healthcare organizations and pharmaceutical companies, 800 million emails and more than 1,900 domains from the Email Trust Network.

The Agari Industry DMARC Adoption Report for Healthcare revealed that about 23% of healthcare providers have implemented DMARC. However, 21% of providers use DMARC only to keep track of unauthenticated emails and do not stop phishing emails. Only 2% stop phishing attacks that spoof their domains. The NH-ISAC report showed that 30% of its members are already using DMARC.

Phishers commonly use domain impersonation to fool people into believing that a trusted organization sent them emails. The healthcare industry is a favorite target of fraudulent email. In the last 6 months, 92% of healthcare domains were hit by phishers and scammers with fraudulent emails. Patients should take heed, as 57% of emails coming from healthcare organizations are unauthenticated or fraudulent.

Many industries have adopted DMARC as an email security standard, but the healthcare industry and federal agencies are lagging behind. To fast-track the implementation, the U.S. Department of Homeland Security issued a Binding Operational Directive last month. All federal agencies are required to implement DMARC in 90 days. The healthcare industry is being asked to take the same action, just as NH-ISAC has encouraged its members to adopt DMARC. The GCA started a '90-Days to DMARC' challenge on December 1. There are webinars and resources available to assist healthcare organizations in planning, implementing, analyzing and adjusting DMARC.

Positive feedback on the use of DMARC has come from Aetna, Blue Shield of California and Spectrum Health. Aetna’s consumer experience improved with the elimination of unwanted and fraudulent email, paving the way for more email engagement and healthier member communication.