Healthcare Organizations Slow to Adopt DMARC

by | May 26, 2018

By implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) Standard, healthcare organizations can identify and restrict email spoofing and abuse of their domains; however, relatively few healthcare groups are using DMARC for spam filtering, according to the results of a recent study carried out by the email authentication vendor Valimail.

DMARC is an open standard that means a domain can only be used by authorized senders. If DMARC is not adopted, it is simple for a hacker to send an email that contains a company’s domain in the From field of the email.

Security awareness programs train staff to avoid clicking on hyperlinks or open attachments contained in emails from unknown senders. However, when the email seems to have been sent from a contact or known person, the messages are often opened, links are clicked and attachments are downloaded.

Research completed by Cofense suggests more than 91% of all cyberattacks start with a phishing email and the majority of successful phishing attacks use email impersonation methods. If controls are not put in place to block email impersonation, companies will be susceptible to phishing attacks.

DMARC is one of the most successful anti-phishing controls. When a DMARC record is set up for a domain, the receiving server checks to determine whether the sender of the message is cleared to use the domain. If the message is authenticated, it will be sent. If the authentication fails, the receiving server will take the action listed in the DMARC record. If permissive controls are in place, the message will still be sent although policies can be set to broadast the message to the quarantine (spam) folder or at the most aggressive level, the message will be rejected.

For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing.

Even when DMARC is in place, most healthcare companies set permissive monitor-only policies. While those groups will be alerted to email impersonation attacks, the messages will not be blocked. Few healthcare groups have adopted DMARC at the enforcement level, which is necessary to safeguard against email impersonation attacks. Overall, only 1.7% of healthcare groups have policies in place that reject emails sent by unauthorized senders.

While few healthcare firms have implemented DMARC, the study showed a majority – 60% – have adopted the Sender Policy Framework (SPF) standard. While SPF is an effective control measure, it only validates the return-path field. It does not stop hackers from carrying out email impersonation attacks and using an organization’s domain in the from field.

DMARC adoption is on the rise, although implementation is clearly an obstacle for many healthcare groups. Valimail notes in its report that it is typically only the largest healthcare groups that successfully put in place DMARC, suggesting DMARC implementation is a resource issue for smaller firms.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy