Healthcare Organizations Slow to Adopt DMARC

By implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) Standard, healthcare organizations can identify and restrict email spoofing and abuse of their domains; however, relatively few healthcare groups are using DMARC for spam filtering, according to the results of a recent study carried out by the email authentication vendor Valimail.

DMARC is an open standard that means a domain can only be used by authorized senders. If DMARC is not adopted, it is simple for a hacker to send an email that contains a company’s domain in the From field of the email.

Security awareness programs train staff to avoid clicking on hyperlinks or open attachments contained in emails from unknown senders. However, when the email seems to have been sent from a contact or known person, the messages are often opened, links are clicked and attachments are downloaded.

Research completed by Cofense suggests more than 91% of all cyberattacks start with a phishing email and the majority of successful phishing attacks use email impersonation methods. If controls are not put in place to block email impersonation, companies will be susceptible to phishing attacks.

DMARC is one of the most successful anti-phishing controls. When a DMARC record is set up for a domain, the receiving server checks to determine whether the sender of the message is cleared to use the domain. If the message is authenticated, it will be sent. If the authentication fails, the receiving server will take the action listed in the DMARC record. If permissive controls are in place, the message will still be sent although policies can be set to broadast the message to the quarantine (spam) folder or at the most aggressive level, the message will be rejected.

For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing.

Even when DMARC is in place, most healthcare companies set permissive monitor-only policies. While those groups will be alerted to email impersonation attacks, the messages will not be blocked. Few healthcare groups have adopted DMARC at the enforcement level, which is necessary to safeguard against email impersonation attacks. Overall, only 1.7% of healthcare groups have policies in place that reject emails sent by unauthorized senders.

While few healthcare firms have implemented DMARC, the study showed a majority – 60% – have adopted the Sender Policy Framework (SPF) standard. While SPF is an effective control measure, it only validates the return-path field. It does not stop hackers from carrying out email impersonation attacks and using an organization’s domain in the from field.

DMARC adoption is on the rise, although implementation is clearly an obstacle for many healthcare groups. Valimail notes in its report that it is typically only the largest healthcare groups that successfully put in place DMARC, suggesting DMARC implementation is a resource issue for smaller firms.