GCA Press Release

99% of the Largest Public and For-Profit Hospitals in U.S. Fail to Protect Their Email Domains

NEW YORK, June 15, 2017 – Healthcare providers care for our sick and injured, conduct life-saving procedures, and produce cutting edge research that helps cure illness and disease. In short, they are custodians of our physical well-being.

But, they are also guardians of our digital health. Healthcare providers hold terabytes of personal data, from social security numbers to healthcare histories, that could greatly impact lives should that information fall into the wrong hands.

New research sheds light on the need for healthcare providers to place a greater emphasis on infections of the cyber variety.

In a survey released today, the Global Cyber Alliance (GCA) found that only 6 of the 50 largest public hospitals in the U.S. are protecting their email domains from being hijacked by cyber criminals intent on tricking patients into giving up personal information. For-profit hospitals fared better, though still not well enough: at least 22 of the top 48 for-profit hospitals have deployed the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol – a mechanism for defending against phishing attacks – in a limited capacity.

Only one of the hospitals using DMARC has deployed it at an enforcing level (a quarantine or reject policy) that keeps spoofed mail from its domain out of inboxes. The remaining 27 hospitals using DMARC are still at the lowest level of deployment, a monitor-only policy (p=none), which reports on mail sent in the domain's name but does not stop spoofed mail from being delivered. Reasons for this can vary, including that these hospitals are early in the process of DMARC implementation. In the end, not one of the one hundred hospitals scanned is experiencing the full benefits of DMARC implementation.

DMARC is specifically designed to help organizations stop spammers and phishers from using their email domain to conduct malicious attacks that trick unsuspecting customers, partners and employees. Through its reporting feature, DMARC also gives a domain owner insight into attempts to spam, phish, or spear-phish in the organization's brand or name.
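The survey above distinguishes a monitor-only DMARC deployment from an enforcing one. As an added illustration (this is not GCA's scanning tool or code from the original release), the following Python classifies a domain's DMARC TXT record into those tiers. The records in SAMPLE_RECORDS are constructed for the example and the domain names are hypothetical; a real survey would first fetch the TXT record at _dmarc.<domain> over DNS, which is left out so the block runs offline.

```python
"""Classify DMARC records by enforcement tier (added example, not GCA code).

Tier rules follow RFC 7489: v=DMARC1 must be the first tag and p= is
required, otherwise receivers ignore the record entirely; p=none only
reports; quarantine/reject enforce, but pct= below 100 limits enforcement.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]            # p= value
    subdomain_policy: Optional[str]  # sp= value, defaults to p
    pct: int                         # pct= value, default 100
    reporting: bool                  # rua= present (aggregate reports)
    level: str                       # "no DMARC", "monitor only", "partial enforcement", "enforcing (...)"
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into an ordered dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def _invalid(reason: str) -> DmarcAssessment:
    return DmarcAssessment(False, None, None, 100, False, "no DMARC", [reason])


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Map a raw _dmarc TXT record (or None when absent) to an enforcement tier."""
    if record is None:
        return _invalid("no _dmarc TXT record published")
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return _invalid(str(exc))
    # v=DMARC1 must be the first tag; a record that breaks this is discarded by receivers.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return _invalid("record does not start with v=DMARC1; receivers ignore it")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return _invalid(f"missing or invalid p= tag ({policy!r}); receivers ignore the record")

    sub = tags.get("sp", policy).lower()
    notes: List[str] = []
    if sub not in POLICIES:
        notes.append(f"invalid sp={sub!r}; treated as p={policy}")
        sub = policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("unparseable pct=; assuming 100")
    reporting = "rua" in tags

    if policy == "none":
        level = "monitor only"
        notes.append("p=none: spoofed mail is reported but still delivered")
    elif pct < 100:
        level = "partial enforcement"
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    else:
        level = f"enforcing ({policy})"
    if POLICIES.index(sub) < POLICIES.index(policy):
        notes.append(f"sp={sub} is weaker than p={policy}; subdomains can still be spoofed")
    if not reporting:
        notes.append("no rua= address: the domain owner receives no aggregate reports")
    return DmarcAssessment(True, policy, sub, pct, reporting, level, notes)


# Constructed sample records; the domains are hypothetical, not real hospitals.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@strict.example",
    "broken.example": "p=reject; v=DMARC1",  # v= not first: receivers ignore this record
    "absent.example": None,
}


def survey(records: Dict[str, Optional[str]]) -> Dict[str, DmarcAssessment]:
    """Assess every domain in the input, mirroring a survey like the one above."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in survey(SAMPLE_RECORDS).items():
        print(f"{domain:18} {result.level:22} {'; '.join(result.notes)}")
```

The sp= and pct= checks matter in practice: a domain can publish p=reject and still be fully spoofable on subdomains, or apply its policy to a quarter of failing mail, and a survey that looks only at the p= tag would count it as enforcing.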

Verizon’s 2017 Data Breach Investigations Report (DBIR), released at the end of April, found that 15% of data breaches in the last year involved healthcare organizations. The favorite tool of bad actors to gain access? Email.

Specifically, attackers are using phishing emails with malicious attachments to target valuable medical records stored on hospital networks. These records include personally identifiable information such as home address and social security number. In all, 66% of malware installed on healthcare networks was delivered via email attachment, according to Verizon.

A recent survey from Agari also demonstrates the vulnerability of the healthcare industry. Of the healthcare companies valued at over $1 billion, only 15% have DMARC implemented. Out of those companies, only 7 organizations are quarantining or blocking fraudulent email.

“DMARC helps the healthcare industry prevent the worst type of malicious email from using the most common tactic,” said Jim Routh, Chief Security Officer for Aetna. “DMARC improves the consumer digital experience by eliminating malicious emails from spoofed domains, increasing the level of trust that consumers have in email. The improvement in trust results in better health outcomes for consumers while also offering better protection of their health information.”

“As cyber threats mount against healthcare providers, deploying DMARC is an essential solution to protecting their patients’ data privacy,” said Philip Reitinger, president and CEO of GCA. “The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients’ digital health. I strongly encourage healthcare organizations to use this protocol to its fullest capacity.”

GCA now offers a DMARC Setup Guide that will take network security professionals step-by-step through the entire DMARC installation process at The guide is available in multiple languages including English, Spanish, German, French, Japanese and Mandarin.

About The Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.

GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at

By Mary Kavaney

Last week, alarming statistics were published on the lack of DMARC implementation in the financial sector. While the top 5 banks in the United States have implemented DMARC to protect their organizations and customers, the rest of the research results were not so good. Out of the top 50 banks in the U.S., only 11 use DMARC; out of the top 50 European banks, only 9 utilize the benefits of DMARC; and of the top 50 independent banks in the U.S., none use DMARC!

I have listened to the reasons why organizations have not implemented DMARC: it will prevent valid email from getting through; it’s too complicated and will take too long; they don’t have enough resources. I know all the challenges, but they can be overcome! In the meantime, all sectors are getting hammered, especially finance. In fact, the FS-ISAC feels so strongly about the importance of implementing DMARC that it issued a letter to its membership encouraging adoption. It will be interesting to see who is really paying attention and willing to follow the lead of their fellow financial services colleagues.

Despite millions of dollars being spent on security and hundreds of thousands of hours by dedicated IT people, the bad guys are still winning, and the battle is being lost. At the FS-ISAC conference last week in Singapore, Ken Chau, Deputy Director for the Monetary Authority of Singapore, said 90 percent of the banks in the APAC region experienced a cyber attack in 2016.

Christian Karam, Director of Cyber Threat Intelligence at UBS in Singapore, said at the conference that when he joined UBS, the security apparatus was so complicated that he decided to take a novel approach: shut down all the feeds and start over.

Wow. Start over.

Depending on the size and complexity of the organization, DMARC can be a time-consuming investment, but perhaps, instead of adding it to the back of the security queue, we must seriously consider starting over.

Isn’t it time to do things differently? GCA is a huge proponent of DMARC and took on the task of increasing global implementation as its first project. We have partners and resources, and a free tool that can get you started or take you through the whole process. You can learn more at:

It’s time to rethink, start over, and do things differently.


The author, Mary Kavaney, is the Chief Administrative Officer at the Global Cyber Alliance.