99% of the Largest Public and For-Profit Hospitals in U.S. Fail to Protect Their Email Domains
NEW YORK, June 15, 2017 – Healthcare providers care for our sick and injured, conduct life-saving procedures, and produce cutting edge research that helps cure illness and disease. In short, they are custodians of our physical well-being.
But, they are also guardians of our digital health. Healthcare providers hold terabytes of personal data, from social security numbers to healthcare histories, that could greatly impact lives should that information fall into the wrong hands.
New research sheds light on the need for healthcare providers to place a greater emphasis on infections of the cyber variety.
In a survey released today, the Global Cyber Alliance (GCA) found that only 6 of the 50 largest public hospitals in the U.S. are protecting their email domains from being hijacked by cyber criminals focused on tricking patients into giving up personal information. For-profit hospitals fared better (but not good enough) as at least 22 of the top 48 for-profit hospitals have deployed the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol – a mechanism for defending against phishing attacks – in a limited capacity.
Only one of the hospitals using DMARC has it deployed at a level that prevents spam from being delivered to inboxes. The remaining 27 hospitals using DMARC are still at the lowest level of deployment, which monitors emails from their domain but does not prevent spam from being delivered to inboxes. Reasons for this can vary, including that these hospitals are early in the process of DMARC implementation. In the end, not one of the one hundred hospitals scanned is experiencing the full benefits of DMARC implementation.
DMARC is specifically designed to help organizations stop spammers and phishers from using an email domain to conduct malicious attacks by tricking unsuspecting customers, partners and employees. DMARC provides insight into any attempts to spam, phish, or spear-phish an organization’s brand or name.
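As an added illustration of the deployment levels described above (not GCA's code or part of the survey), the following Python classifier sorts a domain's DMARC record into the three states the release distinguishes: no record, monitoring only (p=none), and enforcing (p=quarantine or p=reject). The domain names and records are constructed samples, not real hospital domains.

```python
"""Classify DMARC deployment level from a domain's _dmarc TXT record (added example)."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Returns None when the text is not a DMARC record (no v=DMARC1 tag).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(txt):
    """Return 'none' (no DMARC), 'monitor' (p=none), or 'enforce' (quarantine/reject)."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None or "p" not in tags:
        return "none"  # missing or malformed record: receivers apply no policy
    policy = tags["p"].lower()
    if policy in ("quarantine", "reject"):
        # pct limits how much failing mail the policy applies to; pct=0 means
        # the record only generates reports, so it is monitoring in effect.
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100
        return "monitor" if pct == 0 else "enforce"
    return "monitor" if policy == "none" else "none"


# Constructed sample records (hypothetical domains), one per deployment state.
SAMPLE_RECORDS = {
    "hospital-a.example": None,
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=quarantine; pct=0",
}


def summarize(records):
    """Count domains per deployment level, mirroring the survey's tallies."""
    counts = {"none": 0, "monitor": 0, "enforce": 0}
    for txt in records.values():
        counts[classify(txt)] += 1
    return counts
```

In practice the record text would come from a DNS TXT lookup of `_dmarc.<domain>`; only a domain in the `enforce` bucket causes receivers to quarantine or reject spoofed mail.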
Verizon’s 2017 Data Breach Investigative Report (DBIR), released at the end of April, found that 15% of data breaches in the last year involved healthcare organizations. The favorite tool of bad actors to gain access? Email.
Specifically, attackers are using phishing emails with malicious attachments to target valuable medical records stored on hospital networks. These records include personally identifiable information such as home address and social security number. In all, 66% of malware installed on healthcare networks was delivered via email attachment, according to Verizon.
A recent survey from Agari also demonstrates the vulnerability of the healthcare industry. Of those healthcare companies valued over $1 billion, only 15% have DMARC implemented. Out of those companies, only 7 organizations are quarantining or blocking fraudulent email.
“DMARC helps the healthcare industry prevent the worst type of malicious email from using the most common tactic,” said Jim Routh, Chief Security Officer for Aetna. “DMARC improves the consumer digital experience by eliminating malicious emails from spoofed domains, increasing the level of trust that consumers have in email. The improvement in trust results in better health outcomes for consumers while also offering better protection of their health information.”
“As cyber threats mount against healthcare providers, deploying DMARC is an essential solution to protecting their patients’ data privacy,” said Philip Reitinger, president and CEO of GCA. “The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients’ digital health. I strongly encourage healthcare organizations to use this protocol to its fullest capacity.”
GCA now offers a DMARC Setup Guide that will take network security professionals step-by-step through the entire DMARC installation process at https://dmarc.globalcyberalliance.org. The guide is available in multiple languages including English, Spanish, German, French, Japanese and Mandarin.
About The Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.
GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.