NH-ISAC to hospitals: Implement DMARC in 2018 or risk domain hijacking

As email spoofing erodes trust in healthcare organizations, industry groups are urging DMARC adoption while the Department of Homeland Security has mandated it for federal agencies.
By Bill Siwicki
01:06 PM

The healthcare industry is at the highest risk of phony email, with 57 percent of messages being fraudulent or unauthenticated, often caused by domain hijacking, according to a new study from the National Health Information Sharing and Analysis Center, the Global Cybersecurity Alliance and cybersecurity firm Agari.

To reduce this fraud, the National Health Information Sharing and Analysis Center is urging its members to implement DMARC in 2018, and the Global Cybersecurity Alliance has issued its “90 Days to DMARC” challenge. The study by the three organizations reveals that 98 percent of top healthcare provider organizations have not implemented enforcement policies for DMARC.


DMARC stands for Domain-based Message Authentication, Reporting and Conformance, an email authentication standard that can virtually eliminate phishing emails that impersonate domains. 

Just last month, the U.S. Department of Homeland Security issued Binding Operational Directive 18-01, which mandated federal agencies adopt DMARC within 90 days.

“The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email, which reduced the risk of phishing, resulting in more email engagement,” said Jim Routh, CSO at Aetna.


Hijacking an organization’s email domain lets attackers send mail that appears to come from that domain. Combined with spoofed names and brands, this helps convince recipients to click a link or open a document carrying malicious software, which may contain ransomware or other forms of attack that cause disruptions or worse.

Security vendors Network Solutions, Postmark, Symantec and others sell software to protect email domains from being hijacked, and the Global Cybersecurity Alliance offers DMARC implementation resources. Spam filters block incoming attacks; DMARC, by contrast, helps organizations stop spammers and phishers from using the organization’s own email domain to trick unsuspecting recipients.

The GCA’s research found that just six of the biggest 50 public hospitals and 22 of the top 48 for-profit hospitals currently use the DMARC protocol, and among those that have implemented it, all but one have done so in a limited capacity.

DMARC is just one option and the Global Cybersecurity Alliance’s research only looked at DMARC adoption, so its measurements do not necessarily mean that hospitals are not using other tools to protect email domains.
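The distinction the study draws is between publishing a DMARC record and actually enforcing one. As an added example (not from the article or the study it cites), the following Python code reads a domain’s DMARC TXT record and reports whether it is monitoring-only, partially enforced, or fully enforced; the sample records are constructed and do not describe any real domain.

```python
from dataclasses import dataclass

@dataclass
class DmarcAssessment:
    policy: str                  # p= tag: none, quarantine or reject
    subdomain_policy: str        # sp= tag, which defaults to the p= value
    pct: int                     # share of failing messages the policy applies to
    has_aggregate_reports: bool  # rua= present, so the domain owner receives feedback
    enforcing: bool              # reject/quarantine for domain AND subdomains at 100%

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify a record as monitoring-only, partially enforced or fully enforced."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: a record lacking a valid p= but carrying rua= is treated as p=none
        if "rua" in tags:
            policy = "none"
        else:
            raise ValueError(f"invalid or missing p= tag: {policy!r}")
    subdomain_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    enforcing = policy != "none" and subdomain_policy != "none" and pct == 100
    return DmarcAssessment(policy, subdomain_policy, pct, "rua" in tags, enforcing)

# Constructed sample records; none of these is real DNS data.
SAMPLE_RECORDS = {
    "monitor-only":  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
    "partial-pct":   "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.org",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "enforced":      "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(f"{label:14} -> {assess_dmarc(record)}")
```

Only the last sample counts as enforcement; the other three are the “limited capacity” deployments the research describes.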

“Organizations that have deployed DMARC have seen a significant lift in email click-through rate, as they minimize the phishing and spam emails that erode trust in their brand,” said Patrick Peterson, founder and executive chairman of Agari. “By heeding the guidance of National Health Information Sharing and Analysis Center leaders, healthcare companies will improve security for themselves, their healthcare providers and their patients.”

Successful DMARC implementations by Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications, Peterson added.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com