In a new data-driven research report released today, Valimail found that the overwhelming majority of large health organizations are susceptible to “spoofing” of their own email domains.
Fortunately, this security gap is easy to fix.
(The full Valimail Health Care Industry Report is available now as a free download.)
Also known as impersonation attacks, spoofed emails are a leading vector for cyberattacks. Multiple sources, including Verizon, have found that phishing is implicated in 91 percent of cyberattacks, and as many as two-thirds of phishing attacks use impersonation.
For this report, Valimail analyzed the primary domains for 928 health care companies around the world with revenues of at least $300 million annually. Our definition of health care included hospitals, medical equipment & supply makers, pharmaceutical manufacturers, pharmacies, and physicians/health practitioners.
We found that 121 of these companies (13 percent) have begun to protect themselves by using Domain-based Message Authentication, Reporting and Conformance (DMARC), a standard that detects and prevents email spoofing.
Similar to other industries that we’ve studied in recent reports (such as our Email Fraud Landscape for Q1 2018), fewer than 15 percent of health care companies that deploy DMARC succeed in getting to enforcement. As a result, the overall rate of enforcement in global health care is 1.7 percent.
Authentication needed to protect PHI
Health care companies are particularly at risk because they are responsible for maintaining the integrity of protected health information (PHI).
Unfortunately, phishing is such a ubiquitous and reliable method for gaining access to enterprises that many IT people (in all industries, not just health care) might not be aware of the technical controls that are available to protect their organizations, starting with email authentication.
Authenticating an email domain means that only authorized senders are able to deliver email using that domain in the From: header, and when correctly configured it’s a reliable way to completely eliminate the most common — and hardest to detect — form of phishing. Without DMARC enforcement, companies’ email domains can be easily impersonated by hackers to launch phishing attacks against employees, executives, customers, and partners.
However, fewer than two percent of the world’s largest health care companies are protected from impersonation by DMARC at enforcement. This is a major security issue, putting protected health information (PHI) and other mission-critical data at risk.
Common barriers to authentication
One of the most likely reasons that health care companies are struggling with DMARC is that their IT infrastructures are already complicated, and DMARC appears on their radar screens as yet another complex IT implementation project.
Indeed, the more complicated an IT environment is, the more challenging it can be to get DMARC to enforcement. One of the issues with getting to DMARC enforcement is that IT and security staff must identify and explicitly authorize all the services that are sending email using the company’s domain. Miss one, and you risk blocking legitimate email when you move to an enforcement policy.
Companies using manual approaches to DMARC implementation find it difficult to identify all such services reliably, and therefore they tend to be very cautious in moving to enforcement.
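The two checks described above, whether a published policy is actually at enforcement and which sending sources would be affected by moving to it, can be made concrete with a small script. The following is an added example for illustration; it is not Valimail's code or anything from the report. The DMARC TXT records and the aggregate (rua) report XML are constructed samples using documentation IP ranges, and the record/report shapes follow RFC 7489.

```python
"""Added example (not Valimail's code): classify a DMARC policy as enforcing
or not, and summarize a DMARC aggregate (rua) report to find sending sources
whose mail would be blocked under enforcement. All sample data is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC TXT records as published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def enforcement_level(record):
    """Return 'none', 'partial', or 'enforced'.
    A policy counts as enforced only when p is quarantine or reject and
    pct (default 100) applies it to all mail; p=none is monitoring only."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("quarantine", "reject"):
        return "none"
    return "enforced" if pct >= 100 else "partial"

# Constructed aggregate report, trimmed to the fields used below.
SAMPLE_AGGREGATE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>540</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""

def summarize_aggregate(xml_text):
    """Group message counts by source IP into 'aligned' (DKIM or SPF passed
    in alignment, so enforcement would still deliver them) and 'unaligned'
    (both failed, so p=reject would block them). Unaligned sources are either
    spoofers or legitimate services that have not yet been authorized."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"aligned": 0, "unaligned": 0})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        bucket = "aligned" if (dkim_ok or spf_ok) else "unaligned"
        summary[ip][bucket] += count
    return dict(summary)

def unaligned_sources(xml_text):
    """Source IPs whose mail would be blocked under p=reject, largest volume first."""
    summary = summarize_aggregate(xml_text)
    return sorted(
        (ip for ip, c in summary.items() if c["unaligned"] > 0),
        key=lambda ip: -summary[ip]["unaligned"],
    )

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {enforcement_level(rec)}")
    for ip, counts in summarize_aggregate(SAMPLE_AGGREGATE_REPORT).items():
        print(ip, counts)
    print("review before enforcement:", unaligned_sources(SAMPLE_AGGREGATE_REPORT))
```

In practice the aggregate reports arrive daily from each receiving domain while the policy sits at p=none; the unaligned list is the set of sources that must be either authorized (added to SPF or signed with DKIM) or confirmed as spoofing before the policy is raised to quarantine or reject.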
Regulations and budgetary constraints also mean that IT and security staff in health care must perform delicate balancing acts to decide where to allocate resources. In fact, Valimail’s study found that companies with larger revenues are much more likely to have published DMARC records. This suggests that implementing DMARC is viewed as a resource-intensive issue and is usually undertaken only by companies with larger budgets.
These issues are not unique to the health industry. Valimail has found similar issues in every industry we have studied, including the global media industry and the U.S. government. There’s no way around it: Getting email authentication to enforcement is challenging for companies using a manual approach.
Automation is the key to successful authentication
There is a better way, however: Automated email authentication. With next-generation, fully automated email authentication solutions, such as the Valimail IDEA Platform, health care companies can more reliably identify every service sending as them. They can quickly and easily authorize only those senders they want to authorize, while blocking all others — and the platform automatically generates the necessary DMARC, SPF, and DKIM records, in real time, in response to mail gateway requests.
With Valimail’s platform, authentication is truly automated, from end to end. More than that, the onus of getting to authentication is on Valimail, not on your staff — and that’s why Valimail is able to get its customers to enforcement in an average of 100 days.
To learn more about the health care industry’s unique challenges and to see the full report, visit https://go.valimail.com/healthcare-industry-report.html.