The healthcare sector needs better defence against phishing


Cyber-attacks can have a direct effect on patient care, and understanding how these attacks gain access to organizations is critical in safeguarding against them

In today’s digital age, the healthcare industry faces huge challenges when it comes to safeguarding sensitive data from cyber threats.

With stories of ransomware attacks increasingly dominating headlines, the importance of robust and comprehensive cyber security has never been more apparent.

The consequences of falling victim to cyber-attacks can be particularly devastating for healthcare organizations, because they are trusted with vast amounts of data that is highly sensitive, valuable to attackers, and costly to lose.

When critical systems are hindered, the knock-on effects can impede communication channels, logistics, and other vital operations essential to patient care. With so much at stake, the implications for patient privacy, trust in the healthcare system, and financial stability are profound.


Understanding how these attacks initially gain access to organizations is critical in effectively safeguarding against them. According to Verizon, 93% of all cyber-attacks begin with a phishing email.

To combat this, security tools have been developed that automatically flag emails impersonating the domains of trusted senders. While many of these tools have helped healthcare workers, and people in general, identify phishing emails, statistics suggest that phishing threats are only growing in number and complexity.

Standards such as SPF, DKIM, and DMARC take a different approach: they let a domain owner tell receiving mail servers which senders are authorized to use the domain and what to do with mail that fails that check, so spoofed messages can be stopped before they reach an inbox rather than relying on human judgment. This is an effective way to prevent spoofing of an organization's own domains. It does not stop lookalike domains or mail sent from a compromised legitimate account, which still require user vigilance and other controls.

Despite the widespread availability of this technology, however, the majority of operators, hospitals, and clinics are still not using it to protect themselves from phishing emails.

Understanding DMARC uptake

To better understand the scope and scale of this problem across the healthcare industry, research by email security provider EasyDMARC reviewed the published DMARC policies of 2,000 clinics and hospitals in each of Europe and the United States, 4,000 domains in total.

The survey examined the use of the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard among healthcare practitioners in both regions.


When comparing the data, some interesting similarities and differences emerge:

Overall DMARC adoption rate

The adoption rate of DMARC in the United States stands at 42% of the reviewed domains, while in Europe it is a full 10 percentage points lower, at 32%. With DMARC usage below half in both regions, the data reveals that a troubling share of healthcare domains can be spoofed freely by cybercriminals in phishing attempts.

However, a DMARC record can carry one of three policies (none, quarantine, or reject), each offering a different level of protection, so the adoption rate alone tells only part of the story.

Configuration to do nothing (p=none):

One of the most revealing insights brought to light by the research is that 19% of reviewed domains in the United States and 18% in Europe have taken the important step of publishing DMARC but with a ‘none’ policy, which tells receiving servers to take no action on impersonating emails. (These shares, like the quarantine and reject figures below, are of all reviewed domains; together they add up to the 42% and 32% adoption rates.) A ‘none’ policy is the intended starting point of a DMARC rollout, since the aggregate reports it enables show who is sending as the domain, but left in place it blocks nothing and so provides no protection.

Another configurable DMARC policy, ‘quarantine’, tells receiving servers to treat suspicious emails as spam, typically by placing them in the junk folder rather than the inbox; 7% of domains in Europe and 5% in the United States use this option.

Employing these weaker policies could be an active choice, for instance during a monitored rollout; it is far more likely, however, to reflect unfamiliarity with the available policies and what each one actually does.

‘Reject’ Policy Implementation

The ‘reject’ DMARC policy represents the gold standard because it instructs receiving servers to refuse emails that claim to come from the domain but fail SPF or DKIM alignment, so the spoofed message never reaches a user. When it comes to adoption of the policy, however, the numbers are concerning.

In the United States, only 18% of the reviewed domains enforce a ‘reject’ policy, under half of the 42% that have DMARC at all. The situation is even worse in Europe, where the figure is just 7.2% of domains, under a quarter of the 32% with DMARC. Taken together, 1,480 of the 4,000 organizations surveyed have adopted DMARC, but only 504 of them, 12.6% of the total and roughly a third of DMARC adopters, use the most effective policy.

It is worrying that even among those organizations using DMARC, the majority remain spoofable because their policy has never been moved to enforcement.

A potentially troubling consequence of this is that organizations may feel wholly protected from phishing emails simply because they have DMARC in place, even if they have not configured it to enforce anything. Furthermore, if a successful spoofing attack is made against an organization that nominally has DMARC, it may well harm the standard’s reputation for protecting businesses.
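The three policies discussed above, and the tags that quietly weaken them, can be checked mechanically from the TXT record a domain publishes at _dmarc.<domain> (fetch it with `dig +short TXT _dmarc.example.com`). The script below is an added example written for this article, not EasyDMARC's tooling; the clinic-*.example domains and their records are constructed, and it classifies records by the p= tag the same way the adoption figures above do, then flags pct=, sp= and missing rua= settings that leave a ‘reject’ or ‘quarantine’ record less protective than its label suggests.

```python
"""Classify DMARC records by policy and flag settings that weaken them.

Added example for this article (not EasyDMARC's code). Records are parsed
per the RFC 7489 tag=value syntax; the sample records below are constructed.
"""
from collections import Counter

# Constructed sample records: one per policy the article discusses, two that
# look enforced but are not, and one domain that publishes SPF but no DMARC.
SAMPLE_RECORDS = {
    "clinic-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@clinic-a.example",
    "clinic-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@clinic-b.example",
    "clinic-c.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@clinic-c.example",
    "clinic-d.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@clinic-d.example",
    "clinic-e.example": "v=spf1 include:_spf.example.net -all",  # SPF record, not DMARC
}

# Enforcement strength of each policy value, weakest first.
RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict.

    Raises ValueError for anything that is not a usable DMARC record, which is
    how a missing, mistyped or non-DMARC record shows up in practice.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if tags.get("p", "").lower() not in RANK:
        raise ValueError("p= tag missing or invalid")
    return tags


def assess(record):
    """Return (policy, findings).

    policy is the p= value, as the survey counts it; findings lists settings
    that make real enforcement weaker than that label suggests.
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    pct = int(tags.get("pct", "100"))                  # pct= defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none: receivers deliver spoofed mail unchanged; monitoring only")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if RANK.get(subdomain_policy, 0) < RANK[policy]:
        findings.append(f"sp={subdomain_policy}: subdomains get a weaker policy than the apex")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")
    return policy, findings


def fully_enforced(record):
    """True only for p=reject applied to 100% of mail, subdomains included."""
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return False
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()
    return (policy == "reject"
            and int(tags.get("pct", "100")) == 100
            and RANK.get(subdomain_policy, 0) == RANK["reject"])


def tally(records):
    """Count domains by p= policy, the way the adoption figures are reported."""
    counts = Counter()
    for record in records.values():
        try:
            policy, _ = assess(record)
        except ValueError:
            policy = "no-dmarc"
        counts[policy] += 1
    return dict(counts)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        try:
            policy, findings = assess(record)
        except ValueError as err:
            print(f"{domain}: no usable DMARC ({err})")
            continue
        status = "enforced" if fully_enforced(record) else "weak"
        print(f"{domain}: p={policy} [{status}]")
        for finding in findings:
            print(f"    - {finding}")
    print(tally(SAMPLE_RECORDS))
```

Running it shows why counting p= values alone overstates protection: clinic-c publishes p=reject yet leaves every subdomain unprotected via sp=none, and clinic-b's pct=25 lets three quarters of failing mail through, so only clinic-d is fully enforced. To move a record like clinic-a's to enforcement, review the rua= reports until every legitimate sender passes alignment, then change p=none to p=quarantine and finally p=reject.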

The future of phishing-proof healthcare

Overall, the data suggest not only that there is huge room for improvement in the adoption of email security standards like DMARC, SPF and DKIM, but also that organizations need a better understanding of how their policies are implemented. It is clear that the most secure configurations of these standards often remain unused across the healthcare sector.

With current adoption rates, many phishing emails are still reaching inboxes, and with the development of technologies such as generative AI, the capacity for cybercriminals to create genuinely believable email copy is improving quickly, meaning there is an ever-increasing chance of malicious emails being mistaken for genuine ones.

It is crucial for organizations in both the United States and Europe to recognize the significance of email security tools as a valuable defence against phishing and spoofing attacks. Efforts should be made to raise awareness, provide education, and incentivize the implementation of effective tools and policies enhancing cybersecurity on both sides of the Atlantic.

Cybersecurity is no longer just an IT problem. Healthcare organizations must assume the responsibility of protecting sensitive data rather than relying on the discernment of their employees. Only with informed top-down security measures can organizations better protect their sensitive data, maintain patient privacy, and strengthen trust in the healthcare system.

This piece was written and provided by Gerasim Hovhannisyan, CEO & Co-Founder EasyDMARC.
