DMARC in Healthcare: Lots of Work to Be DoneStudy: Little Adoption of Standard So Far to Fight Phishing Threat
Adoption of the Domain-based Message Authentication, Reporting & Conformance - or DMARC - standard is very low in the healthcare sector, and broader use could greatly reduce phishing risks, according to a new study.
Several healthcare security experts say the study shows just how much work needs to be done. And they say boosting the use of DMARC could, for example, reduce the risk of ransomware attacks, a growing threat in the healthcare sector.
The study, jointly issued by National Health Information Sharing and Analysis Center, the Global Cybersecurity Alliance and Agari, a cybersecurity technology vendor, found that only 23 percent of healthcare sector organizations surveyed are using DMARC in any way.
The analysis found that just 2 percent of entities are using DMARC for protecting their external users, such as patients, from phishing and spoofing by using quarantine or reject policies on their domains. Another 21 percent have deployed DMARC to monitor unauthenticated emails, but are not blocking phishing emails.
The DMARC email authentication standard helps to eliminate phishing emails that impersonate domains, NH-ISAC says in a statement issued in collaboration with its study partners.
Agari analyzed in November the DMARC "authentication posture" of 549 large organizations in the healthcare and pharmaceuticals sectors, comparing those findings to a similar analysis performed six months ago.
In October, NH-ISAC began urging its members to adopt the DMARC standard after the Department of Homeland Security issued a directive mandating federal agencies adopt DMARC within 90 days (see DHS Imposes Email Security Measures on Federal Agencies).
DMARC is designed to fit into an organization's existing inbound email authentication process by helping email receivers determine if the purported message aligns with what the receiver knows about the sender, according to Dmarc.org. If not, DMARC includes guidance on how to handle the non-aligned messages.
More widespread adoption of DMARC could, indeed, help prevent some phishing and other email schemes, some security experts say.
"By design, DMARC validates an email sender and based on how DMARC records are configured in DNS, email messages not aligning with DMARC could be quarantined for further inspection or outright rejected," says Keith Fricke, principal consultant at tw-Security. "Therefore, phishing attacks would likely become less successful. A reduction in phishing attacks would correlate to a decrease in ransomware, malware-infected attachments and links to malicious web sites."
Mac McMillan, CEO of security consulting firm CynergisTek, says adoption of DMARC "is a basic common sense measure that should be fully supported in healthcare or any industry." Many fraudulent emails impersonate domains, so eliminating or reducing this threat lowers the risk healthcare organizations face, he notes.
"If everyone used one or more types of DNS records like SPF, DKIM or DMARC to verify the authenticity of sending mail servers, it would cut down significantly on the number of fraudulent emails received and the amount of spam traffic," he says. "This could significantly reduce all forms of malware attacks associated with email, email attachments, etc. It would cut down on spam traffic and could potentially cut down on bandwidth costs."
Fricke offers a similar assessment. "All sectors would benefit from more widely embracing DMARC. ... A bigger adoption of DMARC would help reduce fraudulent email within an industry and between industries."
Jim Routh, CISO of Aetna and NH-ISAC board member, claims the insurer was the first healthcare entity to adopt DMARC in 2014.
"The primary benefit is that consumers/members know that email that comes from Aetna is legitimate and so they trust the email is from Aetna," he says. "This has improved the "click-through rate" of member response by 10 percent annually, which improves the healthy behaviors of our members."
DMARC is an ad-hoc standard for email authentication and there is no capital expense necessary, he says. "It simply requires governance over how domains are registered and configured, and third party governance applied to vendors that send email out on behalf of the enterprise," Routh says. "The latter is the most challenging, and the larger the enterprise, the more third parties that send email out on behalf of the enterprise. All of the third parties sending email must authenticate their email services, which requires following a standard configuration. "
Many email vendors offer services to help enterprises adopt DMARC, Routh notes.
Why Is Adoption So Low?
Adoption of DMARC in healthcare is lagging for several reasons, McMillan says.
"For the most part, it's because we look at the problem from the wrong angle - meaning we treat everything as a point issue rather than addressing root causes," he says.
"So if I have a spam problem I need a spam filter. If I have a phishing problem I need to train users. If I have a malware problem I need anti-virus. It's not that these are necessarily obviated by implementing DMARC, but their reliance is decreased and they are complimented, so better security is achieved overall."