Healthcare is the most exploited industry via fraudulent email

It shouldn’t come as a surprise that the healthcare sector has a target on its back given the trove of sensitive data healthcare organizations handle daily. However, the healthcare industry often falls short when it comes to protecting itself from brand impersonation, BEC and other phishing methods. Investing in your healthcare organization’s cybersecurity can truly be a matter of life or death — a 2020 hospital ransomware incident saw the first reported death as a direct result of a cyberattack. While most attacks don’t have such an extreme outcome, they can still result in severe financial and reputational loss. Enforcing a DMARC policy helps ensure that patients, partners and staff only see emails that authentically come from your organization, while also increasing email deliverability and enabling streamlined communication. DMARC is therefore a must for every domain owner in healthcare looking to protect and empower their organization.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email validation system designed to protect organizations’ email domains from exploitation via email spoofing, phishing scams and other cyberattacks. Created by PayPal, Yahoo! and Microsoft, DMARC builds on the existing email authentication techniques SPF and DKIM to improve and monitor protection of the domain from fraudulent use. DMARC adds an important capability for domain owners — reporting. By publishing a DMARC record in DNS, domain owners gain insight into who is sending email using their domain, allowing them to increase control over email sent on their behalf.


How DMARC Benefits Your Healthcare Organization

Patients put their trust in the hands of healthcare providers and their IT systems, making it absolutely vital to secure all channels of communication. DMARC empowers your organization to take control of its email domain and to experience the following benefits.

Protect your online brand:
No matter the size or scope of your organization, cybercriminals will attempt to impersonate your domain and online presence for malicious purposes. DMARC helps keep your brand out of their arsenal of spoofed email domains, thus protecting your brand’s integrity.

Increase email deliverability:
Even legitimate emails can end up in spam folders and email quarantines, which can be a problem when emails contain important healthcare information. DMARC serves as extra proof that email from your organization is legitimate, increasing deliverability to the inbox while also knocking out fraudulent mail.

Gain greater visibility into cyber threats:
DMARC enables you to monitor all authorized third parties that send email on your behalf — as well as those that are not authorized — helping to ensure compliance with security best practices.

Publish a policy that instructs ISPs and other email receivers to deliver, quarantine, or delete emails:
With DMARC, you can decide if potential abuses of your email domain are quarantined for further review, automatically deleted, or just reported back to you. Emails that pass the DMARC checks are delivered without hindrance.

Email is Not Inherently Secure and Never Has Been

Email is the backbone of professional communication globally. Unfortunately, it’s also the starting point for 95% of cyberattacks. Though cybersecurity technologies have made great advances, it has historically been difficult to remedy an inherent security weakness that came with the democratization of email: anyone can create an email account and send emails under a false identity and a false domain. This fundamental structure of email has allowed cybercriminals to send spam, phishing emails and malware using the brands and identities of the world’s most admired healthcare and public health organizations. In doing so, these bad actors can inflict direct losses on patients and tarnish brand equity established over years of trustworthy service.

Not Enough Healthcare Organizations Are Using DMARC to Protect Their Brands

Healthcare organizations are the biggest victims of brand impersonation. Why? In addition to being targeted for highly coveted sensitive (and lucrative) information, the healthcare industry is behind when it comes to enforcing DMARC. According to a public DNS record analysis, only 2% of healthcare organizations globally have set up a DMARC policy to quarantine or reject emails that do not pass DMARC authentication checks. That leaves 98% of healthcare organizations unprotected from having their brands used in phishing and fraudulent email. Mimecast’s 2020 State of Email Security Report found that 57% of healthcare organizations believed it was inevitable or likely that they would be negatively affected by an email-borne cyberattack in the next 12 months. Luckily for those organizations, brand impersonations and phishing attacks don’t have to be inevitable — DMARC is here to help.

Protect Against BEC attacks

Business email compromise (BEC) attacks are inbound threats wherein cybercriminals impersonate company executives and send deceptive emails requesting wire transfers to fraudulent accounts, or use a number of other social-engineering tactics. More than 400 businesses are targeted by BEC scams every day, and one in three companies has fallen victim to CEO fraud emails. According to the Anti-Phishing Working Group, the average amount requested during wire transfer BEC attacks is $48,000. When configured successfully, DMARC helps combat inbound threats like BEC attacks where the attacker sends an email with a ‘from’ address that appears to originate from a trusted business partner.


How to be DMARC Compliant

Now that you understand why DMARC is important for your healthcare organization, let’s get started on the “how.” Though DMARC is a key part of any cybersecurity program, it is not a standard that can be deployed, configured, activated and then forgotten. To correctly implement DMARC and then get the most out of that investment, domain owners must kick off and manage a DMARC project that includes a series of steps: discovering all of your owned domains, learning which legitimate services send email on your behalf, properly configuring those services from an SPF and DKIM perspective, and of course publishing a DMARC record (try our DMARC Record Generator). It’s also imperative that after DMARC has been successfully implemented — set to “reject” for all of your domains — your organization establishes a program of ongoing monitoring, as DMARC is not a set-it-and-forget-it standard. In 2020, Mimecast embarked on our own journey to use DMARC across all of our owned domains. The project was documented in a three-part blog series for other organizations to use as a resource.
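The policy choice described under “Publish a policy that instructs ISPs and other email receivers…” and the rollout steps above come together in the DMARC TXT record itself, published at `_dmarc.<your-domain>`. The script below is an added example (not Mimecast’s code or tooling): it parses such a record, classifies how far along the none → quarantine → reject path a domain is (including the common `pct=` partial-rollout case), and then reproduces the receiver-side decision that ties DMARC to SPF and DKIM: a message passes only if SPF or DKIM passed *and* the authenticated domain aligns with the visible From domain, otherwise the record’s `p=` policy (`none`, `quarantine` or `reject`; the article’s “delete” corresponds to `reject`) is applied. All domains and report addresses are constructed placeholders, and the organizational-domain helper is a simplification (real receivers consult the Public Suffix List).

```python
"""Added example: DMARC record assessment and SPF/DKIM alignment evaluation.
Domains and mailto addresses are constructed placeholders, not real records."""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records as they would appear in the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; adkim=r; aspf=r; "
                       "rua=mailto:dmarc@rollout.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                        "rua=mailto:dmarc@enforced.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # no p= tag at all
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Return (stage, findings); stage is invalid, monitoring, partial or enforced."""
    findings = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p= tag missing or not one of none/quarantine/reject")
    if findings:
        return "invalid", findings
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if policy == "quarantine":
        findings.append("quarantine is an interim step; the goal is p=reject")
    if pct < 100 or policy == "quarantine":
        return "partial", findings
    return "enforced", findings


def org_domain(domain):
    """Simplified organizational domain: the last two labels. Real receivers use the
    Public Suffix List, so e.g. 'example.co.uk' would need three labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict (s) alignment needs an exact match; relaxed (r) needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(txt, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Receiver-side decision: pass if SPF or DKIM passed with an aligned domain,
    otherwise the record's p= policy (none/quarantine/reject) applies."""
    tags = parse_dmarc(txt)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r").lower())
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r").lower())
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none").lower()


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        stage, findings = assess(record)
        print("%-22s %-10s %s" % (domain, stage, "; ".join(findings) or "ok"))
    # A forged message: SPF passes for the sender's own infrastructure, but that
    # domain does not align with the From domain, so the reject policy applies.
    print(dmarc_disposition(SAMPLE_RECORDS["enforced.example"], "enforced.example",
                            "pass", "unrelated.example", "fail", ""))
```

Run it against your own record by replacing the sample text with the output of `dig TXT _dmarc.<your-domain>`; the `partial` stage is the one most worth watching during a rollout, because a `pct=` below 100 or a lingering `p=quarantine` leaves part of your mail stream unprotected even though a record is published. The alignment check also explains a frequent deliverability surprise: a third-party sender that signs DKIM with a subdomain will pass under `adkim=r` but fail under `adkim=s`.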