Healthcare Companies Slow to Adopt DMARC

May 28, 2018


By implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, healthcare companies can detect and limit email spoofing and other misuse of their domains. Nevertheless, comparatively few healthcare organizations are using DMARC, according to the results of a new study by the email authentication vendor Valimail.

DMARC is an open standard that lets a domain owner declare which senders are authorized to use its domain and tells receiving mail servers what to do with messages that fail that check. Without DMARC, it is trivial for an attacker to send an email that carries a company's domain in the From field.

Security awareness programs teach staff not to click links or open attachments in emails from unfamiliar senders. However, when an email appears to come from a known contact or colleague, the messages are routinely opened, links are clicked and attachments are opened.

Research by Cofense suggests more than 91% of cyberattacks begin with a phishing email, and the majority of successful phishing attacks use email impersonation. If controls are not put in place to block email impersonation, organizations remain vulnerable to phishing attacks.

DMARC is among the most effective anti-phishing controls. When a DMARC record is published for a domain, the receiving server checks whether the sender of a message is authorized to use that domain, by verifying that the message passes SPF or DKIM for a domain aligned with the From address. If the check passes, the message is delivered. If it fails, the receiving server takes the action specified in the DMARC record's policy: with a monitor-only policy (p=none) the message is still delivered and the failure is only reported to the domain owner; with p=quarantine the message is routed to the recipient's spam folder; and at the strictest level, p=reject, the message is refused outright.

For the study, Valimail examined the domains of 928 healthcare companies worldwide with annual revenues of more than $300 million, including pharmacies, medical equipment suppliers, physicians, hospitals and other healthcare providers. Only 121 of those companies (13%) have deployed DMARC to protect their domains against email spoofing.

Even where DMARC is in place, most healthcare companies have set a permissive monitor-only policy (p=none). Those organizations will be alerted to email impersonation attacks through DMARC reports, but the spoofed messages will not be blocked. Few healthcare organizations have deployed DMARC at enforcement (quarantine or reject), which is what is needed to actually protect against impersonation. Overall, just 1.7% of the healthcare organizations studied have a policy that rejects email from unauthorized senders.

While only a minority of healthcare companies have deployed DMARC, the study found that a majority, 60%, have published a Sender Policy Framework (SPF) record. SPF is a useful control, but it only validates the envelope sender (the Return-Path, or MAIL FROM, domain), which recipients never see. On its own it does not stop an attacker from sending through their own SPF-authorized domain while placing the company's domain in the visible From header; it is DMARC's alignment requirement that ties the two identities together.
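The two points above, how a receiver turns a DMARC record into a delivery decision and why a passing SPF check alone does not stop From-header spoofing, are easier to see in code. The following is an added example written for this page; it is not code from Valimail or from the original article. The domain names (hospital.example, attacker.example), the DMARC records and the SPF/DKIM results are constructed, and the organizational-domain logic is deliberately simplified (a real receiver consults the Public Suffix List).

```python
# Added example: a minimal DMARC policy evaluator. Not code from Valimail or the
# original article. Domain names (hospital.example, attacker.example) and the
# authentication results below are constructed for illustration.
from typing import Optional, Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; rua=mailto:..." into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Alignment mode defaults to relaxed ("r") when the aspf/adkim tags are absent.
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real receivers use the
    Public Suffix List (e.g. for co.uk); this is enough for the .example names here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") needs an exact match,
    relaxed ("r") only requires the same organizational domain."""
    hf = header_from_domain.lower().rstrip(".")
    ad = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


AuthResult = Optional[Tuple[str, str]]  # (result, domain that was authenticated) or None


def dmarc_disposition(record_txt: str, header_from_domain: str,
                      spf: AuthResult, dkim: AuthResult) -> Tuple[bool, str]:
    """Decide what a receiver does with a message.

    spf  -> ("pass", <MAIL FROM / Return-Path domain>) or None
    dkim -> ("pass", <d= domain of the DKIM signature>) or None
    Returns (dmarc_passed, action) where action is one of
    "deliver", "deliver-and-report" (p=none), "quarantine" or "reject".
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(header_from_domain, spf[1], tags["aspf"])
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(header_from_domain, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"  # at least one passing identifier is aligned with the From domain
    policy = tags.get("p", "none")
    if policy == "reject":
        return False, "reject"
    if policy == "quarantine":
        return False, "quarantine"
    return False, "deliver-and-report"  # p=none (or an unrecognised p=): monitor only


# Constructed records for the three policy levels discussed in the article.
P_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@hospital.example"
P_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@hospital.example"
P_REJECT = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@hospital.example"


def demo():
    # 1. Legitimate mail: From hospital.example, envelope sender mail.hospital.example,
    #    SPF passes. Relaxed alignment accepts the subdomain.
    r1 = dmarc_disposition(P_QUARANTINE, "hospital.example", ("pass", "mail.hospital.example"), None)
    # 2. Spoof: the attacker puts hospital.example in the From header but uses their own
    #    Return-Path domain, for which they publish a valid SPF record. SPF passes, yet the
    #    identifiers are not aligned, so DMARC fails and the published policy decides.
    spoof_spf = ("pass", "attacker.example")
    r2 = dmarc_disposition(P_NONE, "hospital.example", spoof_spf, None)
    r3 = dmarc_disposition(P_QUARANTINE, "hospital.example", spoof_spf, None)
    r4 = dmarc_disposition(P_REJECT, "hospital.example", spoof_spf, None)
    # 3. Strict SPF alignment (aspf=s) fails even the hospital's own subdomain relay
    #    unless an aligned DKIM signature (d=hospital.example) is also present.
    r5 = dmarc_disposition(P_REJECT, "hospital.example", ("pass", "mail.hospital.example"), None)
    r6 = dmarc_disposition(P_REJECT, "hospital.example", ("pass", "mail.hospital.example"),
                           ("pass", "hospital.example"))
    return r1, r2, r3, r4, r5, r6


if __name__ == "__main__":
    labels = ["legit/relaxed", "spoof/p=none", "spoof/p=quarantine",
              "spoof/p=reject", "strict spf only", "strict spf + dkim"]
    for label, (passed, action) in zip(labels, demo()):
        print(f"{label:20s} dmarc_pass={passed!s:5s} action={action}")
```

Scenario 2 is the article's point in miniature: the attacker's message passes SPF, because SPF only vouches for attacker.example in the Return-Path, but fails DMARC because neither SPF nor DKIM authenticated a domain aligned with the hospital.example From header. Whether that failure is merely reported (p=none), quarantined or rejected depends entirely on the policy the domain owner published, which is why monitor-only deployments offer no protection to the recipient.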

DMARC adoption is increasing, although implementation is clearly a hurdle for many healthcare organizations. Valimail notes in its report that it is usually only the largest healthcare organizations that successfully deploy DMARC, suggesting that DMARC implementation is a resource problem for smaller companies.