Most U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems



Only six of the 50 largest U.S. public hospitals are protecting their email domains from being seized by hackers attempting to trick patients into giving up their personal information, a new survey finds.

The survey from the Global Cyber Alliance (GCA), a partnership started by law enforcement and research organizations, looked at 100 hospitals in the United States and surveyed them on their email security. It found that for-profit hospitals fared somewhat better, as 22 of the top 48 have deployed the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol in a limited capacity.

DMARC is an email-validation system designed to prevent email spoofing. The protocol is free to use, and prevents unauthorized senders from delivering fraudulent email that claims to come from an organization’s domain.

“Only one of the hospitals using DMARC has it deployed at a level that prevents spam from being delivered to inboxes,” GCA said in a press release. “The remaining 27 hospitals using DMARC are still at the lowest level of deployment which monitors emails from their domain but does not prevent spam from being delivered to inboxes. Reasons for this can vary, including that these hospitals are early in the process of DMARC implementation. In the end, not one of the 100 hospitals scanned is experiencing the full benefits of DMARC implementation.”
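The deployment levels GCA describes can be read straight from the DMARC TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from GCA or from this article: it parses a record using the tag syntax of RFC 7489 and sorts it into a level. The level names, function names and sample hospital domains are assumptions made for illustration.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt):
    """Map a TXT record (or None when nothing is published) to a deployment level."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reports are collected, spoofed mail is still delivered
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # unparsable pct: fall back to the default of 100
    # pct < 100 applies the policy to only a sample of failing messages.
    return "enforced" if pct == 100 else "partial-enforcement"

def survey(records):
    """Count deployment levels across a {domain: TXT record or None} mapping."""
    return Counter(classify(txt) for txt in records.values())

# Constructed sample data: what a lookup of _dmarc.<domain> might return.
SAMPLE = {
    "hospital-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; pct=25",
    "hospital-d.example": "v=spf1 include:_spf.hospital-d.example -all",  # SPF, not DMARC
    "hospital-e.example": None,  # nothing published
}

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:22} {classify(txt)}")
    print(dict(survey(SAMPLE)))
```

A record with `p=none` is the monitoring-only level in the quote above; only `quarantine` or `reject` tells receiving servers to keep failing mail out of inboxes.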

This, and the fact that healthcare providers hold terabytes of personal data from patients, means they are vulnerable to hackers, who often use email to gain access to organizations’ networks.

“Specifically, attackers are using phishing emails with malicious attachments to target valuable medical records stored on hospital networks,” GCA said. “These records include personally identifiable information such as home address and Social Security numbers.”

To help hospitals combat this threat, GCA released a new DMARC Setup Guide that walks security professionals through a step-by-step process to install DMARC. 

“As cyber threats mount against healthcare providers, deploying DMARC is an essential solution to protecting their patients’ data privacy,” said Philip Reitinger, president and CEO of GCA. “The protocol has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients’ digital health.”

For more on DMARC, read “Spoofing the CEO” from the October 2016 issue of Security Management.