Only 13% of Healthcare Companies Using DMARC Implement it Effectively


Healthcare companies could implement DMARC, the Domain-based Message Authentication, Reporting and Conformance Standard, to identify email spoofing and prevent it. The thing is only some healthcare companies use DMARC, as reported by Valimail, an email authentication vendor.

DMARC operates by ensuring that a domain is being used only by authenticated senders. A company that is not using DMARC will not filter out the email sent by hackers using the domain of a company indicated on the From field. Employees required to attend security awareness programs are told never to click links or open attachments in emails which are from unknown senders. However, when an email appears to have been from a known contact, they won’t think twice on clicking links and opening attachments.

Based on a study by Cofense, about 91% of cyberattacks are due to a phishing email. A lot of the successful phishing attacks are associated with impersonated emails. Therefore, companies with no controls for blocking email impersonation are vulnerable to phishing attacks.

DMARC is effective as an anti-phishing product. It creates a file for a domain and tests all the email communications using the domain. When the sender is an identified user of the domain, the message is going to be delivered and received. If not, it’s going to be marked on the DMARC record. The receiving server could take a step as noted. Message delivery depends on the set controls. The message will be sent however it could end up in the junk folder or it’ll be delivered.

Valimail analyzed the domains of 928 healthcare organizations with yearly earnings of more than $300 million. Only 121 organizations or 13% implemented DMARC to shield their domains from email spoofing. Although using DMARC, a lot of healthcare companies configure permissive controls, consequently they get alerts of email impersonation however the messages aren’t blocked. Just 1.7% of healthcare companies have configured their controls to refuse emails from unidentified senders.

A lot more healthcare companies (60%) utilize the Sender Policy Framework (SPF) standard. It is effective, however it simply validates the return-path field.  It does not stop email impersonation attacks and doesn’t assess the domain indicated on the message’s From field.

Though healthcare companies are taking on DMARC, implementation is challenging. Only the big healthcare companies are successfully implementing it, reported by Valimail.