DMARC in Healthcare: Lots of Work to Be Done

Adoption of the Domain-based Message Authentication, Reporting & Conformance – or DMARC – standard is very low in the healthcare sector, and broader use could greatly reduce phishing risks, according to a new study.
Several healthcare security experts say the study shows just how much work needs to be done. And they say boosting the use of DMARC could, for example, reduce the risk of ransomware attacks, a growing threat in the healthcare sector.
The study, jointly issued by National Health Information Sharing and Analysis Center, the Global Cybersecurity Alliance and Agari, a cybersecurity technology vendor, found that only 23 percent of healthcare sector organizations surveyed are using DMARC in any way.
The analysis found that just 2 percent of entities are using DMARC for protecting their external users, such as patients, from phishing and spoofing by using quarantine or reject policies on their domains. Another 21 percent have deployed DMARC to monitor unauthenticated emails, but are not blocking phishing emails.
The DMARC email authentication standard helps to eliminate phishing emails that impersonate domains, NH-ISAC says in a statement issued in collaboration with its study partners.
Agari analyzed in November the DMARC “authentication posture” of 549 large organizations in the healthcare and pharmaceuticals sectors, comparing those findings to a similar analysis performed six months ago.
In October, NH-ISAC began urging its members to adopt the DMARC standard after the Department of Homeland Security issued a directive mandating federal agencies adopt DMARC within 90 days (see DHS Imposes Email Security Measures on Federal Agencies).
DMARC is designed to fit into an organization’s existing inbound email authentication process by helping email receivers determine whether a message aligns with what the receiver knows about the sender, according to Dmarc.org. In practice, alignment means the domain in the visible From: header matches the domain that SPF or DKIM actually authenticated. If a message does not align, the DMARC record published in the sender’s DNS tells the receiver how to handle it (monitor only, quarantine or reject) and where to send aggregate reports.
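To make the categories in the study concrete (no record, monitor-only `p=none`, and enforcing `p=quarantine`/`p=reject`) and to show the alignment check just described, here is an added worked example in Python. It is not code from the article, NH-ISAC, Agari or dmarc.org; the TXT records and domain names are constructed placeholders, and the organizational-domain helper is a deliberate simplification (real implementations use the Public Suffix List).

```python
"""Toy DMARC record parser, posture classifier and alignment evaluator.

Added example: constructed records, placeholder domains, simplified org-domain logic.
"""

# Constructed sample TXT records keyed by the domain they would be published under
# (as _dmarc.<domain>). None stands for "no DMARC record published".
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                         "rua=mailto:agg@enforcing.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "no-record.example": None,
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; None if it is not a valid DMARC record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must start with v=DMARC1 and carry a p= tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")     # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def classify_posture(tags):
    """Map a parsed record onto the study's three buckets."""
    if tags is None:
        return "no DMARC"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor only"
    if policy in ("quarantine", "reject"):
        return "enforcing"
    return "invalid"


def posture_summary(records):
    """Count domains per posture bucket, the way the study reports percentages."""
    summary = {}
    for txt in records.values():
        bucket = classify_posture(parse_dmarc(txt))
        summary[bucket] = summary.get(bucket, 0) + 1
    return summary


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(tags, from_domain, spf_domain=None, spf_result="none",
               dkim_domain=None, dkim_result="none"):
    """DMARC passes if SPF passes on an aligned domain OR DKIM passes with an aligned d= tag."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags["adkim"]))
    return spf_ok or dkim_ok


def disposition(tags, policy_domain, from_domain, **auth):
    """Receiver action for a message: 'none' on pass or no record, else p (or sp for subdomains).

    pct sampling is ignored here for determinism; a real receiver applies the policy to
    pct percent of failing mail and the next weaker policy to the rest.
    """
    if tags is None or dmarc_pass(tags, from_domain, **auth):
        return "none"
    if from_domain.lower() != policy_domain.lower():
        return tags["sp"].lower()
    return tags["p"].lower()


if __name__ == "__main__":
    print(posture_summary(SAMPLE_RECORDS))
    enforcing = parse_dmarc(SAMPLE_RECORDS["enforcing.example"])
    # A spoofed From: with SPF passing for the attacker's own domain is not aligned -> reject.
    print(disposition(enforcing, "enforcing.example", "enforcing.example",
                      spf_domain="attacker.example", spf_result="pass"))
```

The spoofing case at the end is the one the article is about: an attacker can pass SPF for a domain they control, but that domain does not align with the impersonated From: header, so an enforcing policy rejects the message while a `p=none` domain only receives a report.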
Fighting Phishing
More widespread adoption of DMARC could, indeed, help prevent some phishing and other email schemes, some security experts say.
“By design, DMARC validates an email sender and based on how DMARC records are configured in DNS, email messages not aligning with DMARC could be quarantined for further inspection or outright rejected,” says Keith Fricke, principal consultant at tw-Security. “Therefore, phishing attacks would likely become less successful. A reduction in phishing attacks would correlate to a decrease in ransomware, malware-infected attachments and links to malicious web sites.”
Mac McMillan, CEO of security consulting firm CynergisTek, says adoption of DMARC “is a basic common sense measure that should be fully supported in healthcare or any industry.” Many fraudulent emails impersonate domains, so eliminating or reducing this threat lowers the risk healthcare organizations face, he notes.
“If everyone used one or more types of DNS records like SPF, DKIM or DMARC to verify the authenticity of sending mail servers, it would cut down significantly on the number of fraudulent emails received and the amount of spam traffic,” he says. “This could significantly reduce all forms of malware attacks associated with email, email attachments, etc. It would cut down on spam traffic and could potentially cut down on bandwidth costs.”
Fricke offers a similar assessment. “All sectors would benefit from more widely embracing DMARC. … A bigger adoption of DMARC would help reduce fraudulent email within an industry and between industries.”

Jim Routh, CISO of Aetna and NH-ISAC board member, claims the insurer was the first healthcare entity to adopt DMARC in 2014.
“The primary benefit is that consumers/members know that email that comes from Aetna is legitimate and so they trust the email is from Aetna,” he says. “This has improved the ‘click-through rate’ of member response by 10 percent annually, which improves the healthy behaviors of our members.”
DMARC is an ad-hoc standard for email authentication and there is no capital expense necessary, he says. “It simply requires governance over how domains are registered and configured, and third party governance applied to vendors that send email out on behalf of the enterprise,” Routh says. “The latter is the most challenging, and the larger the enterprise, the more third parties that send email out on behalf of the enterprise. All of the third parties sending email must authenticate their email services, which requires following a standard configuration.”
Many email vendors offer services to help enterprises adopt DMARC, Routh notes.
Why Is Adoption So Low?
Adoption of DMARC in healthcare is lagging for several reasons, McMillan says.
“For the most part, it’s because we look at the problem from the wrong angle – meaning we treat everything as a point issue rather than addressing root causes,” he says.
“So if I have a spam problem I need a spam filter. If I have a phishing problem I need to train users. If I have a malware problem I need anti-virus. It’s not that these are necessarily obviated by implementing DMARC, but their reliance is decreased and they are complemented, so better security is achieved overall.”