Despite email attacks, healthcare still not using DMARC to protect against spoofing

The Domain-based Message Authentication, Reporting and Conformance standard can help hospitals protect against ransomware and phishing, but is only successfully used by 1.7 percent of large healthcare organizations.
By Bill Siwicki
01:21 PM

The overwhelming majority of large healthcare organizations worldwide are still susceptible to spoofing of their own email domains, also known as impersonation attacks, which are a leading vector for cyberattacks.

Why? In part because they have not adopted the Domain-based Message Authentication, Reporting and Conformance, or DMARC, standard, which detects and prevents email spoofing.

New research from Valimail, an email authentication automation vendor, finds that DMARC is rarely used in any capacity among the health systems surveyed. Of the domains in the sample, 807 have not published DMARC records at all. Another 19 domains have published DMARC records that are invalid in some way. Of the organizations with valid DMARC records, 86 have permissive monitor-only policies, and just 1.7 percent were at enforcement level and therefore protected from impersonation, according to the research.

"In other words, 98.3 percent of the healthcare companies we analyzed are susceptible to being impersonated by phishing attacks directed at employees, partners, patients or others," according to the report. "Phishing emails are cited as the initial point of entry in 91 percent of successful cyberattacks, and the majority of successful phish use impersonation techniques. As a result, the lack of protection against impersonation represents a major risk for healthcare organizations."
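The four buckets the report counts (no record, invalid record, monitor-only, enforcement) follow directly from what a domain publishes in its `_dmarc` TXT record. The following is an added example, not code from the article or from Valimail, that parses a DMARC record under RFC 7489 rules, classifies it into those buckets, and flags settings that weaken an enforcement policy. The domain names and records are constructed sample data, not the report's.

```python
"""Classify DMARC records into the adoption buckets used in the report.

A domain publishes its policy as a TXT record at _dmarc.<domain>, e.g.
    v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hospital.example
Fetching the record is left out so this runs offline; pass the TXT string.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, raising ValueError if it is
    not usable under RFC 7489 (v tag first and exactly DMARC1, a usable
    policy, sane pct). Duplicate tags are treated as invalid here; that is
    a conservative choice, not an RFC requirement."""
    parts = [p.strip() for p in record.strip().split(";")]
    parts = [p for p in parts if p]
    if not parts or not parts[0].lower().startswith("v="):
        raise ValueError("version tag must come first")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name, value = name.strip().lower(), value.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if tags.get("v") != "DMARC1":
        raise ValueError("version must be exactly DMARC1")
    if "p" not in tags:
        # RFC 7489 6.6.3: a record with rua but no p is treated as p=none;
        # with neither, the record is not usable.
        if "rua" in tags:
            tags["p"] = "none"
        else:
            raise ValueError("policy tag 'p' is required")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown policy: {tags['p']!r}")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown subdomain policy: {tags['sp']!r}")
    if "pct" in tags:
        if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
            raise ValueError("pct must be an integer 0-100")
    return tags


def classify(record) -> str:
    """Map a record (or None for no record) to one of the report's buckets:
    'missing', 'invalid', 'monitor' (p=none) or 'enforcement'
    (p=quarantine or p=reject)."""
    if record is None:
        return "missing"
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    return "monitor" if tags["p"].lower() == "none" else "enforcement"


def audit(record: str) -> list:
    """Warnings for a valid record whose settings undercut its policy.
    The checks are this example's heuristics, not part of the standard."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    warnings = []
    if policy != "none" and pct < 100:
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets '{policy}'")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        warnings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        warnings.append("no rua: no aggregate reports, so misconfigurations go unseen")
    return warnings


# Constructed sample records, one per hypothetical domain.
SAMPLE_RECORDS = {
    "hospital-a.example": None,
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=quarantine; pct=10",   # enforcement, but weak
    "hospital-e.example": "p=reject; v=DMARC1",               # v tag not first
    "hospital-f.example": "v=DMARC1",                         # no policy, no rua
}


def tally(records: dict) -> dict:
    """Count domains per bucket, the same breakdown the report gives."""
    counts = {"missing": 0, "invalid": 0, "monitor": 0, "enforcement": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        bucket = classify(record)
        extra = audit(record) if bucket == "enforcement" else []
        print(f"{domain:22} {bucket:12} {'; '.join(extra)}")
    print(tally(SAMPLE_RECORDS))
```

A domain counted as "enforcement" can still be only partially protected: `pct=10` applies the policy to a tenth of failing mail, and `sp=none` leaves every subdomain open to spoofing, which is why the audit step runs alongside the classification.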

Illegitimate e-mails are a scourge on the healthcare industry, slipping into organizations and delivering malware that ultimately can freeze information systems, lock down data and endanger patient safety.

Ransomware is ever-evolving and continues to bedevil healthcare organizations. It pummeled the healthcare sector in the early part of 2018, with attacks on Hancock Health that drove the Indiana provider to pen and paper, and the high-profile SamSam attack on EHR vendor Allscripts.

The Department of Health and Human Services recently warned that the SamSam variant is targeting healthcare and "the ransomware risk to the sector is expected to continue for the foreseeable future."

The California-based Center for Orthopaedic Specialists recently notified 85,000 of its current and former patients that a ransomware attack on its IT vendor may have breached the center's data. Hackers launched the attack on COS computer systems, which impacted three of its locations in West Hills, Simi Valley and Westlake Village on Feb. 24. Hackers had locked down its system and encrypted patient data.

Once the attack was discovered, the Center for Orthopaedic Specialists' IT vendor took the system offline in an attempt to limit the damage and implemented measures to prevent a future attack. Impacted information included demographic data, medical records, insurance information and Social Security numbers. The investigation could not rule out whether data was exfiltrated, but officials said it doesn't appear the hacker was able to do so.

Overseas, meanwhile, the U.K. National Health Service has just signed an agreement with Microsoft to upgrade its legacy computer systems to Windows 10 to improve its cyber resilience after the global WannaCry ransomware cyberattack shut down one-third of its health trusts last June. The hope in updating all NHS devices to Windows 10, according to officials, is to improve its cybersecurity posture and improve the health system's ability to respond to attacks.

In the Valimail research, the company analyzed the primary domains for 928 healthcare organizations around the world – including hospitals, medical equipment and supply makers, pharmaceutical manufacturers, pharmacies, and physician practices – with revenues of at least $300 million annually. 

It found that 121 of these organizations (just 13 percent) have begun to protect themselves by using DMARC, but clearly that's a number that should keep rising.

"With 80 percent failure rates, successful deployment of DMARC – known as enforcement – is clearly a challenge for all companies using manual authentication approaches, not just those in healthcare," said Valimail CEO and Co-founder Alexander García-Tobar, in a statement.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com