Markus Jakobsson, Chief Scientist at Agari, comments: “The theft of 30,000 medical records from a database in Florida is only the latest in a long line of incidents showing how vulnerable the healthcare sector is to deceptive emails.
Our research has found that the healthcare sector is targeted by more deceptive email than any other, with 92 per cent of all email domains carrying fraudulent emails. While email security training should be encouraged, with so many malicious emails using deceptive identities, organisations should not be relying on their staff to successfully sort the fakes from legitimate messages.
Instead, healthcare organisations need to work to prevent malicious emails from reaching their employees’ inboxes in the first place. One of the most effective ways of preventing email spoofing is the free-to-use Domain-based Message Authentication, Report & Conformance (DMARC) email authentication standard.
However, after examining 5,000 NHS email domains, we found just 1 per cent were currently using DMARC, and only five per cent of UK healthcare organisations had any DMARC policy in place.
Until DMARC is adopted as standard, cyber criminals will have free reign to impersonate domains and use trusted identities to target both employees and patients themselves. I implore all organisations to take this first step in protecting their private medical data from falling into criminal hands.”