Around three-quarters of hospitals in the United Arab Emirates and South Africa have not adopted the strongest form of the Domain-based Message Authentication, Reporting and Conformance (DMARC) email validation protocol.
According to a DMARC analysis by Proofpoint, 28% of hospitals in those regions have implemented the strictest and recommended level of DMARC protection, "reject." There are three levels of protection: monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.
Only 69% of UAE hospitals have published a basic DMARC record, meaning 31% are taking no steps to protect users from potential email fraud.
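The three levels correspond to the `p` tag of the TXT record a domain publishes at `_dmarc.<domain>` (RFC 7489), where `p=none` is the monitor level. The Python below is an added example, not Proofpoint's tooling or data, showing how an adoption check could classify published records; the domains, TXT strings, function names and the "partial" and "invalid" labels are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: hypothetical domains and TXT strings, not survey results.
SAMPLE_TXT = {
    "_dmarc.hospital-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example"],
    "_dmarc.hospital-b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "_dmarc.hospital-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@hospital-c.example"],
    "_dmarc.hospital-d.example": ["v=spf1 -all"],        # not a DMARC record
    "_dmarc.hospital-e.example": ["v=DMARC1; p=rejct"],  # misspelled policy
    "_dmarc.hospital-f.example": [],                      # nothing published
}

# DMARC "p" tag value -> the level name used in the article.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to a protection level."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:  # zero or several records: receivers apply no DMARC policy
        return "no record"
    level = LEVELS.get(records[0].get("p", "").lower())
    if level is None:
        return "invalid"  # published, but the policy is not one receivers enforce
    pct = records[0].get("pct", "100")
    if level != "monitor" and pct.isdigit() and int(pct) < 100:
        return level + " (partial)"  # policy applies to only pct% of failing mail
    return level

def summarize(zone):
    """Count domains per level, the tally an adoption survey would report."""
    return Counter(classify(records) for records in zone.values())

if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLE_TXT).items()):
        print(f"{name}: {count}")
```

A record that exists but carries a misspelled policy or a `pct` below 100 counts as "published" in a basic check while giving less protection than full reject, which is why the example reports those cases separately.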
Healthcare Under Attack
Emile Abou Saleh, regional director for Middle East and Africa at Proofpoint, said that with the healthcare industry rapidly becoming a target for cybercriminals due to the sensitive patient data these institutions hold, and healthcare organizations being high-value targets for ransomware attacks, "a broader security strategy will be crucial to secure the future of the healthcare sector in the UAE and South Africa, which has been identified as a priority area under the respective national agendas of both countries."
Ryan Witt, healthcare cybersecurity leader at Proofpoint, says that DMARC adoption remains around 25% for the healthcare industry for several reasons:
- Complexity: DMARC implementation can be complex, especially in medium to large health systems. It requires coordination among multiple departments, careful configuration of email servers, and ongoing monitoring and management.
- Resource limitations: Implementing DMARC effectively often requires dedicated cybersecurity resources at a time when staffing challenges plague the industry, especially for IT and infosec personnel.
- COVID: The healthcare industry was particularly challenged by COVID, and it took a tremendous amount of resources to pivot from the office to a work-from-anywhere environment. This occurred at a time when healthcare was under acute challenges for providing patient care, elective surgeries (the most profitable form of patient care) were significantly interrupted, and resources were, in certain instances, needed to establish makeshift/overflow care facilities.
"Healthcare has made significant strides in better protecting the industry, in part because hospital executives increasingly see cybersecurity as a core component of patient care," Witt says. "In other words, there have been many examples of where a cyber event has directly impacted patient care — delayed procedures, patient records not being available, increased complications for treatment, patient having to be moved to a different care facility, etc. — and hospital executives better appreciate that more investment is needed to secure their health systems."
How Can Organizations Improve?
Witt says there are options to better assist healthcare organizations, such as the Health Information Sharing and Analysis Center (H-ISAC), which has encouraged the healthcare industry to adopt DMARC as a fundamental security control for many years.
"In addition," he says, "the US Department of Health and Human Services, through its 405d program, has provided a best-practices document for cybersecurity preparedness that covers the importance of DMARC when safeguarding against cyberattacks in healthcare."