Fifty-Seven Percent of Email “From” Healthcare Industry is Fraudulent

NH-ISAC Members Pledge Improved Security in Healthcare Industry;
GCA Challenges All Organizations to Implement DMARC

SCOTTSDALE, Ariz. – NH-ISAC FALL SUMMIT – November 27, 2017 – The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and Agari, a leading cybersecurity company, today announced the publication of a security research report that reveals the healthcare industry is at the highest risk of fraudulent email, with 57 percent of email “from” the healthcare industry being fraudulent or unauthenticated. In an effort to reduce this fraud, NH-ISAC is urging its members to pledge to implement DMARC in 2018, and GCA has issued a “90 Days to DMARC” challenge.

The report, “Agari Industry DMARC Adoption Report for Healthcare,” reveals that 98 percent of top healthcare providers have not implemented enforcement policies for DMARC (Domain-based Message Authentication, Reporting & Conformance), an email authentication standard, which virtually eliminates phishing emails that impersonate domains.

“The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members,” said Jim Routh, CSO, Aetna.

On October 16, 2017, the US Department of Homeland Security (DHS) issued Binding Operational Directive 18-01, which mandated federal agencies to adopt DMARC within 90 days. NH-ISAC responded that same week, asking its members to pledge to adopt DMARC, a call that it repeats this week at the NH-ISAC Fall Summit. To date, more than 57 percent of NH-ISAC members have pledged to implement DMARC or to research DMARC for implementation.

Additionally, GCA has issued its “90 Days to DMARC” challenge, which begins December 1. Each month, the challenge offers new webinars, guides and additional resources for organizations to plan, implement, analyze and adjust DMARC.

“Agari Industry DMARC Adoption Report for Healthcare” Overview

Agari analyzed the DMARC policies of more than 500 domains in the healthcare and pharmaceutical sectors, using the Agari DMARC Lookup Tool. Additionally, Agari analyzed more than 800 million emails and more than 1,900 domains from its Email Trust Network. Key findings include:

Healthcare Adoption of DMARC is in Critical Condition – More than 77 percent of the healthcare industry has not deployed DMARC to protect its email. Only two percent are protecting their patients from phishing and spoofing by using quarantine or reject policies on their domains. The remaining 21 percent have deployed DMARC to monitor unauthenticated emails, but are not blocking phishing emails. Adoption was slightly better with NH-ISAC members, but 70 percent of NH-ISAC members have not deployed DMARC.
The Healthcare Industry is at Highest Risk of Being Targeted by Fraudulent Email – During the past six months, 92 percent of healthcare domains have been targeted by fraudulent email and 57 percent of emails sent claiming to be from the healthcare industry are fraudulent or unauthenticated.
DMARC Eliminates Millions of Phishing Emails Overnight – DMARC emerged in 2007 from a pilot program between PayPal and Yahoo! to eliminate phishing emails. As a founding member of DMARC, Agari has worked with the largest email providers (AOL, Comcast, Google, Microsoft and Yahoo!) to protect the receipt of email since January 2012. Agari has protected more than 12 trillion emails and blocked more than 350 billion phishing emails.

Supporting Quotes

“The recent directive from the U.S. Department of Homeland Security requiring all federal agencies to implement DMARC within 90 days will positively transform security for the government and its citizens,” said Phil Reitinger, President and CEO of the Global Cyber Alliance (GCA). “GCA is challenging organizations in all sectors to follow the path set forward by DHS. We applaud NH-ISAC for calling upon its members to implement DMARC.”

“Organizations that have deployed DMARC have seen significant lift in email click-through rate, as they minimize the phishing and spam emails that erode trust in their brand,” said Patrick Peterson, founder and executive chairman of Agari. “By heeding the guidance of NH-ISAC leaders, healthcare companies will improve security for themselves, their healthcare providers and their patients. Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications.”

Links for additional information:

Download the full report: Agari Industry DMARC Adoption Report for Healthcare

Learn more: GCA “90 Days to DMARC” Challenge

Watch: Aetna CSO Jim Routh discusses DMARC.

About NH-ISAC
The National Health Information Sharing and Analysis Center (NH-ISAC) is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital Physical and Cyber Threat Intelligence and best practices with each other. Members use this information to extend their security operations team and to create situational awareness, inform risk-based decision-making and mitigate against threats. Membership is open to private & public hospitals, ambulatory providers, health insurance payers, pharmaceutical/biotech manufacturers, laboratory, diagnostic, medical device manufacturers, medical schools, medical R&D organizations and other relevant health care stakeholders. Joining NH-ISAC is one of the best ways health care and public health firms can actively participate to protect the industry and its vital role in critical infrastructure. Visit www.nhisac.org and find us on LinkedIn.

About GCA
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. Learn more at www.globalcyberalliance.org.

About Agari
Agari, a leading cybersecurity company, protects people and businesses against cyber criminals who use false identities to commit fraud, steal information and undermine trust in digital business. The Agari Email Trust Platform is the industry’s only artificial intelligence (AI) driven defense system that models authentic, trustworthy communications to protect humans from being deceived by cyberattacks such as phishing, ransomware and business email compromise (BEC). Some of the world’s best-known companies—including six of the top 10 banks, the top five social networks, leaders in healthcare, shipping and cloud providers—trust Agari to recognize and block these attempts at digital deception in ways other security providers can’t. Agari is a recipient of the JPMorgan Chase Innovation Award, and is recognized by Gartner as a Cool Vendor in Security and by Forbes as a Cloud 100 Rising Star. The company is backed by Alloy Ventures, Battery Ventures, First Round Capital, Greylock Partners, Norwest Venture Partners and Scale Venture Partners. Learn more at http://www.agari.com and follow us on Twitter @AgariInc.