Health-care group pushes for tighter email security amid fears over fraud

An organization that focuses on sharing information relating to cybersecurity threats in the health-care sector is making its members pledge to implement an email security standard amid growing concerns over fraud.

The announcement on Tuesday from the threat-sharing group the National Health Information Sharing & Analysis Center (NH-ISAC) was made in concert with the release of a study it conducted with the email security firm Agari and the cross-industry advocacy group Global Cyber Alliance showing more than half of emails that appear to be from health-care providers are fraudulent.

{mosads}

The email protocol was not designed to check if the return address on a message is accurate. Anyone using email can place any name or email address on a message.

NH-ISAC will make its members pledge in 2018 to use DMARC, an add-on protocol that ensures unauthorized people cannot send emails from a particular domain. DMARC checks with the listed sender’s server to see if an email is authentic. If not, the listed sender can request the fake message be deleted or moved to a spam folder. 

Agari found that just under 57 percent of the emails purporting to be from any of the more than 1,911 health-care websites it protects were fraudulent. 

According to Agari’s data, health care is the most targeted sector for fake emails. Government comes in second.

DMARC is not widely used in any industry. Earlier this year, the Department of Homeland Security announced it would require all federal agencies to begin using the service.   

Agari checked DMARC usage across the health-care industry in firms with revenue over $1 billion. Only 2 percent of companies had both installed DMARC and set DMARC to either delete fraudulent messages or send them to spam.