New Research: Healthcare Company Emails Put Patients at Risk
In a recent study, Return Path found that only 12% of the top healthcare brands in the US are being proactive when it comes to protecting their customers, brand reputation, and bottom line from email attacks. This is especially troubling given how heavily the healthcare industry is targeted by cybercriminals.
Medical data—worth 10 times more than a credit card number on the black market—is extremely valuable to fraudsters. The average payout for a medical identify theft is about $20,000, compared to $2,000 for a regular identity theft, according to RSA.
Greater value means more attacks. Just consider these stats:
- There have been 1,282 attacks affecting more than 143.3 million individuals since 2009 (source: US Department of Health and Human Services)
- Cyber attacks are up 125% since 2010, with the average data breach costing a hospital $2.1 million (source: Ponemon Institute)
- Cyber attacks cost the U.S. healthcare system $6 billion every year (source: Ponemon Institute)
Phishers often capitalize on the breaking news of a massive data breach. Anthem, for instance, experienced a flood of phishing scams targeting their customers just hours after they publicly announced the data breach we are now all familiar with.
Healthcare companies can’t rely on unassuming customers to spot fraudulent emails like these; 97% of people around the globe cannot identify a sophisticated phishing message.
But healthcare companies can prevent these malicious emails from ever reaching their customer’s inbox in the first place. The problem is, they’re not.
Only 12% of top US healthcare brands are securing email
Return Path analyzed 1,192,786 total messages from 40 of the top healthcare brands in North America, looking specifically at email authentication standard implementation for SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication Reporting and Conformance).
79% of the messages we analyzed did not have an SPF record published for the primary sending domains, which means fraudsters can use it to send malicious messages to unsuspecting customers. Of those that did have an SPF record, only 21% passed SPF, which indicates that these brands lack visibility and control over their email authentication and/or emails are being sent from IP addresses not authorized by the brand.
Only 12%—five out of the 40 brands—had implemented a DMARC record. This means cybercriminals can spoof any owned sending domain not protected by DMARC in the “From” field, tricking customers into giving up confidential personal and health information.
This trend holds true around the globe. Back in February 2015, Return Path analyzed over 1,000 of the world’s largest brands across 31 countries to look at DMARC adoption rates by region and industry sector. The healthcare industry’s DMARC adoption rate was remarkably lagging, the lowest of all sectors at 8%.
The bottom line is that healthcare organizations simply aren’t doing enough to protect their customers. That’s why we wrote The Healthcare Guide to Email Fraud. In it, we’ll dive into best practices for securing outbound email and protecting patients, brand reputation, and business outcomes.
About Estelle Derouet
Estelle Derouet is Vice President of Marketing, Email Fraud Protection at Return Path. In her role, Estelle leads a fabulously talented team of experienced B2B marketers, tasked with driving awareness and generating demand. Prior to joining Return Path in 2010, Estelle led the EMEA and APAC marketing function at enterprise mobility provider iPass for eight years. Follow her on Twitter @ederouet.