What is the NH-ISAC 90-Day DMARC Challenge?

Healthcare organizations are more vulnerable to phishing attacks because the average maturity of security controls and training is lower than in other industries, such as banking. Successful phishing attacks rely heavily on emails with either spoofed or similar-looking domain names. Emails originating outside of an organization’s domain but using a similar domain can be flagged as external to alert the end-user. Unfortunately, emails with spoofed domains require technical controls to identify them and divert them to a spam folder.

To address this, the US Department of Homeland Security (DHS) released a binding directive in mid-October of 2017 that mandated federal agencies to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC) technology within 90 days. More simply, DMARC is an email-validation system that detects and prevents email spoofing. It is designed to combat techniques used in phishing and spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. That same week the National Health Information Sharing and Analysis Center (NH-ISAC) responded with a 90-day challenge of their own. The NH-ISAC challenge is called the 90-day DMARC challenge.

NH-ISAC reports that 57% of emails that purport to originate from a healthcare entity are fraudulent. This presents a problem larger than is generally realized inside healthcare organizations. Any organization that takes the time to dig into this issue will quickly realize the advantage of protecting itself from fraudulent emails impersonating its domains. This gives your organization the ability to protect both patients and employees, as well as to dramatically reduce the effectiveness of phishing and spam campaigns.

Why Should I Use DMARC?

The protections provided by DMARC can eliminate, or at least severely reduce, many of the threats that healthcare organizations face. For example, DMARC works alongside tools already in place, such as anti-virus and email filters, and can vastly improve their effectiveness. On top of all of these advantages, DMARC is free and relatively simple to implement.

Using DMARC to verify the authenticity of servers sending mail can significantly reduce malware and ransomware attacks as they are most often distributed via email. Additionally, the utilization of DMARC technology can also significantly reduce spam and phishing emails, which leads to saved time and possible cost savings on storage and bandwidth.

What is Missing?

Despite the alarming number of fraudulent emails and the obvious benefits, NH-ISAC estimates that over 77% of the healthcare industry is not using DMARC to protect their email. Significantly fewer, only 2%, are actively protecting their patients from phishing and spoofing through the use of protective policies on their domains. Almost equally alarming, nearly a quarter of organizations with DMARC technology still are not blocking phishing emails.

The biggest drawback to DMARC, and to the similar Domain Name System (DNS) records it builds on, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), is that it needs to be used by a majority of the industry to be most effective. The larger the percentage of the industry using DMARC protections, the more effective it becomes. This is because a DMARC record only protects the publishing organization’s domain, and even that protection relies on DMARC being checked everywhere else.
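As an added example that is not part of the original post, the following Python models how a receiving mail server evaluates a DMARC record: it parses the DNS TXT record, checks SPF/DKIM identifier alignment against the From domain, and distinguishes a monitor-only policy (p=none) from a protective one that actually blocks. All domain names and records are constructed for illustration; the organizational-domain helper is a simplification (real implementations use the Public Suffix List).

```python
# Constructed DMARC TXT records for made-up domains (not real DNS data).
RECORDS = {
    "_dmarc.monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "_dmarc.hospital.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100",
    "_dmarc.clinic.example": "v=DMARC1; p=quarantine; pct=25",
}

def parse_dmarc(txt):
    """Parse a DMARC record's 'tag=value' list into a dict, applying the defaults
    for alignment mode (relaxed) and pct (100) when the tags are absent."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain):
    # Simplified organizational domain: the last two labels (assumption for this example).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same
    organizational domain, e.g. a bounce subdomain used for SPF."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(policy, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return (dmarc_pass, disposition). spf_pass_domain is the MAIL FROM domain
    if SPF passed (else None); dkim_pass_domain is the d= of a valid DKIM
    signature (else None). A message passes if either identifier is aligned."""
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]  # failing mail gets the domain owner's requested action

def enforcing(policy):
    """True only when failing mail is actually blocked: a quarantine/reject policy
    applied to 100% of messages. p=none or pct<100 leaves spoofed mail flowing."""
    return policy["p"] in ("quarantine", "reject") and policy["pct"] == "100"
```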

It Ain’t Broke…

Because of the nature of the DMARC service, it has traditionally been very difficult to encourage healthcare organizations to adopt this type of protection. Unfortunately, there is little impact on day-to-day operations, and certainly nothing is broken without DMARC or similar DNS record verification in place.

The biggest reason we are not seeing DMARC implemented more broadly is the knee-jerk remediation used by most of the sector. For example, when malware or a virus affects an organization’s network, many upgrade their anti-virus software rather than address root causes such as email authentication and user awareness. This same lack of vision applies to almost any issue that arises.

We need to, as an industry, come together and commit to implementing this free and relatively simple technology to significantly improve the privacy and security of not only our organizations but, more importantly, our patients and customers.

December 4th, 2017

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).