How the healthcare sector is waking up to phishing threats [Q&A]
The healthcare sector is a popular target for phishing attacks, yet it's failing to adopt simple measures like DMARC that could offer protection to both patients and staff.
A new report from cyber security company Agari reveals that fewer than 10 percent of NHS Trusts and Boards in the UK have self-certified as using DMARC. Globally, 77 percent of healthcare organizations don't have a DMARC policy.
Agari analyzed the DMARC policy status of 40 UK healthcare organizations, including hospital groups and healthcare insurers, and 5,000 known NHS domains. Worryingly, it finds that 92 percent of domains are carrying fraudulent email.
We spoke to Patrick Peterson, founder and executive chairman of Agari, to find out why the sector is particularly at risk and what it can do to build trust among its users.
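As an added illustration of the kind of check behind the figures above (example code, not Agari's own methodology or tooling), the following classifies a domain's published DMARC record as missing, invalid, monitor-only (p=none) or enforcing. The domain names and records are constructed samples standing in for a real TXT lookup of `_dmarc.<domain>`.

```python
"""Classify DMARC policy status from published TXT records.

Added example, not Agari's tooling. SAMPLE_RECORDS is a constructed
stand-in for DNS lookups of _dmarc.<domain>; domain names are hypothetical.
"""

SAMPLE_RECORDS = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:reports@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "hospital-d.example": "",  # no record published at all
    "hospital-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}


def parse_dmarc(record):
    """Return a tag->value dict, or None if this is not a usable DMARC record.

    A DMARC record must declare v=DMARC1 and carry a p= policy tag.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def policy_status(record):
    """Classify as 'missing', 'invalid', 'monitor' (p=none) or 'enforce'."""
    if not record.strip():
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        return "enforce"  # receivers act on failing mail
    return "invalid"


def enforcement_pct(record):
    """Share of failing mail the policy applies to (pct tag, default 100)."""
    tags = parse_dmarc(record) or {}
    try:
        return int(tags.get("pct", "100"))
    except ValueError:
        return 100


def summarize(records):
    """Count domains per status, as a survey like the one above would."""
    counts = {}
    for rec in records.values():
        status = policy_status(rec)
        counts[status] = counts.get(status, 0) + 1
    return counts
```

Only domains that come out as "enforce" actually stop spoofed mail at receivers; a p=none record satisfies "has a DMARC record" but offers no protection on its own, and a low pct value limits how much of the failing mail the policy covers.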
BN: Where are we in terms of healthcare data safety?
PP: When it comes to medical and patient safety we've invested a lot over the past two years. Much of that has been in medical and patient safety, but we also have a cyber threat. What organizations are learning is that it's equally important to act in a digitally as well as medically safe way.
What we're seeing now, starting with the UK government's digital services and moving to the US government, is a clear message that you should make sure the digital content and messages the healthcare constituency is receiving are safe and trusted.
Sadly we still have a long road ahead of us when it comes to the medical profession, at least in the United States. Criminals have found impersonating healthcare brands to be a very successful way to steal information or get fraudulent monetary gains.
BN: Won't this be a hard sell for medical professionals who would prefer to spend their money treating patients?
PP: Healthcare is currently one of the weakest industries when it comes to this topic. In reality concerns about an adverse effect that could injure or even cause the death of a patient have been where the medical profession has been focused for hundreds of years. The digital side has been seen very much as a second priority. But while the medical side is still focused on the patient the business side and operations teams are starting to realize they can’t reliably deliver patient outcomes without a secure environment. We're therefore starting to see security teams getting more power, bigger budgets and being recognized as an important partner.
BN: Is healthcare being particularly targeted compared to, say, finance?
PP: What's happened is, as the finance industry has been in the thick of it for many years, they have developed sophisticated controls and protections with huge budgets and teams. That makes them a hard target. Meanwhile healthcare has been lagging, so they are a much softer target. Also, as a phishing target, when people are talking about health conditions and treatment it's wonderful social engineering material.
BN: Does the requirement for extra security need to be sold to the consumer as well as the industry?
PP: This is one of the things we love about DMARC technology. It's designed to work the way security should work, like when you get into your car you don't need to know how it works or how safety systems like anti-lock brakes work, as long as there’s common sense behind the wheel you should know you'll be safe. DMARC is designed to not need consumer interaction or education and not need people to change how they do business. It simply ensures that if a brand is doing the right thing you won’t see malicious messages seeming to come from their domain.
BN: What do we need to see to drive more adoption, are we nearing a tipping point?
PP: I think the tipping point is now; we saw the UK government just over a year ago say it required greater security for government services. That was a catalyst that got people thinking about things more seriously. In the US we've seen senators asking questions of the government. Now the Department of Homeland Security is requiring government departments to adopt DMARC in the next year. And now we've seen the National Health Information Sharing and Analysis Center (NH-ISAC) come up with similar requirements.
BN: Does this tie in with other legislation like GDPR?
PP: Yes, the importance of these areas has hit a level that people are now realizing how vital security and email safety are to any business and that these are basic steps to make the internet a safer place.
BN: How proactive is healthcare being in making changes?
PP: Three years ago it was very much in the dark ages, focused on patient safety, but budgets, awareness and infrastructure for digital safety were barely registering. The sector is still in early stages but we are seeing a sea change in how the problem is being thought about, in the resources being allocated. While healthcare is still lagging now I would expect in three to five years it will have caught up with industries like finance and government.
The UK has a tremendous advantage in that health is run by a centralized body. In the US there's a huge challenge when it comes to healthcare security: you may interact with many device manufacturers, physicians, specialists, insurers, clinics, labs... Literally you may have no idea who is providing your care on any given day. While there's certainly a big challenge in the UK, once things get underway they should happen much faster. You've also had things like the WannaCry attack earlier this year, which drew people's attention to the vulnerability of the sector.
You can get the full report on UK healthcare DMARC adoption from the Agari website.