A recent DMARC adoption study by Agari has revealed that the healthcare industry lags behind most other sectors on email authentication. Most of the top healthcare firms in the United States are failing to protect their customers and partners from phishing emails that spoof their domains.
Domain-based Message Authentication, Reporting and Conformance (DMARC) lets a domain owner publish, in a DNS TXT record, how receiving mail servers should treat messages that claim to come from the domain but fail SPF or DKIM alignment, and where to send reports about them. Deployed with an enforcing policy, it stops phishers from sending mail that exactly spoofs the protected domain (it does nothing against look-alike domains, which is why it complements rather than replaces user awareness). Despite this, 98% of top healthcare operators have not yet implemented DMARC, and in the UK 99% of NHS Trust domains are not protected by DMARC, leaving them exposed to phishing attacks.
For the study, Agari analyzed domains used by 549 large healthcare and pharmaceutical firms. Overall, 77% have not published a DMARC record at all. Of the 23% that have, almost all stop at monitoring: 21% of the firms publish a p=none policy, which only asks receivers for reports so the firm can see phishing attacks that abuse its brand but does not instruct them to block anything; 1% publish p=quarantine, which directs failing messages into the recipient's spam folder; and 1% publish p=reject, which tells receivers to refuse failing messages outright. So only 2% of these firms have an enforcement policy that actually protects customers from receiving spoofed email.
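The three policy levels above are the tags a receiving server reads out of the `_dmarc.<domain>` TXT record, so a survey like Agari's is essentially a parser that buckets records into "no record", `p=none`, `p=quarantine` and `p=reject`. The following is an added example (not Agari's tooling or code from the article) that does that classification offline for a set of constructed records; the `hospital-*.example` domains and their records are invented to illustrate the cases, including two that receivers treat as "no usable record" and a `p=reject` that only covers 10% of mail. On a real domain the input would come from a lookup such as `dig +short TXT _dmarc.example.com`.

```python
"""Parse DMARC TXT records and bucket them into the policy levels an adoption
survey uses (no record / none / quarantine / reject), flagging which ones
actually enforce. Added example: the sample records below are constructed and
do not belong to any real domain or to the study in the article."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed records, one per hypothetical domain (None = no TXT at _dmarc).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "hospital-a.example": None,
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                          "rua=mailto:dmarc@hospital-d.example",
    "hospital-e.example": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@hospital-e.example",
    "hospital-f.example": "v=spf1 include:_spf.hospital-f.example -all",  # SPF put at _dmarc by mistake
    "hospital-g.example": "v=DMARC1; rua=mailto:dmarc@hospital-g.example",  # p= missing, rua present
    "hospital-h.example": "v=DMARC1; p=rejct",  # typo in p=, no rua: receivers ignore it
}


@dataclass
class DmarcPolicy:
    domain: str
    present: bool                    # a usable DMARC record was found
    policy: Optional[str]            # effective p= tag
    subdomain_policy: Optional[str]  # sp= tag, defaults to p= when absent
    pct: int                         # share of failing mail the policy applies to
    has_reporting: bool              # rua= present, so aggregate reports flow back

    @property
    def enforcing(self) -> bool:
        """Enforcement means receivers are told to quarantine or reject all
        failing mail; p=reject with pct=10 still lets 90% through."""
        return self.present and self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(domain: str, txt: Optional[str]) -> DmarcPolicy:
    """Interpret the TXT record found at _dmarc.<domain> (None if there is none).
    Follows RFC 7489: v=DMARC1 must be the first tag; an invalid or missing p=
    is salvaged as p=none only when a rua= address is present (section 6.6.3),
    otherwise the record is unusable and the domain is effectively unprotected."""
    absent = DmarcPolicy(domain, False, None, None, 0, False)
    if not txt:
        return absent
    pairs = []
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments and malformed tags
            pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        return absent
    tags = dict(pairs)
    has_rua = bool(tags.get("rua"))
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        if not has_rua:
            return absent
        policy = "none"
    sub = tags.get("sp", policy).lower()
    if sub not in VALID_POLICIES:
        sub = policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = min(max(pct, 0), 100)
    return DmarcPolicy(domain, True, policy, sub, pct, has_rua)


def survey(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per policy bucket plus how many actually enforce."""
    counts: Counter = Counter()
    for domain, txt in records.items():
        r = parse_dmarc(domain, txt)
        if not r.present:
            counts["no record"] += 1
            continue
        counts[r.policy] += 1
        if r.enforcing:
            counts["enforcing"] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        res = parse_dmarc(name, record)
        state = ("no usable record" if not res.present
                 else f"p={res.policy} sp={res.subdomain_policy} pct={res.pct}")
        print(f"{name:22} {state:36} enforcing={res.enforcing}")
    print(survey(SAMPLE_RECORDS))
```

The `pct` and missing-`p=` handling are the two places a naive "does the record contain reject" check goes wrong: a record that a survey would happily file under "reject" may be sampling only a tenth of traffic, and a record with a typo in `p=` and no reporting address is, to a receiver, the same as no record at all.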
Many organizations are reluctant to implement DMARC because the rollout is complex and time-consuming: every legitimate sender of mail for the domain (marketing platforms, ticketing systems, third-party services) has to be identified and brought into SPF or DKIM alignment before the policy can be moved from none to quarantine or reject without losing wanted mail. The level of domain abuse in the healthcare industry makes the exercise worthwhile, though: 92% of the domains used by healthcare firms have carried fraudulent emails, and overall 57% of all email that appears to come from healthcare domains is either unauthenticated or fraudulent.
The National Health Information Sharing and Analysis Center (NH-ISAC) is encouraging all of its members to implement DMARC, or at least to research DMARC for implementation. To date, 57% of members have pledged to implement DMARC.
The Global Cybersecurity Alliance (GCA) is also taking steps to improve DMARC adoption in the healthcare industry in the United States. Yesterday, GCA launched a “90 Days to DMARC” challenge to encourage DMARC adoption. To make the process as easy as possible, each month GCA will be conducting webinars and releasing guides and a range of resources to help healthcare organizations plan, implement, analyze, and tweak DMARC.
“Organizations that have deployed DMARC have seen significant lift in email click-through rate, as they minimize the phishing and spam emails that erode trust in their brand,” said Patrick Peterson, founder and executive chairman of Agari. “Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications.”