A recent analysis of hospitals in the United Arab Emirates (UAE) and South Africa has revealed that a significant number of healthcare institutions in these regions have not implemented the strongest form of email validation protocol called Domain-based Message Authentication, Reporting and Conformance (DMARC). According to the analysis conducted by Proofpoint, a leading cybersecurity company, around 75% of hospitals in the UAE and South Africa have not adopted the recommended level of DMARC protection known as “reject.” This highlights the potential risk of email fraud that patients and healthcare organizations in these countries may face.
DMARC is an essential security measure that helps prevent suspicious and fraudulent emails from reaching users’ inboxes. It operates on three levels of protection: monitor, quarantine, and reject. Of these levels, the “reject” level provides the highest level of security, effectively blocking suspicious emails from reaching the intended recipients.
The analysis revealed that only 28% of hospitals in the UAE and South Africa have implemented the “reject” level of DMARC protection. This means that the majority of healthcare institutions in these countries are not taking adequate measures to protect users from potential email fraud. In the UAE specifically, only 69% of hospitals have published a basic DMARC record, indicating that 31% of hospitals are not taking any steps to safeguard against email fraud.
Emile Abou Saleh, the regional director for the Middle East and Africa at Proofpoint, emphasized the need for a comprehensive security strategy to protect the healthcare sector in these countries. As healthcare institutions increasingly become targets for cybercriminals due to the valuable patient data they hold, ensuring robust cybersecurity measures is crucial. Healthcare organizations need to prioritize securing their systems by adopting advanced protection measures like DMARC.
Ryan Witt, a healthcare cybersecurity leader at Proofpoint, identified several reasons why the adoption of DMARC remains relatively low in the healthcare industry, with only around 25% adoption rate. One of the challenges is the complexity of implementing DMARC, which requires coordination among multiple departments, careful configuration of email servers, and ongoing monitoring and management. Additionally, resource limitations pose a significant obstacle, as dedicated cybersecurity resources are often lacking in healthcare organizations. The COVID-19 pandemic has further exacerbated these challenges, diverting resources and attention away from implementing robust cybersecurity measures.
To assist healthcare organizations in improving their cybersecurity posture, Witt suggested seeking support from organizations like the Health Information Sharing and Analysis Center (H-ISAC). H-ISAC has been actively promoting the adoption of DMARC as a fundamental security control within the healthcare industry for years. Furthermore, the US Department of Health and Human Services has provided a best-practices document through its 405d program, which highlights the importance of DMARC in safeguarding against cyberattacks in healthcare.
In conclusion, the low adoption rate of DMARC in UAE and South African hospitals raises concerns about the security of patient data and the risk of email fraud. With healthcare organizations increasingly becoming targets for cybercriminals, implementing advanced security measures like DMARC becomes crucial. The healthcare industry needs to prioritize cybersecurity and allocate dedicated resources to protect patient information effectively. Collaborations with organizations like H-ISAC and following best-practice guidelines from government agencies can further support healthcare organizations in strengthening their security defenses and safeguarding against cyber threats.