NHS DMARC Fail Leaves Patients Exposed to Phishing

Some 98% of UK healthcare organizations, including nearly all NHS domains, are unprotected by the DMARC protocol, leaving them exposed to phishing attacks, according to a new report from Agari.

The cybersecurity vendor analyzed 40 UK healthcare organizations and almost 5000 NHS domains to compile its new UK Healthcare: DMARC Adoption Report.

It found extraordinarily low take-up of the protocol, which is designed to authenticate email messages and to detect and prevent domain spoofing.

Only 5% of the 40 HCOs analyzed had DMARC in place, dropping to just 1% for the NHS domains covered in the report.

In comparison, more than three-quarters (77%) of global HCOs don’t have a DMARC policy, and of those that do, just 2% have an enforcement-based policy in place, the report claimed.
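The report's distinction between "having a DMARC policy" and having an "enforcement-based" one comes down to the `p=` tag of the TXT record published at `_dmarc.<domain>`: `p=none` only asks receivers for reports, while `p=quarantine` or `p=reject` tells them to act on spoofed mail. The following script is an added example (not code from Agari or the article) that classifies domains into no-DMARC, monitor-only and enforcing, and computes the same kind of percentages the report quotes. The domain names and records are constructed; a real survey would fetch the TXT records over DNS, which is left out so the example runs offline.

```python
"""Classify the DMARC posture of a set of domains from their TXT records.

Added example, not from the Agari report or the article. Sample records
below are constructed; a live check would resolve the TXT records at
_dmarc.<domain> instead of reading them from SAMPLE.
"""
import re
from collections import Counter

# One "tag=value" item of a DMARC record (RFC 7489 section 6.3)
TAG_RE = re.compile(r"([A-Za-z]+)\s*=\s*(.*)")


def parse_dmarc(record: str) -> dict:
    """Parse one TXT record into a tag dict; return {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        m = TAG_RE.fullmatch(part.strip())
        if m:
            tags[m.group(1).lower()] = m.group(2).strip()
    # A DMARC record must identify itself with v=DMARC1
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def classify(records: list[str]) -> str:
    """Return 'none', 'monitor' or 'enforce' for the records at _dmarc.<domain>.

    'none'    : no usable record (zero DMARC records, or more than one,
                which RFC 7489 section 6.6.3 tells receivers to ignore)
    'monitor' : p=none, or an enforcing p applied to 0% of mail (pct=0)
    'enforce' : p=quarantine or p=reject
    """
    dmarc = [t for t in map(parse_dmarc, records) if t]
    if len(dmarc) != 1:
        return "none"
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Missing or invalid p: receivers treat it as p=none only when a
        # reporting address (rua) is present; otherwise the record is ignored.
        return "monitor" if tags.get("rua") else "none"
    if policy == "none":
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforce" if pct > 0 else "monitor"


def summarize(domains: dict[str, list[str]]) -> dict:
    """Count domains per posture and derive the shares a survey would report."""
    counts = Counter(classify(recs) for recs in domains.values())
    total = len(domains)
    with_dmarc = counts["monitor"] + counts["enforce"]
    return {
        "total": total,
        "no_dmarc_pct": round(100 * counts["none"] / total, 1),
        "enforce_pct": round(100 * counts["enforce"] / total, 1),
        "enforce_of_dmarc_pct": (
            round(100 * counts["enforce"] / with_dmarc, 1) if with_dmarc else 0.0
        ),
    }


# Constructed sample of hypothetical domains (not real NHS records)
SAMPLE = {
    "trust-a.example": [],                                               # no record
    "trust-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@trust-b.example"],
    "trust-c.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@trust-c.example"],
    "trust-d.example": ["v=DMARC1; p=quarantine; pct=0"],                # enforcement on 0% of mail
    "trust-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],       # duplicate records
}

if __name__ == "__main__":
    for domain, recs in SAMPLE.items():
        print(f"{domain:20} {classify(recs)}")
    print(summarize(SAMPLE))
```

Two edge cases are worth noticing: a domain that publishes `p=reject` but `pct=0` is counted as monitoring only, because receivers apply the policy to none of its mail; and a domain with two DMARC records is counted as unprotected, because receivers discard the lookup rather than pick one.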

The industry is in dire need of DMARC: Agari claimed that over 50% of emails patients receive from ‘healthcare organizations’ are in fact fake.

The sector was the second most targeted after financial services, according to the most recent Verizon Data Breach Investigations Report.

Things are moving at a typically glacial pace in the NHS: the health service adopted version 2.0 of the Secure Email Requirements Specification (SCCI1596) in January 2017. The spec mandates the use of DMARC by all NHS organizations and related private contractors.

However, Agari claimed that despite warnings from NHS Digital, less than 10% of NHS Trusts and Boards have self-certified as having met the standard, while 99% of domains it studied have no DMARC in place.

DMARC implementation can be complex and time-consuming, and the vendor admitted that a hotchpotch of legacy NHS systems could make the task even more challenging.

The government issued an order back in 2016 mandating the use of DMARC, HSTS and HTTPS for all departments from October 1 that year.

However, research from a year later in October 2017 revealed that only 16% of English local councils had followed through.

The NCSC claimed that by the end of March, 613 .gov domains were registered with the service, up 35% on January.
