Research finds that Australia’s private hospitals more vulnerable to email fraud and domain spoofing

SYDNEY, Australia – 12 December 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research showing that more than one out of three of Australia’s top-ranked public and private hospitals are lagging behind on basic cybersecurity measures, subjecting patients, healthcare professionals and stakeholders to a higher risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 70 Australian public and private hospitals. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection¹ – monitor, quarantine and reject with reject being the most secure for preventing suspicious emails from reaching the inbox. Proofpoint’s research reveals that 36% of the Australian public and private hospitals have not implemented the recommended and strictest level of DMARC protection, leaving these organisations open to email fraud and domain spoofing attacks.  

“Hospitals are uniquely at risk due to the highly sensitive patient data they store, which includes everything from a person’s identifying information like their date of birth, gender, and address, through to their bank account details and, of course, medical history. These details make hospitals a prime target for threat actors,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. “With email-based phishing attacks remaining one of the most common techniques used by cyber criminals, hospitals should prioritise tightening email security.”

Whilst Proofpoint’s research showed that 97% of the Australia’s top hospitals have adopted a DMARC protocol, only 64% are properly implementing DMARC to the recommended and highest level by blocking suspicious emails. Public hospitals were significantly better protected than private healthcare organisations, with 77% of these organisations having properly implemented DMARC to the recommended and highest level by blocking suspicious emails. Worryingly, less than half (44%) of the Australian private hospitals had adopted the email authentication protocol to this same level.

Earlier this year, Proofpoint warned that healthcare was one of Australia’s most vulnerable sectors to threat actors, citing the industry’s focus on investing technology spend on devices and digitising medical records, rather than on security, as a cause for concern. According to Proofpoint’s 2023 State of the Phish Report, Australian organisations are the most likely to experience successful phishing attacks (94% vs 84% global average), with email remaining the favoured attack method for cyber criminals.

Against this backdrop, Google and Yahoo! recently announced that from February 2024, they will require email authentication to be able to send messages from their platforms, signaling that important steps are being taken to prevent spam and scams. These security requirements will apply especially to accounts that send large volumes of emails per day, such as healthcare organisations, which will have to have the DMARC authentication protocol deployed, amongst other measures. Failure to comply will significantly impact the deliverability of legitimate messages to customers with Gmail and Yahoo accounts.

“Hospitals are organisations that all Australians, at some point in their lives, will engage with and share their sensitive, personal information with. Threat actors know this and can prey on the people in our society who need to be cared for, as well as the doctors, nurses and other staff providing this care. Implementing email authentication protocols such as DMARC provides a crucial line of defence to strengthen protection against email fraud and ensure the safety of patients and their families, as well as employees and other stakeholders from potentially harmful cyber threats,” concluded Moros. 

The full findings of Proofpoint's DMARC analysis of Australia’s top-ranked hospitals show: 

• 36% of Australia’s top public and private hospitals currently do not enforce the recommended strictest level of DMARC, while 3% do not have any DMARC record and are wide open to email fraud and domain spoofing attacks. 
• 77% of Australia’s public hospitals had properly implemented DMARC to the recommended and highest level by blocking suspicious emails, while only 44% of private hospitals had adopted the email authentication protocol to this same level.
• 97% of Australia’s hospitals implement some form of DMARC, yet the DMARC policy levels employed vary as follows: 
  • 64% use DMARC – Reject (the highest level of protection) 
  • 2% use DMARC – Quarantine 
  • 31% use DMARC – Monitor  

Below are some best practices for patients, staff, and other stakeholders:

• Check the validity of all email communication and be aware of potentially fraudulent emails impersonating colleagues, suppliers, and stakeholders.  
• Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
• Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

This analysis was conducted in October 2023 using data from the World’s Best Hospitals 2023 – Australia rankings.

###

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube 

###

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.

¹Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).