Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

UAE and South African Hospitals Fail on DMARC Implementation

Only a quarter of hospitals have implemented the strongest level of DMARC, with a third running any version of the email validation protocol.

DMARC letters over a motherboard
Source: Borka Kiss via Alamy Stock Photo

Around three-quarters of hospitals in the United Arab Emirates and South Africa have not adopted the strongest form of the Domain-based Message Authentication, Reporting and Conformance (DMARC) email validation protocol.

According to a DMARC analysis by Proofpoint, 28% of hospitals in those regions have implemented the strictest and recommended level of DMARC protection to "reject." There are three levels of protection: monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.

Only 69% of UAE hospitals have published a basic DMARC record, meaning 31% are taking no steps to protect users from potential email fraud. 

Healthcare Under Attack

Emile Abou Saleh, regional director for Middle East and Africa at Proofpoint, said that with the healthcare industry rapidly becoming a target for cybercriminals due to the sensitive patient data these institutions hold, and healthcare organizations being high-value targets for ransomware attacks, "a broader security strategy will be crucial to secure the future of the healthcare sector in the UAE and South Africa, which has been identified as a priority area under the respective national agendas of both countries."

Ryan Witt, healthcare cybersecurity leader at Proofpoint, says that DMARC adoption remains around 25% for the healthcare industry for several reasons:

  • Complexity: DMARC implementation can be complex, especially in medium to large health systems. It requires coordination among multiple departments, careful configuration of email servers, and ongoing monitoring and management.

  • Resource limitations: Implementing DMARC effectively often requires dedicated cybersecurity resources at a time when staffing challenges plague the industry, especially for IT and infosec personnel.

  • COVID: The healthcare industry was particularly challenged by COVID, and it took a tremendous amount of resources to pivot from the office to a work-from-anywhere environment. This occurred at a time when healthcare was under acute challenges for providing patient care, elective surgeries (the most profitable form of patient care) were significantly interrupted, and resources were, in certain instances, needed to establish makeshift/overflow care facilities. 

"Healthcare has made significant strides in better protecting the industry, in part because hospital executives increasingly see cybersecurity as a core component of patient care," Witt says. "In other words, there have been many examples of where a cyber event has directly impacted patient care — delayed procedures, patient records not being available, increased complications for treatment, patient having to be moved to a different care facility, etc. — and hospital executives better appreciate that more investment is needed to secure their health systems."

How Can Organizations Improve?

Witt says there are options to better assist healthcare organizations, such as the Health Information Sharing and Analysis Center (H-ISAC), which has encouraged the healthcare industry to adopt DMARC as a fundamental security control for many years.

"In addition," he says, "the US Department of Health and Human Services, through its 405d program, has provided a best-practices document for cybersecurity preparedness that covers the importance of DMARC when safeguarding against cyberattacks in healthcare."

About the Author

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights