A new study from global cybersecurity firm Proofpoint has disclosed alarming gaps in the cybersecurity measures of Australia's top-ranked public and private hospitals. The research reveals that over a third of these institutions have failed to implement the necessary protection to safeguard against email fraud and domain spoofing attacks.

The study employed Domain-based Message Authentication, Reporting and Conformance (DMARC) to analyse 70 Australian hospitals. DMARC is an email validation system aimed at safeguarding domain names from misuse by cyber criminals. It verifies the sender's identity before the message is delivered.

Despite 97% of Australia's top hospitals having a DMARC protocol, the findings show that just 64% apply DMARC to the recommended levels by blocking suspicious emails.

The research also revealed that public hospitals have a higher level of cybersecurity measures than private ones. While 77% of public health institutions have properly adopted DMARC, only 44% of private hospitals have done the same. Consequently, this makes private healthcare facilities more open to cyber-attacks.

Steve Moros, Senior Director of the Advanced Technology Group for Asia Pacific and Japan at Proofpoint, emphasised the critical nature of the situation, particularly highlighting the heightened risk hospitals face. He pointed out that hospitals housing highly sensitive patient data, encompassing personal identification and medical history, are prime targets for threat actors.

Moros urged hospitals to make email security a top priority, underscoring the prevalent use of email-based phishing attacks as one of the most common tactics employed by cybercriminals.

Steve Moros commented, "Hospitals are uniquely at risk due to the highly sensitive patient data they store, which includes everything from a person's identifying information like their date of birth, gender, and address, through to their bank account details and, of course, medical history."

"These details make hospitals a prime target for threat actors. With email-based phishing attacks remaining one of the most common techniques used by cybercriminals, hospitals should prioritise tightening email security."

Earlier this year, Proofpoint had warned that the healthcare sector was vulnerable due to its focus on investing in technology to digitise medical records and devices, often overlooking security aspects. With Australian organisations more likely to experience successful phishing attacks than the global average, these new findings underline the necessity for hospitals to preserve the safety of patients and their data by fortifying their digital defences.

These alarming revelations are further underlined by recent requirements announced by tech giants Google and Yahoo! Starting in February 2024; both companies will demand email authentication to send messages from their platforms, particularly from accounts that send out high volumes of emails daily. If they fail to comply, such requirements would severely impact healthcare organisations' ability to deliver critical messages.

Moros concluded that email protection protocols such as DMARC represented "a crucial line of defence to strengthen protection against email fraud and ensure the safety of patients and their families, as well as employees and other stakeholders from potentially harmful cyber threats."