
Quarter of Australian hospitals lack strong cyber measures
The cybersecurity firm Proofpoint has revealed that nearly a quarter (23%) of Australia's leading hospitals still lack basic email security measures, leaving patients and healthcare professionals at increased risk of email fraud.
Proofpoint's analysis examined the Domain-based Message Authentication, Reporting, and Conformance (DMARC) records of 70 hospitals to gauge how well they guard against email impersonation. DMARC is an email authentication protocol: a domain owner publishes a DNS record telling receiving mail servers how to treat messages that claim to come from the domain but fail SPF or DKIM alignment checks. The strongest DMARC policy, 'Reject', instructs receivers to refuse such messages outright, so spoofed emails never reach inboxes.
According to Steve Moros, Senior Director of Advanced Technology Group at Proofpoint for the Asia Pacific and Japan, the healthcare industry is particularly susceptible to cyber threats. "The healthcare industry has become one of the most targeted sectors for cyber criminals due to the highly valuable data it stores, including patient identities, bank account details, and medical history, combined with limited resources focused on staying operational to provide patient care," Moros stated.
The findings follow significant cyber incidents such as the Genea IVF data breach and the MediSecure attack, which highlighted vulnerabilities in the sector. The Australian Security Intelligence Organisation (ASIO) has also warned of a severe threat landscape, underscoring that these concerns are a growing reality.
"Recent research supports this trend, with the 2024 Ponemon Healthcare Cybersecurity Report finding that 92% of healthcare organisations experienced a cyberattack in 2024, up from 88% in 2023," Moros noted. He pointed out that email continues to be a primary vector for cyber threats, with the COVID-19 pandemic further expanding these vulnerabilities as the healthcare sector increasingly adopted telehealth solutions.
Moros emphasised the importance of implementing DMARC to its fullest capacity: "With more large-scale cyberattacks affecting Australian healthcare organisations, including MediSecure and most recently Genea, implementing robust email security protocols like DMARC adds a critical layer of protection."
While Proofpoint's 2023 analysis showed that 97% of top hospitals used some DMARC protection, only 64% had adopted the strongest policy. In its latest analysis, 100% of hospitals analysed now use DMARC protection, but only 77% have implemented DMARC to the recommended 'Reject' level.
Moros stated, "We're encouraged by the improved DMARC adoption across Australian top hospitals, but a significant security gap remains. For healthcare institutions, strong cybersecurity isn't just about protecting patient data, it directly impacts the quality of care Australians receive."
The latest data shows that while DMARC implementation has improved, 23% of the hospitals analysed operate with insufficient protection: 3% use the Quarantine policy (failing messages are diverted to spam rather than blocked) and 20% use the Monitor policy (failing messages are only reported, not acted on). This underscores the ongoing need for improvement within the sector.
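The three tiers above map directly onto the `p=` tag of a domain's DMARC record, and the article's survey amounts to fetching `_dmarc.<domain>` TXT records and classifying them. The script below is an added example (not Proofpoint's tooling or the article's own code) that parses DMARC records and classifies them as Reject, Quarantine, Monitor or No DMARC, including the edge cases a checker should handle: a missing `p` tag falls back to Monitor only if a `rua` reporting address is present (RFC 7489 section 6.6.3), the `sp` tag overrides `p` for subdomains, and `pct=0` means an apparently enforcing policy is applied to none of the mail. The hospital domains and records are constructed sample data standing in for real DNS lookups.

```python
"""Classify DMARC policies into the article's tiers: Reject, Quarantine, Monitor.

Added example, not Proofpoint's or the article's code. The domain names and
DMARC records below are constructed for illustration.
"""
from collections import Counter
from typing import Callable, Optional

VALID_POLICIES = ("none", "quarantine", "reject")
LABELS = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict.

    Returns {} unless the first tag is exactly v=DMARC1, which RFC 7489
    requires; anything else at _dmarc.<domain> is not a DMARC record.
    """
    pairs = []
    for part in record.split(";"):
        if "=" not in part:
            continue  # skip empty or malformed segments
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return {}
    return dict(pairs)


def classify(record: Optional[str], subdomain: bool = False) -> str:
    """Return 'Reject', 'Quarantine', 'Monitor' or 'No DMARC' for a record.

    - No record, or a non-DMARC record: 'No DMARC'.
    - For subdomains the 'sp' tag, when present, replaces 'p'.
    - A missing or invalid policy counts as p=none if 'rua' is set,
      otherwise the record is ignored (RFC 7489 section 6.6.3).
    - pct=0 means the enforcing policy is applied to 0% of failing mail,
      so the domain is effectively only monitoring.
    """
    if not record:
        return "No DMARC"
    tags = parse_dmarc(record)
    if not tags:
        return "No DMARC"
    policy = tags.get("p", "").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in VALID_POLICIES:
        if tags.get("rua"):
            policy = "none"
        else:
            return "No DMARC"
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) == 0:
        return "Monitor"
    return LABELS[policy]


def survey(domains, resolve: Callable[[str], Optional[str]]) -> Counter:
    """Tally the policy tier across domains. `resolve(domain)` returns the
    TXT record at _dmarc.<domain> or None; swap in a real DNS lookup here."""
    return Counter(classify(resolve(d)) for d in domains)


# Constructed sample records standing in for _dmarc.<domain> TXT lookups.
SAMPLE_DNS = {
    "_dmarc.hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example",
    "_dmarc.hospital-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:rep@hospital-b.example",
    "_dmarc.hospital-c.example": "v=DMARC1; p=none; rua=mailto:rep@hospital-c.example",
    "_dmarc.hospital-d.example": "v=DMARC1; p=reject; pct=0",          # enforcing on paper only
    "_dmarc.hospital-e.example": "v=DMARC1; rua=mailto:rep@hospital-e.example",  # no p tag
    "_dmarc.hospital-f.example": "v=spf1 -all",                         # wrong record type
}
SAMPLE_DOMAINS = [k[len("_dmarc."):] for k in SAMPLE_DNS] + ["hospital-g.example"]


def sample_resolver(domain: str) -> Optional[str]:
    """Offline stand-in for a DNS TXT query of _dmarc.<domain>."""
    return SAMPLE_DNS.get(f"_dmarc.{domain}")


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:22} {classify(sample_resolver(d))}")
    print(dict(survey(SAMPLE_DOMAINS, sample_resolver)))
```

To run it against real domains, replace `sample_resolver` with a function that queries the `_dmarc.<domain>` TXT record (for example with `dnspython`) and joins the returned strings; the classification logic is unchanged.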
Proofpoint recommends best practices for patients, staff, and stakeholders, including verifying the authenticity of all email communications, being wary of fraudulent attempts impersonating trusted contacts, and adopting phishing-resistant multifactor authentication.