IT Brief Australia - Technology news for CIOs & IT decision-makers

Major healthcare providers leave email systems open to phishing risk

Yesterday

More than a third of the world's largest healthcare providers are yet to implement essential email security measures against phishing and spoofing, according to research conducted by EasyDMARC.

The report analysed the adoption of DMARC, an email authentication protocol, across 4,100 prominent hospitals and clinics in both the United States and Europe, including the 100 highest-ranked healthcare organisations worldwide. The research revealed that while the proportion of top providers using DMARC increased marginally from 62% in 2024 to 65% in 2025, a substantial 35% still operate without DMARC protection altogether.

Of those that have put DMARC in place, the study found that nearly half are not fully utilising its protective capabilities. Among the top 100 global providers that publish DMARC, just 18% have set the policy to 'p=reject', which tells receiving mail servers to refuse messages that fail authentication, whilst 48% are using the weakest setting, 'p=none', which merely monitors email activity and does not prevent fraudulent messages from reaching inboxes. The remainder use 'p=quarantine', which asks receivers to treat failing messages as suspect, typically by routing them to spam rather than refusing them.

Ongoing cyber threats

The findings come against a backdrop of significant cyberattacks targeting the healthcare sector in recent years. This includes a notable breach at the UK's National Health Service (NHS) in 2024, where almost 400GB of patient data was illicitly obtained, as well as disruptions experienced by Yale New Haven Health in Connecticut. The report highlights that the sensitive nature of healthcare data and the sector's vital societal role make it an attractive target for cybercriminals.

Healthcare organisations, which are heavily reliant on digital communication and critical infrastructure, are especially susceptible to cyber threats such as phishing attacks. Such incidents not only threaten financial loss but can also impact patient safety and healthcare delivery.

DMARC works on the sending domain's side: the domain owner publishes a policy in DNS (a TXT record at _dmarc.<domain>) telling receiving mail servers what to do with messages that claim to come from that domain but fail the underlying SPF and DKIM checks, and receivers report back on what they saw. It therefore protects a domain from being spoofed in the visible From: address; it does not stop phishing sent from lookalike domains or from a compromised legitimate mailbox. The policy has three levels: 'p=none' (monitor and report only), 'p=quarantine' (treat failing mail as suspicious, usually by routing it to spam) and 'p=reject' (refuse it outright). Full enforcement means 'p=reject'. Even a reject policy can be weakened by a 'pct' tag that applies it to only a fraction of failing mail, or an 'sp' tag that leaves subdomains at a weaker policy, so a record needs to be read as a whole rather than just checked for the 'p' value.
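As an added example (not code from EasyDMARC's report or product), the following Python classifies a domain's published DMARC record into the same three categories the report uses and flags the ways a record can be weaker than its 'p' value suggests: monitoring-only policy, partial 'pct', a weaker subdomain policy, missing reporting address, and the invalid cases (no record, or more than one) that receivers treat as no policy at all. The domains and record strings are constructed for illustration; a real audit would fetch the TXT strings at _dmarc.<domain> over DNS instead of reading them from the SAMPLE_RECORDS dict.

```python
"""Classify published DMARC records into monitoring / partial / full enforcement.

Added example; not EasyDMARC's code. SAMPLE_RECORDS below is constructed.
"""
from __future__ import annotations

import re

# RFC 7489: a record is "tag=value" pairs separated by ";", must begin with
# "v=DMARC1", and the required policy tag "p" takes one of these values.
_RANK = {"none": 0, "quarantine": 1, "reject": 2}
_LEVEL = {"none": "monitoring only",
          "quarantine": "partial enforcement",
          "reject": "full enforcement"}
_TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split one DMARC TXT record into a tag dict; ValueError if malformed."""
    parts = [p for p in record.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    tags: dict[str, str] = {}
    for part in parts:
        m = _TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        tags[m.group(1).lower()] = m.group(2)
    if _TAG_RE.match(parts[0]).group(1).lower() != "v" or tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in _RANK:
        raise ValueError("required tag p= missing or not none/quarantine/reject")
    return tags


def classify(records: list[str]) -> dict:
    """Effective policy for a domain, given every TXT string at _dmarc.<domain>.

    Returns 'level' (the report's category) and 'issues', the reasons the
    record gives less protection than its p= value alone suggests.
    """
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"level": "no DMARC", "issues": ["no DMARC record published"]}
    if len(dmarc) > 1:
        # RFC 7489 policy discovery: several records means no policy at all.
        return {"level": "no DMARC",
                "issues": ["multiple DMARC records; receivers apply none of them"]}
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return {"level": "no DMARC", "issues": [str(exc)]}

    policy = tags["p"].lower()
    issues: list[str] = []
    if policy == "none":
        issues.append("p=none only monitors; failing mail is still delivered")

    # pct= applies the policy to a sample of failing mail; the rest gets the
    # next weaker action, so anything under 100 is not full enforcement.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        issues.append("pct= is not a number; receivers fall back to 100")
    if policy != "none" and pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")

    # sp= sets the subdomain policy; when absent, subdomains inherit p=.
    sp = tags.get("sp", policy).lower()
    if sp not in _RANK:
        issues.append(f"sp={sp!r} is not a valid policy")
        sp = policy
    elif _RANK[sp] < _RANK[policy]:
        issues.append(f"sp={sp} leaves subdomains weaker than the organisational domain")

    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports go nowhere")

    return {"level": _LEVEL[policy], "policy": policy, "pct": pct,
            "sp": sp, "issues": issues}


# Constructed records for illustration; the .example domains are not real.
SAMPLE_RECORDS = {
    "weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; sp=none;"
                        " rua=mailto:dmarc@partial.example"],
    "strong.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
                       " rua=mailto:dmarc@strong.example"],
    "absent.example": [],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def audit(domains: dict[str, list[str]]) -> dict[str, dict]:
    """Classify every domain in a mapping of domain -> TXT strings."""
    return {domain: classify(txt) for domain, txt in domains.items()}


if __name__ == "__main__":
    for domain, result in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {result['level']:20} {'; '.join(result['issues'])}")
```

The 'partial.example' record shows why counting 'p=quarantine' as enforced can overstate protection: with 'pct=25' three quarters of failing mail is delivered normally, and 'sp=none' means any subdomain can be spoofed freely. Replacing that record with the 'strong.example' form is the change the report is asking providers to make.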

Regional differences in protection

EasyDMARC's analysis of 2,000 of the largest European healthcare providers indicated that only 48% have DMARC implemented, and of those, over half have the policy set to 'p=none'. A monitoring-only policy does not block harmful messages, so those domains remain open to spoofing. In the United States, DMARC adoption reaches 55%, but nearly 40% of the providers that have it also operate with the weakest monitoring-only policy.

The research indicates that, despite an increase in awareness of email security, many healthcare providers remain exposed and have not moved towards policies that fully block phishing attempts. With over 90% of all cyberattacks said to originate via email phishing, the lack of comprehensive DMARC enforcement is highlighted as a substantial and ongoing risk.

Industry-wide changes in policy from major email providers, including Google, Yahoo, and Microsoft, now require bulk email senders to authenticate with SPF and DKIM and to publish a DMARC record for their sending domain, reflecting the protocol's place as an industry standard. Google's and Yahoo's requirements have applied since February 2024; Microsoft's came into force in early May. Note that these requirements mandate only a minimum policy of 'p=none', so they drive adoption rather than enforcement.

Call for stricter enforcement

Gerasim Hovhannisyan, CEO of EasyDMARC said: "The healthcare sector is under constant pressure to protect patients, keep services running, and manage sensitive data, but too many organisations are still stopping short of full protection. DMARC only works when it's configured properly and enforced, and that means setting it to 'p=reject'. Anything less leaves inboxes open to impersonation and phishing attacks. For healthcare providers, the risk isn't just financial; it's operational and deeply human. Every unprotected email domain is another opportunity for attackers to disrupt care and put lives at risk."

Data from the report also breaks down DMARC deployment within each region. In Europe, 955 of the 2,000 largest healthcare domains have valid DMARC records, but only 241 are set to 'p=reject' and 229 to 'p=quarantine', leaving 485 on monitoring only. In the United States, 1,103 of 2,000 have DMARC records, 170 set to 'p=reject' and 501 to 'p=quarantine', with 432 on 'p=none'. For the top 100 global providers, 65 domains have DMARC, with just 12 set to 'p=reject', 22 to 'p=quarantine' and 31 on monitoring only.

Healthcare providers are being encouraged by security experts to review their DMARC configurations and move toward full enforcement settings to better safeguard sensitive information and maintain the continuity of essential services in the face of increasingly sophisticated cyber threats.
