Email Security for the Healthcare Industry: Time for a Checkup?
 

Any regular reader of Mimecast’s Cyber Resilience Insights blog site has likely come across my quarterly Email Security Risk Assessment (ESRA) blogs. These blogs summarize and draw conclusions from our aggregated ESRA test results that we have accumulated.

Up until now, however, I have not analyzed the test results from the point of view of any particular industry. With this blog I provide analysis pulled specifically from ESRA tests of healthcare organizations and compare those results to the entire set of ESRA data.

What do you think I found? Are healthcare organizations better or worse protected from email-borne threats when compared with a large cross section of other industries? Read on to find out!

How does the ESRA work?

The healthcare analysis is pulled from the same aggregate data set that we published in the December 2018 ESRA release.

In an ESRA test the Mimecast service reinspects a participating organization’s emails that were deemed safe by their incumbent email security system. This is based on actual inbound email traffic into that organization, not on crafted or test email. It doesn’t get much more “real” than that! Mimecast runs this test over a period of time, usually between a week and a month at each participating organization.

A Mimecast ESRA test passively inspects and records the results of real emails that have been delivered to an organization’s employees and determines if they are legitimate or unwanted (spam, phishing, impersonations, or contain malware). In security terms an ESRA test is a false negative hunting initiative, where the Mimecast email security service inspects delivered emails looking for those unwanted ones that have passed through their existing email security net and landed at the organization. 

But what isn’t in the December report is a cut of data that is specifically pulled from tests run at healthcare organizations. Here’s what I found when I pulled that data:

What do the results say about healthcare cybersecurity?

Are healthcare organizations better or worse protected against email-borne threats than the rest of the tested organizations? Perhaps they are more attacked than the average organization, and this would explain their higher rate of false positives?

My sense, based on this testing and my own educated guess based on years of security experience, is that healthcare organizations are no more or less attacked via email than other organizations, but that their email security defenses, for whatever reason, are lagging behind the others—although a 11.7% false negative rate for the entire test pool is nothing to be proud of!

Here’s an action plan: those healthcare organizations that have not conducted a serious review of their email focused security controls in the last year or two should make doing so a high priority! Both attackers and email security best practices have moved far over the past few years. It is important that the defenders in healthcare do the same.