See where healthcare cybersecurity is falling short.


Any regular reader of Mimecast’s Cyber Resilience Insights blog site has likely come across my quarterly Email Security Risk Assessment (ESRA) blogs. These blogs summarize and draw conclusions from the aggregated ESRA test results we have accumulated.

Up until now, however, I have not analyzed the test results from the point of view of any particular industry. With this blog I provide analysis pulled specifically from ESRA tests of healthcare organizations and compare those results to the entire set of ESRA data.

What do you think I found? Are healthcare organizations better or worse protected from email-borne threats when compared with a large cross section of other industries? Read on to find out!

How does the ESRA work?

The healthcare analysis is pulled from the same aggregate data set that we published in the December 2018 ESRA release.

In an ESRA test the Mimecast service reinspects a participating organization’s emails that were deemed safe by their incumbent email security system. This is based on actual inbound email traffic into that organization, not on crafted or test email. It doesn’t get much more “real” than that! Mimecast runs this test over a period of time, usually between a week and a month at each participating organization.

A Mimecast ESRA test passively inspects and records the results of real emails that have been delivered to an organization’s employees and determines if they are legitimate or unwanted (spam, phishing, impersonations, or contain malware). In security terms an ESRA test is a false negative hunting initiative, where the Mimecast email security service inspects delivered emails looking for those unwanted ones that have passed through their existing email security net and landed at the organization. The latest report from December can be found here.

But what isn’t in the December report is a cut of data that is specifically pulled from tests run at healthcare organizations. Here’s what I found when I pulled that data:

| Categories of Emails Passed Through the Incumbent Email Security System | Healthcare ESRAs | All ESRAs |
| --- | --- | --- |
| Total # of emails inspected | 2.2M (1.2% of the total) | 181.9M |
| Total # of unwanted emails (false negatives) | 352K (16.2% of 2.2M) | 21.3M (11.7% of 181.9M) |
| Total # of emails with malware | 580 (1 in every 3741 emails contains malware) | 34K (1 in every 5350 emails contains malware) |
| Total # of emails flagged as impersonations | 6206 (1 in every 350 emails is an impersonation) | 42.4K (1 in every 4290 emails is an impersonation) |

What do the results say about healthcare cybersecurity?

Are healthcare organizations better or worse protected against email-borne threats than the rest of the tested organizations? Perhaps they are attacked more than the average organization, which would explain their higher rate of false negatives?

My sense, based on this testing and my own educated guess from years of security experience, is that healthcare organizations are no more or less attacked via email than other organizations, but that their email security defenses, for whatever reason, are lagging behind the others—although an 11.7% false negative rate for the entire test pool is nothing to be proud of!

Here’s an action plan: those healthcare organizations that have not conducted a serious review of their email-focused security controls in the last year or two should make doing so a high priority! Both attackers and email security best practices have moved far over the past few years. It is important that the defenders in healthcare do the same.

