• Matthew Gardiner

    Matthew Gardiner is a Director of Enterprise Security Campaigns at Mimecast and is currently focused on email security, phishing, malware and cloud security. With more than 15 years focused in security, Matthew’s expertise in various roles includes threat detection & response, network monitoring, SIEM, endpoint threat detection, threat intelligence, identity & access management, Web access management, identity federation, cloud security, and IT compliance at RSA, Netegrity, and CA Technologies. Previously he was President and a member of the board of trustees of the security industry non-profit, the Kantara Initiative. Matthew has a BS in Electrical Engineering from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management.

    Comments:0

    Add comment
Matthew Gardiner

Email Security for the Healthcare Industry: Time for a Checkup?

Content
See where healthcare cybersecurity is falling short.

Any regular reader of our blog site has likely come across my quarterly Email Security Risk Assessment (ESRA) blogs that summarise and draw conclusions from aggregated test results we’ve accumulated.

Up until now, however, I have not analysed the test results from the point of view of any particular industry. However, there is evidence that the global healthcare sector is increasingly under cyberattack, as described in our recent blog, Cybercriminals Love Healthcare. In Australia, recent victims of data breaches include Victoria’s Emergency Services, Melbourne’s Cabrini Hospital and HealthEngine.

In early 2019 I pulled the ESRA tests of healthcare organisations, comparing those results to the entire set of ESRA data – and what do you think I found? Are healthcare organisations better or worse protected from email-borne threats when compared with a large cross section of other industries? Read on to find out!

How does the ESRA work?

In an ESRA test, the Mimecast service reinspects a participating organisation’s emails that were deemed safe by their incumbent email security system. This is based on actual inbound email traffic into that organisation, not on crafted or test email. It doesn’t get much more ‘real’ than that! We run this test over a period of time, usually between a week and a month at each participating organisation.

A Mimecast ESRA test passively inspects and records the results of real emails that have been delivered to an organisation’s employees and determines if they are legitimate or unwanted (spam, phishing, impersonations, or contain malware). In security terms, an ESRA test is a false negative hunting initiative, where the Mimecast email security service inspects delivered emails looking for those unwanted ones that have passed through their existing email security net and landed at the organisation. The report from March 2019, for example, can be found here.

But what was’nt in the December 2018 report or any other is a cut of data specifically pulled from tests run at healthcare organisations. Here’s what I found when I pulled that data:

Categories of Emails Passed Through the Incumbent Email Security System

Healthcare ESRAs

All ESRAs

Total # of email inspected

2.2M (1.2% of the total)

181.9M

Total # of unwanted emails (False Negatives)

352K (16.2% of 2.2M)

21.3M (11.7% of 181.9M)

Total # of emails with malware

580 (1 in every 3,741 emails contain malware)

34K (1 in every 5,350 emails contain malware)

Total # of emails flagged as impersonations

6,206 (1 in every 350 emails are impersonations)

42.4K (1 in every 4,290 emails are impersonations)

What do the results say about healthcare cybersecurity?

Are healthcare organisations better or worse protected against email-borne threats than the rest of the tested organisations? Perhaps they are more attacked than the average organisation, and this would explain their higher rate of false positives?

My sense, based on this testing and my own educated guess based on years of security experience, is that healthcare organisations are no more or less attacked via email than other organisations, but that their email security defenses, for whatever reason, are lagging behind the others – although a 11.7% false negative rate for the entire test pool is nothing to be proud of!

Here’s an action plan for healthcare security teams 

If you have not conducted a serious review of their email focused security controls in the last year or two, doing so should be a high priority! Both attackers and email security best practices have moved far over recent years – so it’s critical that defenders in healthcare do the same.
 

Director of Enterprise Security Campaigns, Mimecast

Matthew Gardiner is a Director of Enterprise Security Campaigns at Mimecast and is currently focused on email security, phishing, malware and cloud security. With more than 15 years focused in security, Matthew’s expertise in various roles includes threat detection & response, network monitoring, SIEM, endpoint threat detection, threat intelligence, identity & access management, Web access management, identity federation, cloud security, and IT compliance at RSA, Netegrity, and CA Technologies. Previously he was President and a member of the board of trustees of the security industry non-profit, the Kantara Initiative. Matthew has a BS in Electrical Engineering from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management.

User Name
Matthew Gardiner