Health companies flunked an email security survey—except Aetna. Why?

by Robert Hackett @FortuneMagazine, February 19, 2015, 3:15 PM EDT

The health care industry is still reeling after two companies announced big data breaches in the past year. Earlier this month hackers stole up to 80 million customer records from Anthem (ANTM), the second largest health insurer in the U.S. In August hackers stole up to 4.5 million patient records from Community Health Systems (CYH), a Tennessee hospital operator.

So how seriously are such companies taking their customers’ security? Agari, an email security company, released results from a survey assessing the security of 147 businesses’ email communications. The poll found that the health care industry severely lags—except for one company: Aetna (AET). An email purportedly sent from a typical health insurance company is, for instance, four times likelier to be fraudulent than an email that claims to be from a social media company.

“The poor folks in health care have traditionally not had much digital interaction. They’re the ones furthest behind by a country mile,” says Patrick Peterson, Agari founder and CEO.

The “state of email trust” survey, which ranks businesses based on their implementation of email security protocols, found that Aetna scored a perfect 100%. (Of the banks, Chase and Capital One also scored perfectly.) None of the other 13 health care companies surveyed even broke out of the “vulnerable” category, all falling below the middle mark. In fact, the average score for the sector was a pitiful 17%. “If it wasn’t for Aetna the score would be half or quarter of that,” Peterson says, adding: “Anthem, quite unsurprisingly, did very poorly.” In comparison, the industry with the highest ranked email security practices was social media at 67%. On the other hand, the second lowest scoring industry was European megabanks, which scored 33%.
Each percentage presented by the survey reflects a weighted score for an industry’s or company’s email authentication practices. These consist of three standard email security protocols: Sender Policy Framework, or SPF, which checks emails against a list of authorized senders (servers approved for a given domain); DomainKeys Identified Mail, or DKIM, which verifies the authenticity of a sender through cryptographic digital signatures; and Domain-based Message Authentication, Reporting, and Conformance, or DMARC, which checks emails against a published record on a company’s servers, notifies the company of any potentially spoofed emails, and rejects suspicious emails as spam.

Of the three protocols, the last is the most important, Peterson says. DMARC, a three-year-old technology pioneered by PayPal (EBAY)—which had been the most phished brand in the world for years, according to Peterson—relies on an information-sharing partnership between businesses (like banks and health insurers) and email providers like Google, Microsoft, Yahoo, and AOL (a few of those that have so far adopted it). Whereas before such companies relied on customers to report fishy emails, now they can effectively cross-check the emails themselves. “It gives visibility from the inbox in realtime to what criminals are trying to do in realtime to defraud customers,” says Peterson.

Although adopting better email security practices such as these protocols would not prevent a breach like Anthem’s, they would contribute to a safer web. And if more companies opted in, the threat of phishing—counterfeiting emails in order to obtain sensitive personal information from recipients—would, so the idea goes, plummet.

Email phishing continues to be a major problem. The proportion of espionage incidents incorporating targeted phishing attacks—known as “spear phishing”—is 67% according to a 2014 Verizon data breach investigations report. Retailer Target’s breach was likely the result of a phishing attack.
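To make the DMARC step concrete, here is an added example (not code from the article, Agari, or any company named in it) of how a receiving mail server combines the SPF and DKIM results with the published DMARC record to decide whether a message is accepted, quarantined or rejected. The domains, TXT records and authentication results are constructed for illustration; a real receiver would fetch the record from DNS at `_dmarc.<domain>`.

```python
"""Simplified DMARC policy evaluation modelled on RFC 7489 (added example)."""
import re

# Constructed DMARC TXT records keyed by domain: sample values only, not the
# records of any real company. The first publishes p=reject with strict DKIM
# alignment; the second only monitors (p=none), as most surveyed firms might.
DMARC_RECORDS = {
    "insurer.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@insurer.example",
    "lagging.example": "v=DMARC1; p=none; rua=mailto:reports@lagging.example",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; alignment defaults to relaxed."""
    tags = {k: v.strip() for k, v in re.findall(r"\s*([a-z]+)=([^;]+)", record)}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplification: treat the last two labels as the organisational domain
    # (real receivers consult the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts any subdomain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' when an authenticated identifier aligns with the From: domain,
    'no-policy' when the domain publishes nothing, else the policy action."""
    record = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return "no-policy"
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]  # none, quarantine or reject
```

Note that a spoofed message can pass SPF for the attacker's own bounce domain; DMARC is what ties the authenticated domain back to the From: header the recipient actually sees.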
The FBI maintains that Sony’s breach was the result of a phishing attack. And though it is unconfirmed, Peterson and others in the security community believe Anthem’s breach was the result of a phishing attack as well. “Something that highly trained spies used to spend a great deal of time infiltrating at great risk, they’ve basically vacuumed up in one fell swoop,” Peterson said of the Anthem hackers. “In that data set of 80 million are CEOs, government officials. I think they’re going to go through and figure out espionage targets now that they have the personal information they need.”

Aetna, the most secure health care company in terms of email according to the survey, stands out among its peers in its pursuit of best practices. “What Aetna is doing is protecting all members and consumers from receiving fraudulent email, some of which is phishing attempts,” said Jim Routh, Aetna’s chief information security officer. “In our case, 60 million fraudulent emails are not going to be delivered to consumers or members this year because of DMARC,” he said, extrapolating from the number of spam emails the company has seen in the past.

Routh, former global head of application and mobile security at J.P. Morgan, which experienced its own data breach last year, likens the process of implementing DMARC to “herding cats,” given the number of third parties that send emails on behalf of big organizations. Each third party sender has to register as a subdomain and implement and enforce the authentication protocols. Routh says it cost very little to set up compared to other labor- and resource-intensive initiatives—like securing and monitoring every network endpoint, or training software developers to embed security controls in their products during the development process—but would not divulge an exact amount.
Peterson and Routh both agree that the reason more companies have not adopted DMARC sooner is a kind of corporate inertia—a tendency to stick to tradition. They also believe that the people in these organizations who understand these email protocols typically have less political clout to drive change. A third reason for stalling is that even when a company opts in, customers may not realize it. “It’s not like one day you say, ‘Oh, I didn’t get phished today!’” Routh says. “It’s more gradual, and so a consumer frankly doesn’t know it.” In the long term, though, the protections afforded by DMARC may protect customers’ relationships with brands.

Adoption of better security measures and the prosecution of high profile botmasters, among other things, have contributed to a decline in the volume of spam in the past couple of years—though spam still accounts for two thirds of global mail, according to the November 2014 McAfee Labs threats report. Still, the severity of the phishing threat is on the rise as campaigns become more highly targeted and well-crafted. And health care data is becoming more valuable, especially for nation states that can exploit it in campaigns for espionage.

The health care industry should take a cue from Aetna. “You don’t realize how much gold and treasure you have until criminals or foreign states or hacktivists get hands on it,” Peterson says.