Healthcare Cybersecurity Tweaks to Rapidly Reduce Attack Surfaces

Healthcare organisations are at high risk of suffering cyberattacks, so the industry must stay up-to-speed when it comes to fortifying digital defences.  

No sector is impervious to cyberattacks, but given the huge amount of confidential patient data that they deal with, it’s no surprise that healthcare organisations are at greater risk than those working in government or retail.

So, at the ground level, what can be done to mitigate that risk? Most healthcare cybersecurity resiliency projects rightly focus on wholesale transformation and board-led strategic change. That said, healthcare organisations can take advantage of many effective, safe and free cybersecurity quick wins. 

Here, we explore three accessible healthcare cybersecurity infrastructure changes that can rapidly reduce your attack surface and your exposure to data loss and downtime.

1. DMARC

In the early days of the pandemic, the World Health Organisation had its email domain spoofed en masse. Perhaps your organisation received messages containing false COVID-19 information? If you weren’t targeted, many of your patients certainly were.  

Although the WHO promptly confirmed they’d been spoofed and released official email guidance, spoofers had already inflicted damage. The WHO suffered an unwelcome hit to credibility while patients were exploited and extorted – at the worst possible time.  

So, why did this happen? It transpired that the WHO did not have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured. As a result, attackers could send mail that appeared to come from its domain. Although cybercriminals are evolving from shameless opportunists to meticulous strategists, they’ll never turn down an easy target.

DMARC helps to protect business email from compromise and is particularly effective at preventing attackers from spoofing an organisation’s domain, that is, forging the sender address. DMARC is a free and open technical specification, so, in theory, it should be widely implemented. Yet one of the world’s largest healthcare organisations found itself wanting.

Node4 recommends that you urgently instruct your email administrator to check or configure DMARC. It’s a free and easy way to significantly reduce your attack surface and take control of patient care communications.  
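As an added illustration of what that check involves (this is example code written for this article, not Node4 tooling), the script below parses the DMARC TXT record that an email administrator would retrieve from `_dmarc.<domain>` and grades how much protection it actually provides. DMARC tells receiving mail servers what to do with messages that fail SPF and DKIM alignment, so a record that exists but says `p=none` only monitors and still lets spoofed mail through. The domain names and records here are constructed under the reserved `.example` TLD so the script runs offline; the grading thresholds are this example's own choices.

```python
"""Parse and assess DMARC TXT records (added example, not Node4's code).

In production the record text comes from a DNS TXT lookup of
_dmarc.<domain>; here constructed sample records are embedded so the
script runs offline.
"""

# Constructed sample records for illustration (not real organisations' DNS).
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc@strict.example; ruf=mailto:forensics@strict.example"
    ),
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict.

    Tags are ';'-separated tag=value pairs. Returns None when the text is
    not a DMARC record (the v tag must equal DMARC1).
    """
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def assess_dmarc(txt):
    """Return (grade, findings) for a domain's DMARC record text.

    grade is 'none', 'weak', 'partial' or 'enforcing' (this example's own
    scale); findings lists the gaps an administrator should close.
    """
    tags = parse_dmarc(txt)
    findings = []
    if tags is None:
        return "none", ["no valid DMARC record: receivers accept spoofed mail as if genuine"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none", ["missing or invalid p= tag: record is not a valid DMARC policy"]
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; treated here as 100")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "weak", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        return "partial", findings
    sub = tags.get("sp")
    if sub is not None and sub.lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
        return "partial", findings
    return "enforcing", findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, notes = assess_dmarc(record)
        print(f"{domain:22} {grade:10} {'; '.join(notes) or 'no gaps found'}")
```

To run the same assessment against a real domain, fetch the record with `dig +short TXT _dmarc.<your-domain>` and pass the quoted string to `assess_dmarc`. An "enforcing" grade still depends on SPF and DKIM being correctly set up for every legitimate sending service; the aggregate reports sent to the `rua=` address are how you confirm that before moving from `p=none` to `p=reject`.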


UK Government research found that phishing risk levels are higher than ever, revealing that organisations are struggling to administer effective security training.

Take advantage of our knowledge, structure, and content ideas for running tailored security awareness training sessions in this free guide.


2. Protective DNS

Protective Domain Name Service (PDNS) is another free security solution that bolsters healthcare cybersecurity defences instantly. The UK’s own National Cyber Security Centre (NCSC) created it to hamper the distribution of malware via email.

PDNS will be music to the ears of every healthcare professional, from clinicians to the C-suite. Email-borne attacks are a constant stressor: they are the sector’s second-largest cyberattack vector and the cause of a quarter of all data breaches. And we don’t need to spell out the risks of a patient or operational data breach, or of infrastructure downtime caused by ransomware (often delivered by malicious email).

PDNS is what’s known as a recursive resolver: it answers DNS queries on behalf of your devices and, for domains known to be malicious, refuses to resolve them, so the connection to the malicious site never takes place. And with phishing emails being the leading cause of ransomware infection, preventing infection directly at the source makes sense.

So, check out the NCSC’s website to register for PDNS and rapidly increase your network’s resiliency to one of the biggest healthcare cybersecurity woes.  
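To make the "refuses to resolve" behaviour concrete, here is a small model of the decision a protective recursive resolver makes for each query. This is an added example written for this article, not NCSC or PDNS code: the blocklist and the "upstream" answers are constructed under the reserved `.example` TLD so it runs offline. It shows the two points that matter for defenders: a listed domain blocks every name beneath it (`cdn.malware-dropper.example` is blocked because `malware-dropper.example` is listed, while a look-alike such as `notphish-login.example` is not), and every blocked query is logged, which is the signal that tells you which device tried to reach a flagged domain.

```python
"""Model the filtering decision of a protective recursive resolver.

Added example, not NCSC PDNS code. A real resolver fetches answers from
upstream DNS; here UPSTREAM is a constructed dict so the script runs offline.
"""

# Constructed blocklist standing in for a threat feed. A protective
# resolver treats a listed name and everything beneath it as blocked.
BLOCKLIST = {
    "malware-dropper.example",
    "phish-login.example",
}

# Constructed 'upstream' answers (documentation range 192.0.2.0/24).
UPSTREAM = {
    "intranet.hospital.example": "192.0.2.10",
    "mail.hospital.example": "192.0.2.25",
    "cdn.malware-dropper.example": "192.0.2.66",
    "phish-login.example": "192.0.2.99",
    "notphish-login.example": "192.0.2.120",
}


def normalise(qname):
    """Lower-case and strip the trailing dot so matching is canonical."""
    return qname.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent zone of it is on the blocklist.

    Walks the labels right to left: for a.b.c.example it checks
    a.b.c.example, b.c.example, c.example and example, so a listed zone
    covers all of its subdomains without matching unrelated look-alikes.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def resolve(qname, upstream=UPSTREAM, blocklist=BLOCKLIST, log=None):
    """Return ('BLOCKED', None), ('OK', address) or ('NXDOMAIN', None).

    Blocked queries are appended to `log` (a list) so defenders can see
    which names clients attempted to reach; a real resolver would record
    the client address alongside the name.
    """
    name = normalise(qname)
    if is_blocked(name, blocklist):
        if log is not None:
            log.append(f"BLOCKED {name}")
        return "BLOCKED", None
    addr = upstream.get(name)
    if addr is None:
        return "NXDOMAIN", None
    return "OK", addr


if __name__ == "__main__":
    events = []
    for q in ("intranet.hospital.example", "CDN.malware-dropper.example.",
              "phish-login.example", "notphish-login.example", "unknown.example"):
        print(f"{q:32} -> {resolve(q, log=events)}")
    print("\n".join(events))
```

The blocked-query log is the part worth wiring into your monitoring: a single workstation repeatedly hitting blocked names after a phishing email lands is exactly the early warning that lets you isolate it before ransomware is deployed.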

3. Awareness training

As mentioned, email-borne threats account for a significant proportion of healthcare cyberattacks. Every healthcare organisation is a sprawling network of communication. Add to that the sector’s lag in security maturity, and it’s easy to understand why attackers find healthcare such an irresistible target.

That said, 2022 research has found that security awareness training can significantly reduce the likelihood of successful phishing email attacks against healthcare organisations.  

  • The study analysed improvements in email-threat resiliency using a “phish-prone percentage” (PPP) metric.  
  • Healthcare started with the second-highest PPP, 36.6%, and reduced it to 17.2% after 90 days of KnowBe4 simulated phishing tests.  
  • The decrease in risk to data integrity, patient safety and operational resiliency in such a short time is remarkable.  

With these results, if you’re not already using KnowBe4, we encourage you to start. 

At Node4, we’ve partnered with Proofpoint and Mimecast to bring you active phishing training and passive phishing vulnerability assessment. Combined with PDNS and conventional technology, this gives you a technical firewall and a “biological firewall” (your people) between you and the criminals.  

Do you suspect you aren’t utilising healthcare cybersecurity tools to their full potential? Arrange a free, no-obligation consultation with an experienced Node4 security expert.  

We’ll help discover where free or easy-to-implement solutions can quickly make a real difference to your security posture. Email or call 0345 123 2229.