A new survey of U.S.-based clinics and hospitals has revealed less than one in five institutions have correctly implemented basic phishing and spoofing protection.

The new research, from EasyDMARC, reviewed the security policies of 2,000 clinics and hospitals based in the U.S. It found that only 359, or 18%, of the 2,000 facilities reviewed had correctly implemented and configured security policies to flag, report and remove outbound phishing emails.

The survey reviewed the deployment of the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard among U.S. healthcare domains. First published in 2012, the DMARC standard lets receiving mail systems automatically flag and remove incoming emails that impersonate the sender's domain, which is a way to prevent outbound phishing and spoofing attempts that abuse an organization's domain.

The new research found that 42% of the reviewed U.S. domains had implemented the DMARC standard, but of those institutions only 18% had implemented a "reject" policy that automatically rejects emails imitating a legitimate domain. More of the organizations that deployed DMARC had configured it to do nothing about impersonating emails: 19% of domains had a "none" policy, and 5% had configured DMARC to send impersonating emails into quarantine. Adoption is similar on the international stage, with DMARC adoption among the top 100 global clinics and hospitals sitting at 54%.
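As an added illustration (not code from the survey or from EasyDMARC), the following Python classifies a domain's published DMARC record into the same categories the survey reports: missing, none, quarantine or reject. The domains and TXT records are constructed samples held in a table so the example runs offline; a real check would look up the `_dmarc.<domain>` TXT record in DNS instead.

```python
from collections import Counter
from typing import Optional

# Constructed sample records for hypothetical domains (not real healthcare domains).
SAMPLE_TXT = {
    "clinic-a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-a.example"],
    "clinic-b.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:rep@clinic-b.example"],
    "clinic-c.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
    "clinic-d.example": [],            # no _dmarc record published at all
    "clinic-e.example": ["p=reject"],  # missing the required v=DMARC1 tag: not usable
}

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: str) -> Optional[dict]:
    """Split a DMARC TXT record into lowercase tag -> value pairs.
    Returns None unless the record starts with v=DMARC1 and carries a valid p= tag,
    which RFC 7489 requires; anything else is not an enforceable DMARC policy."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags

def classify(domain: str, txt: dict = SAMPLE_TXT) -> str:
    """Return 'missing', 'none', 'quarantine' or 'reject' for one domain.
    A pct= below 100 applies the policy to only that share of failing mail,
    so it is reported next to the policy rather than silently counted as full enforcement."""
    for record in txt.get(domain, []):
        tags = parse_dmarc(record)
        if tags:
            pct = tags.get("pct", "100")
            return tags["p"].lower() + ("" if pct == "100" else f" (pct={pct})")
    return "missing"

def tally(domains, txt: dict = SAMPLE_TXT) -> dict:
    """Count domains per policy class, the shape of the survey's headline numbers."""
    counts = Counter(classify(d, txt).split(" ")[0] for d in domains)
    return {p: counts.get(p, 0) for p in ("missing",) + VALID_POLICIES}

if __name__ == "__main__":
    for d in SAMPLE_TXT:
        print(f"{d}: {classify(d)}")
    print(tally(SAMPLE_TXT))
```

Only the "reject" class blocks impersonating mail outright; "none" only produces reports, which is why the survey counts it as doing nothing about spoofed messages.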