Abstract
The recent transformation of healthcare medical records from paper-based to digital and connected systems raises concerns regarding patients' security and online privacy. For instance, sensitive personal information, such as patients' names, addresses, and social security numbers, may be targeted due to the lack of proper security and privacy mechanisms. Using a total of 4,774 hospitals categorized as government, non-profit, and proprietary hospitals, this study provides the first measurement-based analysis of hospitals' websites and connects the findings with data breaches through a correlation analysis. We study the security attributes of three categories, collectively and in contrast, against domain name-, content-, and SSL certificate-level features. We find that each type of hospitals has a distinctive characteristic of its utilization of domain name registrars, top-level domain distribution, and domain creation distribution, as well as content type and HTTP request features. Security-wise, and consistent with the general population of websites, only 1% of government hospitals utilized DNSSEC, in contrast to 6% of the proprietary hospitals. Alarmingly, we found that 25% of the hospitals used plain HTTP, in contrast to 20% in the general web population. Alarmingly too, we found that 8%-84% of the hospitals, depending on their type, had some malicious contents, which are mostly attributed to the lack of maintenance. We conclude with a correlation analysis against 414 confirmed and manually vetted hospitals' data breaches. Among other interesting findings, our study highlights that the security attributes highlighted in our analysis of hospital websites are forming a very strong indicator of their likelihood of being breached. Our analyses are the first step towards understanding patient online privacy, highlighting the lack of basic security in many hospitals' websites and opening various potential research directions.
Original language | English |
---|---|
Title of host publication | ICCCN 2023 - 2023 32nd International Conference on Computer Communications and Networks |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
ISBN (Electronic) | 9798350336184 |
DOIs | |
State | Published - 2023 |
Event | 32nd International Conference on Computer Communications and Networks, ICCCN 2023 - Honolulu, United States Duration: 24 Jul 2023 → 27 Jul 2023 |
Publication series
Name | Proceedings - International Conference on Computer Communications and Networks, ICCCN |
---|---|
Volume | 2023-July |
ISSN (Print) | 1095-2055 |
Conference
Conference | 32nd International Conference on Computer Communications and Networks, ICCCN 2023 |
---|---|
Country/Territory | United States |
City | Honolulu |
Period | 24/07/23 → 27/07/23 |
Bibliographical note
Publisher Copyright:© 2023 IEEE.
Keywords
- Healthcare
- Measurement
- SSL Certificates
- Web security