TY - GEN
T1 - Understanding the Security and Performance of the Web Presence of Hospitals
T2 - 32nd International Conference on Computer Communications and Networks, ICCCN 2023
AU - Alkinoon, Mohammed
AU - Alabduljabbar, Abdulrahman
AU - Althebeiti, Hattan
AU - Jang, Rhongho
AU - Nyang, Dae Hun
AU - Mohaisen, David
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - The recent transformation of healthcare medical records from paper-based to digital and connected systems raises concerns regarding patients' security and online privacy. For instance, sensitive personal information, such as patients' names, addresses, and social security numbers, may be targeted due to the lack of proper security and privacy mechanisms. Using a total of 4,774 hospitals categorized as government, non-profit, and proprietary hospitals, this study provides the first measurement-based analysis of hospitals' websites and connects the findings with data breaches through a correlation analysis. We study the security attributes of three categories, collectively and in contrast, against domain name-, content-, and SSL certificate-level features. We find that each type of hospitals has a distinctive characteristic of its utilization of domain name registrars, top-level domain distribution, and domain creation distribution, as well as content type and HTTP request features. Security-wise, and consistent with the general population of websites, only 1% of government hospitals utilized DNSSEC, in contrast to 6% of the proprietary hospitals. Alarmingly, we found that 25% of the hospitals used plain HTTP, in contrast to 20% in the general web population. Alarmingly too, we found that 8%-84% of the hospitals, depending on their type, had some malicious contents, which are mostly attributed to the lack of maintenance. We conclude with a correlation analysis against 414 confirmed and manually vetted hospitals' data breaches. Among other interesting findings, our study highlights that the security attributes highlighted in our analysis of hospital websites are forming a very strong indicator of their likelihood of being breached. Our analyses are the first step towards understanding patient online privacy, highlighting the lack of basic security in many hospitals' websites and opening various potential research directions.
AB - The recent transformation of healthcare medical records from paper-based to digital and connected systems raises concerns regarding patients' security and online privacy. For instance, sensitive personal information, such as patients' names, addresses, and social security numbers, may be targeted due to the lack of proper security and privacy mechanisms. Using a total of 4,774 hospitals categorized as government, non-profit, and proprietary hospitals, this study provides the first measurement-based analysis of hospitals' websites and connects the findings with data breaches through a correlation analysis. We study the security attributes of three categories, collectively and in contrast, against domain name-, content-, and SSL certificate-level features. We find that each type of hospitals has a distinctive characteristic of its utilization of domain name registrars, top-level domain distribution, and domain creation distribution, as well as content type and HTTP request features. Security-wise, and consistent with the general population of websites, only 1% of government hospitals utilized DNSSEC, in contrast to 6% of the proprietary hospitals. Alarmingly, we found that 25% of the hospitals used plain HTTP, in contrast to 20% in the general web population. Alarmingly too, we found that 8%-84% of the hospitals, depending on their type, had some malicious contents, which are mostly attributed to the lack of maintenance. We conclude with a correlation analysis against 414 confirmed and manually vetted hospitals' data breaches. Among other interesting findings, our study highlights that the security attributes highlighted in our analysis of hospital websites are forming a very strong indicator of their likelihood of being breached. Our analyses are the first step towards understanding patient online privacy, highlighting the lack of basic security in many hospitals' websites and opening various potential research directions.
KW - Healthcare
KW - Measurement
KW - SSL Certificates
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=85173576879&partnerID=8YFLogxK
U2 - 10.1109/ICCCN58024.2023.10230186
DO - 10.1109/ICCCN58024.2023.10230186
M3 - Conference contribution
AN - SCOPUS:85173576879
T3 - Proceedings - International Conference on Computer Communications and Networks, ICCCN
BT - ICCCN 2023 - 2023 32nd International Conference on Computer Communications and Networks
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 24 July 2023 through 27 July 2023
ER -