In April, the Online Trust Alliance published the 11th annual Online Trust Audit assessing the security and privacy of 1,200 top organizations across several industry sectors. For the first time, this year’s Audit covered 100 of the top healthcare organizations, including lab testing companies, pharmacies, hospital chains, and insurance providers.
How did they do?
Since this is the first year these organizations were included, we do not have historical comparisons, but we can compare how healthcare sites fared against the other audited sectors. Overall, 57% of healthcare sites made this year's Honor Roll, the lowest of all the sectors we studied. By far the most common reason for failure in the healthcare sector was weak email security (35%, nearly triple the overall average). The failure rate due to privacy was better than average, while the failure rate due to site security was slightly worse than average.
Email Security
SPF and DKIM help protect against forged email: SPF lets a domain publish which hosts are authorized to send mail on its behalf, and DKIM lets the sending system cryptographically sign messages so receivers can verify that a message came from the signing domain and was not altered in transit. Overall, 87% of healthcare organizations had SPF on their top-level domain and 67% had DKIM (the lowest of any sector, and the main source of healthcare's failing scores). DMARC builds on the SPF and DKIM results, requires that the authenticated domain align with the domain in the visible From address, tells receivers how to treat messages that fail authentication (monitor only, quarantine, or reject), and provides a feedback channel so domain owners receive reports on who is sending mail in their name. Forty-eight percent of healthcare organizations had a DMARC record, slightly below the overall average.
To learn more, check out our email authentication and security resources.
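As an added example (not code from the Online Trust Alliance or from the Audit itself), the following Python walks through the checks a practitioner would run on a domain's email authentication records: evaluating SPF for a given sending IP (including the include: chain), confirming that a DKIM public key is published for a selector, and parsing the DMARC policy and reporting tags. The DNS answers, domain names and DKIM selector are constructed sample data, not real records; for live checks, replace txt_records() with a real TXT lookup (for example via dnspython).

```python
"""Offline assessment of SPF, DKIM and DMARC records for a domain."""
import ipaddress
import re

# Constructed TXT records for two hypothetical domains (sample data, not real DNS).
FAKE_DNS = {
    "example-clinic.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example-clinic.test": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example-clinic.test; pct=100"
    ],
    "sel1._domainkey.example-clinic.test": ["v=DKIM1; k=rsa; p=FAKEBASE64PUBLICKEY"],
    # Weak configuration: SPF that authorizes every host, no DKIM key, no DMARC.
    "weak-hospital.test": ["v=spf1 +all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name):
    """Stand-in for a DNS TXT lookup against the constructed data above."""
    return FAKE_DNS.get(name.lower(), [])


def get_spf(domain):
    """Return the domain's SPF record, or None (RFC 7208 allows exactly one)."""
    spf = [r for r in txt_records(domain) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) triples."""
    terms = []
    for term in record.split()[1:]:
        if "=" in term:  # modifiers such as redirect= or exp= are not handled here
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms


def spf_check(domain, ip, depth=0):
    """Evaluate a sending IP against the domain's SPF record.

    Only ip4/ip6/include/all are evaluated, since those need TXT data alone;
    a/mx/ptr would require further lookups and are treated as non-matching.
    """
    record = get_spf(domain)
    if record is None:
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per evaluation
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            if spf_check(value, ip, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present


def parse_dmarc(domain):
    """Return DMARC tags as a dict, or None if no record exists at _dmarc.<domain>."""
    for r in txt_records("_dmarc." + domain):
        if r.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                key, _, val = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = val.strip()
            return tags
    return None


def dkim_key_present(domain, selector):
    """True if a DKIM key record with a non-empty p= tag exists for the selector."""
    for r in txt_records(f"{selector}._domainkey.{domain}"):
        m = re.search(r"(?:^|;)\s*p=([^;]*)", r)
        if m and m.group(1).strip():
            return True
    return False


def assess_domain(domain, dkim_selectors=()):
    """Checklist of findings; an empty list means every check passed."""
    findings = []
    spf = get_spf(domain)
    if spf is None:
        findings.append("no SPF record")
    else:
        all_terms = [q for q, m, _ in parse_spf(spf) if m == "all"]
        if not all_terms:
            findings.append("SPF has no 'all' mechanism (unmatched senders are neutral)")
        elif all_terms[-1] == "+":
            findings.append("SPF ends in +all, which authorizes every sender")
    if not any(dkim_key_present(domain, s) for s in dkim_selectors):
        findings.append("no DKIM key found for the given selectors")
    dmarc = parse_dmarc(domain)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC policy is p=none (monitor only, nothing enforced)")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so no aggregate reports arrive")
    return findings


if __name__ == "__main__":
    for d in ("example-clinic.test", "weak-hospital.test"):
        print(d, assess_domain(d, ("sel1",)) or ["all checks passed"])
```

Note that a DMARC record alone is not enforcement: p=none only asks receivers for reports, so a domain can "have DMARC" and still be trivially spoofable, which is why the checklist flags p=none and a missing rua= separately.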
Site Security
Here, healthcare sites did better than on email, but still scored at the bottom of all sectors: they averaged 86 points on site security out of a possible 100 (tied for lowest), and 82% forced all sessions to be encrypted over HTTPS (the lowest of all sectors).
Some site security highlights for healthcare organizations were their higher-than-average adoption of TLS 1.3, the latest version of the TLS protocol, and the low reported rate of cross-site scripting vulnerabilities (8% versus an overall average of 21%). Lowlights were use of a web application firewall (the lowest by far, at 30% versus an overall average of 71%) and having a vulnerability reporting mechanism (only 3% versus an overall average of 11%).
Privacy Statements
Healthcare sites had an above-average score for both their overall privacy assessment (73 points out of 100) and their privacy statements themselves (29 of the available 55 points). Though these are not impressive scores, they are still better than many other sectors. For the other part of the overall privacy score, trackers, healthcare organizations scored well (44 of the available 45 points), slightly higher than the overall average. Finally, 80% of the sites had tag management systems, well above the overall average of 71%.
The most important aspect of any privacy statement is conveying to users how their data is collected and whether it is shared with other organizations. 95% of healthcare sites had language saying that they do not share data with third parties, among the highest of any sector. In addition, 5% had language explicitly stating that they do not share with affiliates.
Another important aspect of data sharing is ensuring that an enterprise holds its third-party vendors to the same standards it holds itself, since data breaches and unauthorized access to data often begin with a third party. 61% of healthcare sites had language conveying this, slightly above the overall average. A related concept is data retention: ideally, an enterprise should state how long, and for what purpose, it retains the data it collects. Only 4% of healthcare sites had such a statement, which is nonetheless among the highest across sectors.
Some of the variables we track measure whether a privacy statement is easily readable by consumers. The first is whether the statement is "layered," which 44% of healthcare sites had. There are many ways to layer a statement, from a simple table of contents to a fully interactive statement with several layers. Using icons to convey information to consumers in a non-text-based way is another practice we advocate to help all consumers understand what they are reading; only 4% of healthcare sites used some kind of icon in their privacy statements (though only 6% of sites overall did this). Finally, we advocate that sites make the privacy statement available in multiple languages; 6% of healthcare sites had this option, slightly higher than sites overall (4%).
We also encourage some simple practices that let consumers know whether the information in the privacy statement is up to date, and what has changed. Sites should have a date stamp, ideally at the top of the privacy statement page, which 29% of healthcare sites had. There should also be an archive or change log showing how the privacy statement has changed over time; just 2% of healthcare sites had this, among the lowest of any sector.
Room for Improvement
Healthcare sites did better than average in some areas, but there is room for improvement. Email authentication is one area where healthcare organizations lagged significantly, and adopting more of the Online Trust Alliance's best practices would help close that gap. Another, though healthcare is clearly not alone here, is improving privacy statements. Given the sensitivity of the data that healthcare organizations handle, being both rigorous and open about their privacy practices is strongly encouraged.