Deep Dive: How Healthcare Organizations Practice Privacy and Security

In April, the Online Trust Alliance published the 11th annual Online Trust Audit
assessing the security and privacy of 1,200 top organizations across several
industry sectors. For the first time, this year’s Audit covered 100 of the top
healthcare organizations, including lab testing companies, pharmacies, hospital
chains, and insurance providers.

How did they do?

Since this is the first year these organizations were included,
we do not have historical comparisons, but we can compare how healthcare sites fared
against the other audited sectors. Overall, 57% of healthcare sites made this
year’s Honor Roll, the lowest of all the sectors we studied. By far the most
common reason for failure in the healthcare sector was weak email security
(35%, nearly triple the overall average). Failures attributed to privacy were
less common than average, while failures attributed to site security were
slightly more common than average.

Email Security

SPF and DKIM help protect against forged email. Overall, 87% of healthcare organizations had SPF on their top-level domain and 67% had DKIM (the lowest of any sector, and the main source of healthcare’s failing scores). DMARC builds on SPF and DKIM results, provides a means for feedback reports, and tells receivers how to handle messages that fail authentication. Forty-eight percent of healthcare organizations had a DMARC record, which was slightly below the overall average.
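As an added illustration (not part of the original audit or the Online Trust Alliance's tooling), the following Python parses the DNS TXT records that the SPF and DMARC checks above depend on and summarises the posture the way the audit reports it. The domain and its records are constructed samples; a real check would fetch them with TXT lookups of the domain and of its `_dmarc` subdomain, and DKIM is omitted because verifying it requires knowing the sender's selector.

```python
import re

# Constructed sample TXT records for a hypothetical domain. The SPF record uses a
# soft-fail "~all" and the DMARC record is monitor-only (p=none), a common weak state.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

def spf_record(txt_records):
    """Return the domain's SPF record, or None if absent or duplicated (RFC 7208 allows one)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_all_mechanism(record):
    """Qualifier of the terminal 'all' mechanism: '-' (fail), '~' (softfail),
    '?' (neutral), '+' (pass); None if the record has no terminal 'all'."""
    m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", record)
    if not m:
        return None
    return m.group(1) or "+"

def parse_dmarc(txt_records):
    """Parse a DMARC record into a tag dictionary; None if missing or duplicated."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, txt):
    """Summarise SPF/DMARC posture for a domain from its TXT records."""
    spf = spf_record(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    policy = dmarc.get("p") if dmarc else None
    return {
        "spf_present": spf is not None,
        "spf_all": spf_all_mechanism(spf) if spf else None,
        "dmarc_present": dmarc is not None,
        "dmarc_policy": policy,
        # Only quarantine/reject instruct receivers to act on failures; p=none just reports.
        "dmarc_enforcing": policy in ("quarantine", "reject"),
        "dmarc_reporting": bool(dmarc and "rua" in dmarc),
    }
```

Running `assess_email_auth("example.com", SAMPLE_TXT)` shows a domain that the audit would count as having both SPF and DMARC, yet whose soft-fail SPF and monitor-only DMARC policy give receivers no instruction to reject forged mail.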

To learn more, check out our email authentication and security resources.

Site Security

Here, healthcare sites did better, but still scored the lowest
of all sectors. Healthcare sites averaged 86 points on site security (out of a
possible 100 points, tied for lowest), with 82% forcing all sessions to be
encrypted (the lowest of all sectors).

Some site security highlights for healthcare organizations were
their higher-than-average adoption of TLS 1.3, the latest encryption protocol,
and the low reported rate of cross-site scripting vulnerabilities (8% versus an
overall average of 21%). Lowlights were low adoption of web application
firewalls (by far the lowest at 30% versus an overall average of 71%), and lack
of a vulnerability reporting mechanism (only 3% had one, versus an overall
average of 11%).

Privacy Statements

Healthcare sites had an above average score for both their
overall privacy assessment (73 points out of 100), and their privacy statements
themselves (29 of the available 55). Though these are not impressive scores,
they are still better than many other sectors. For the other half of the overall
privacy score – trackers – healthcare organizations scored well (44 of the
available 45 points), slightly higher than the overall average. Finally, 80% of
the sites had tag management systems, which is well above the overall average
of 71%.

The most important aspect of any privacy statement is conveying
to users how their data is collected and whether it is shared with other
organizations. Ninety-five percent of healthcare sites had language saying that
they do not share data with third parties, among the highest of any sector. In
addition, 5% had language explicitly stating that they do not share with
affiliates.

Another important aspect of data sharing is ensuring that an
enterprise holds its third-party vendors to the same standards it holds itself.
This is important because data breaches or unauthorized access to data often begin
with a third party – 61% of healthcare sites had language conveying this, which
is slightly above the overall average. A related concept to data sharing is
data retention. Ideally any enterprise should have language indicating how long
and for what purpose it retains any data it collects – 4% of healthcare sites
had this statement, which is among the highest across sectors.

Some of the variables we track ensure that a privacy statement
is easily readable by consumers. The first is whether the statement is “layered,”
which 44% of healthcare sites had. There are many ways to layer a statement, from
a simple table of contents to a fully interactive statement with several layers.
Using icons to convey information to consumers in a non-text-based way is
another practice we advocate to help all consumers understand what they are
reading; only 4% of healthcare sites used some kind of icon in their privacy
statements (though only 6% of sites overall did this). Finally, we advocate that
sites have the privacy statement available in multiple languages – 6% of
healthcare sites had this option, slightly higher than sites overall (4%).

We also encourage some simple practices that can ensure
consumers know the information on the privacy statement is up to date, and what
has changed. Sites should have a date stamp, ideally at the top of the privacy
statement page, which 29% of healthcare sites had. In addition, there should be
an archive that indicates what changes have been made to the privacy statement –
just 2% of healthcare sites had this, among the lowest of any sector.

Room for Improvement

Healthcare sites did better than average in some areas, but
there is room for improvement. Email authentication is one area where
healthcare organizations lagged significantly, and adopting more of the Online
Trust Alliance’s best practices would help improve this area. Another area,
though healthcare is clearly not unique in this, is privacy statements. Given the
sensitivity of the data that healthcare organizations deal with, being both
rigorous and open about their privacy practices is strongly encouraged.

The post Deep Dive: How Healthcare Organizations Practice Privacy and Security appeared first on Internet Society.