Study finds half of care-sector domain names have administrative issues

Roughly 30 per cent of domains checked by researchers aren't registered in the right names


Care-sector cybersecurity expertise centre Z-CERT and .nl domain operator SIDN have teamed up to review the security of roughly 2,900 domain names used by a variety of organisations involved with the health care sector in the Netherlands. The study flagged up issues with the way many care-sector domain names are managed. Nearly 1 in 3 of the reviewed domain names aren't registered to the matching care organisations. And, in about 17 per cent of cases in the youth care segment, the registered contact details don't relate to the relevant organisations either.

Many care-sector registrations need attention

As more and more aspects of health care are digitised, the focus is shifting from physical security to digital security. Patient data, communication between care practitioners, and even medical equipment are increasingly reliant on a trustworthy and secure online infrastructure. However, domain name-related security risks are often overlooked – even though recent data breaches have illustrated how vulnerabilities linked to domain names can play a decisive role in security incidents.

Our researchers found problems with nearly half of the care-sector domain registrations they looked at. The detected issues ranged from incorrect registration data to potentially malicious activities. In this article, we look at the problems most commonly identified, highlight the risks they bring, and explain how to deal with them.

Incorrect contact details

In about 7 per cent of cases, the contact details registered for the domain names were incorrect. Although the domain names were registered to the corresponding care organisations, the recorded contact details didn't match. For example, the contact e-mail was sometimes an employee's private address or the address of an external web design agency. In one case, it was even the address of a local sports club. Irregularities like that put security at risk, because they open the way for the domain name to be transferred or cancelled without the care organisation's knowledge or approval. Incorrect registrant details are a common issue: in the youth care segment, about 17 per cent of domain registrations had external contact data.

Registrations not in the right names

Roughly 30 per cent of the checked domain registrations weren't registered to the matching care organisations. Many were instead registered to IT service providers or marketing agencies, and some to individual practitioners or researchers. Such arrangements are often about convenience: it's quicker and easier for an employee or service provider to register a domain name themselves than to go through the organisation's IT department.

However, if the employee later leaves, or the care organisation switches to a new service provider, serious problems can arise. Internal mail servers and applications are likely to regard the domain names as trusted, for example. Consequently, if they lapse and get re-registered by malicious actors, they can be used to gain access to sensitive data.

Focus points for small organisations and hospitals

Smaller organisations – nursing homes, care homes and providers of home care and disability care, for example – are at particular risk in that context. About 35 per cent of those organisations' domain names are managed externally. Strikingly, 36 per cent of university medical centres have similar arrangements, probably because individual researchers and departments typically have a lot of independence and the UMCs have numerous domain names. Another factor is that hospitals of all types often have numerous 'ancillary' websites, such as sites for patients' associations, annual reports or fundraising initiatives (e.g. "Friends of…" sites). It's common for such sites to use the hospital's house style, despite being independently run and hosted.

Cutting corners and shadow IT

It's understandable that care organisations, especially the smaller ones, are sometimes tempted to cut corners. For example, an IT-savvy employee or an external web designer will register a domain name, without involving the IT department, because that's quicker and easier. However, it often leads to problems further down the line. The risks associated with well-intentioned 'shadow IT' solutions, and the trouble they can cause, are well known. In one case we came across, a hospital's domain name was registered by an external service provider, and subsequently wasn't renewed. It was then snapped up by an anonymous actor, who set up a copy of the hospital's website, with a portal for ordering unregulated medication.

Potentially malicious registrations

Our review also revealed some domain name registrations that could be malicious. Fortunately, the number of names involved was small: just over 2 per cent of all the names we found. Many of the detected cases involved a domain name that incorporated a care organisation's name, but had been registered by someone unknown to that organisation, typically using a foreign address and an anonymous e-mail account.

The suspicious registrations mainly leant on the names of UMCs and hospitals, presumably capitalising on such establishments' familiarity to the public and strong online presence.

Typosquats

Typosquatting means registering a domain name that closely resembles a brand name or the name of a company or institution, differing only by a minor typo: for example, "cityhopital.nl". Domain names like that are often registered by 'domainers', in the hope of selling them on at a profit, whether to the relevant institution or to a malicious actor.

Pending their resale, the domains are frequently used to host advertising content, which is sometimes a medium for malware distribution. Our study found that, in the care sector, the main targets of typosquatting were UMCs (10 per cent), hospitals and youth care organisations (roughly 7 per cent).

A lot needs to be done, but there's good news too

As well as flagging up a lot of issues, our analysis showed that various notable actors had very good domain name security. For example, we found care organisations of all sizes that had put one particular department in charge of domain name policy. That approach seems to work well, because we didn't see any issues with those organisations' domain names. Municipal health services also scored well: almost all their registration data was correct, and their domain names were registered to the organisations themselves.

Best practices

Care organisations often serve vulnerable client populations and handle sensitive patient information. It's therefore vital that their IT infrastructures work well and are reliable. Not everyone is confident navigating the increasingly complex digital landscape. Nevertheless, good organisational practices can prevent a lot of problems for clients and staff alike.

Here's what we advise:

  • A care-sector domain name should always be registered to the organisation it relates to, using the contact details of that organisation's IT department, marketing & communication department or board.

  • Define a domain name policy, especially if you're a large organisation with 10 or more domain names. Stipulate how and where domain names can be registered, who's responsible, and what the procedure is.

  • Never allow a domain registration to lapse. Retaining the registration of an inactive .nl domain name only costs a few euros a year, whereas letting the name go will open the way for someone else to pick it up and use it for a malicious purpose.

  • Don't go for domain names that include year numbers. A name like www.healthyin2025.nl is only relevant for one year.

  • Guard against domain name proliferation. Instead of registering another domain name for every new website, keep sites under the organisation's primary domain where possible. So www.cityhospital.nl/department, not www.department.nl. Alternatively, create a subdomain: department.cityhospital.nl. Then you won't lose your overview, and the sites will clearly belong to your organisation.

  • Monitor domain name registrations so that you get to know about any potentially malicious activity, and about your own people registering names outside the official channels.

  • Consider registering domain names very similar to your own. That's a relatively cheap way of cutting the risk of typosquatting.

If something does go wrong

Even if your organisation manages domain registrations well, someone may register a domain name with the aim of using your organisation's name for a malicious purpose. It therefore helps to proactively watch for lookalike registrations. You can do that by signing up for a service such as SIDN BrandGuard or another cybersecurity service. If a domain name seems to be registered using false personal data, you can ask SIDN to verify the registration data. If the registrant's identity can't be confirmed, SIDN will remove the domain name from the .nl zone within a few days.
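One way to do the lookalike check yourself, as an added example that is not SIDN or Z-CERT code: it compares observed domain names against your own portfolio and reports typo variants, the same name under another TLD, and names that merely incorporate yours. The portfolio, the observed names and the function names are constructed for illustration, and every name is assumed to have the simple form label.tld.

```python
# Added example, not SIDN or Z-CERT code. All domain names are constructed.
FOLD = str.maketrans({"0": "o", "1": "l", "-": None})  # common look-alike swaps

def split_name(domain):
    """Split a registrable name such as 'cityhospital.nl' into (label, tld)."""
    label, _, tld = domain.strip().lower().rstrip(".").partition(".")
    return label, tld

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, own):
    """Say why `candidate` resembles `own`; None if unrelated or identical."""
    (c_label, c_tld), (o_label, o_tld) = split_name(candidate), split_name(own)
    if c_label == o_label:
        return None if c_tld == o_tld else "same name, other TLD"
    c_fold, o_fold = c_label.translate(FOLD), o_label.translate(FOLD)
    if len(o_fold) < 5:
        return None  # short labels match unrelated names by chance too often
    if osa_distance(c_fold, o_fold) <= 1:
        return "typo or look-alike variant"
    return "contains organisation name" if o_fold in c_fold else None

def review(observed, own_domains):
    """Return (observed name, matched own name, reason) for every hit."""
    owned, hits = {split_name(o) for o in own_domains}, []
    for name in observed:
        if split_name(name) in owned:
            continue  # one of our own registrations
        for own in sorted(own_domains):
            reason = classify(name, own)
            if reason:
                hits.append((name, own, reason))
                break
    return hits

OWN = {"cityhospital.nl"}  # assumption: the organisation's registered portfolio
OBSERVED = ["cityhopital.nl", "cityhosptial.nl", "cityh0spital.nl", "city-hospital.nl",
            "cityhospital.com", "cityhospital-portal.nl", "townclinic.nl", "cityhospital.nl"]
print(*review(OBSERVED, OWN), sep="\n")
```

A hit only says that a name resembles yours, so each one still needs a person to check who registered it and what it is used for.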

SIDN can't disable domain names in other TLDs (e.g. .com or .eu). However, there are ways of getting something done about domain names outside the .nl zone. Start by trying to make direct contact with the person or organisation that registered the domain name or that hosts the domain's website. That's often the quickest way to find a solution.

If that doesn't work, you can start a WIPO procedure. You may be able to get control of a problematic domain name that way. A WIPO procedure typically costs a few thousand euros. You can do the same if you believe a .nl domain name infringes your copyright, in a situation where the registration data is correct, but the registrant refuses to give you control of the domain name.

The focus points and best practices described in this article are of course important for organisations outside the care sector as well. We've zoomed in on the care sector and presented examples from that sector in order to highlight the importance of domain names and flag up the related risks. It's worth emphasising that most issues involving domain names can be resolved by administrative means. It only takes a moment to transfer ownership and control over a domain name to the care organisation it relates to. And, by doing so, to prevent many problems further down