Prevalence of DNSSEC for hospital websites in Illinois

The domain name system translates human friendly web addresses to a computer readable internet protocol address. This basic infrastructure is insecure and can be manipulated. Deployment of technology to secure the DNS system has been slow, reaching about 20% of all web sites based in the USA. Little is known about the efforts hospitals and health systems make to secure the domain name system for their websites. To investigate the prevalence of implementing Domain Name System Security Extensions (DNSSEC), we analyzed the websites of the 210 public hospitals in the state of Illinois, USA. Only one Illinois hospital website was found to have implemented DNSSEC by December, 2017.

💡 Research Summary

The paper investigates the prevalence of Domain Name System Security Extensions (DNSSEC) among hospital websites in the state of Illinois, United States. DNSSEC is a set of extensions that add cryptographic signatures to DNS data, creating a chain of trust that protects against spoofing, cache poisoning, and other attacks that exploit the inherent insecurity of the traditional DNS infrastructure. While roughly 20 % of all U.S. websites have adopted DNSSEC, the extent of its use in the health‑care sector—particularly among hospitals that handle sensitive patient information—has not been systematically examined.

To fill this gap, the authors compiled a comprehensive list of the 210 publicly funded hospitals operating in Illinois. For each institution they identified the official domain name and then employed automated DNSSEC validation tools (including open‑source validators and commercial analyzers) to query the DNS records. The validation process checked for the presence and correctness of DNSKEY, RRSIG, and DS records, ensuring that a complete chain of trust from the root zone to the target domain existed.

The results were strikingly low: only a single hospital, the University of Chicago Medicine, was found to have a fully functional DNSSEC deployment as of December 2017. The remaining 209 hospitals either lacked any DNSSEC signatures or exhibited incomplete configurations (e.g., missing DS records at the registrar level). This 0.5 % adoption rate is dramatically below the national average and underscores a substantial security gap in the health‑care web ecosystem.

The authors discuss several plausible explanations. First, DNSSEC implementation requires substantial technical effort: reconfiguring authoritative name servers, establishing key‑management policies, and performing regular key rollovers. Hospital IT departments are typically focused on clinical systems such as electronic health records, medical device integration, and patient portals, leaving limited resources for network‑layer security upgrades. Second, the perceived risk of service disruption during DNSSEC rollout, combined with the complexity of troubleshooting DNS failures, discourages administrators from adopting the technology. Third, despite stringent privacy regulations like HIPAA, there appears to be limited awareness of DNSSEC as a protective measure, with most security programs concentrating on application‑level controls rather than foundational infrastructure.

The study acknowledges its temporal limitation—data were collected at a single point in time (December 2017)—and suggests that adoption may have increased since then. Nevertheless, the finding that virtually all Illinois hospital websites remain unsigned at the DNS level indicates ongoing vulnerability to attacks that could redirect patients to fraudulent sites, intercept credential submissions, or undermine trust in online health services.

In conclusion, the paper calls for a strategic inclusion of DNSSEC in hospital cybersecurity roadmaps, supported by policy incentives, standardized implementation guidelines, and targeted training for IT staff. It also recommends further research to compare DNSSEC adoption across other states and countries, and to identify concrete barriers that prevent health‑care organizations from deploying this essential security layer.