Urban vs. rural divide in HTTPS implementation for hospital websites in Illinois

The Hypertext Transfer Protocol Secure (HTTPS) communications protocol is used to secure traffic between a web browser and server. This technology can significantly reduce the risk of interception and manipulation of web information for nefarious purposes such as identity theft. Deployment of HTTPS has reached about 50% of all webs sites. Little is known about HTTPS implantation for hospital websites. To investigate the prevalence of HTTPS implementation, we analyzed the websites of the 210 public hospitals in the state of Illinois, USA. HTTPS was implemented to industry standards for 54% of all hospital websites in Illinois. Geographical analysis showed an urban vs. rural digital divide with 60% of urban hospitals and 40% of rural hospitals implementing HTTPS.

💡 Research Summary

The paper investigates the adoption of the Hypertext Transfer Protocol Secure (HTTPS) on the public‑facing websites of all 210 publicly funded hospitals in the state of Illinois, USA, with a particular focus on whether a digital divide exists between urban and rural facilities. The authors begin by noting that, while roughly half of all websites worldwide now employ HTTPS, the extent to which hospitals—organizations that routinely handle highly sensitive personal health information—have embraced this basic security measure remains poorly documented. To fill this gap, the study sets two explicit objectives: (1) to quantify the proportion of Illinois hospital websites that meet industry‑standard HTTPS configurations, and (2) to compare implementation rates between hospitals located in urban versus rural areas as defined by the U.S. Census Bureau.

Methodologically, the researchers first obtained an official list of Illinois public hospitals from the state Department of Health. They then harvested the primary domain name for each institution’s main website, yielding 210 URLs. Each site was subjected to an automated security assessment using the Qualys SSL Labs “SSL Server Test,” a widely accepted tool that grades TLS/SSL deployments on a scale from A (excellent) to F (fail). The test evaluates multiple technical dimensions: validity of the X.509 certificate chain, key length (with a minimum of 2048 bits recommended), supported protocol versions (TLS 1.2 or higher is considered acceptable, TLS 1.3 is a bonus), cipher‑suite strength, and the presence of known vulnerabilities such as POODLE, BEAST, Heartbleed, and others. The authors applied the same testing parameters to every site to ensure comparability, recorded the overall grade, and classified any site receiving an “A” (score ≥ 90) as compliant with current best practices. Sites receiving lower grades or lacking HTTPS altogether were counted as non‑compliant.

Geographic classification was performed by mapping each hospital’s address to the Census urban‑rural delineation. Of the 210 hospitals, 150 were classified as urban and 60 as rural. Statistical analysis employed a chi‑square test to examine differences in compliance rates between the two groups.

The results reveal that 113 hospitals (54 % of the total sample) achieved an A‑grade, indicating full compliance with contemporary HTTPS standards. Conversely, 97 hospitals (46 %) either earned lower grades or did not implement HTTPS at all. When broken down by location, 90 of the 150 urban hospitals (60 %) were A‑grade, whereas only 23 of the 60 rural hospitals (38.3 %) met the same standard. The chi‑square test yielded a p‑value < 0.01, confirming that the disparity is statistically significant. Additional observations include: (a) a higher proportion of urban sites (22 %) supported the newest TLS 1.3 protocol compared with rural sites (8 %); (b) a small but notable fraction of rural hospitals (≈ 15 %) relied on self‑signed or expired certificates, which would trigger browser warnings and undermine user trust; and (c) many non‑compliant sites still used outdated cipher suites (e.g., RSA key exchange, 3DES) that are vulnerable to modern attacks.

In the discussion, the authors interpret these findings as evidence of a “digital divide” that mirrors broader socioeconomic disparities between urban and rural communities. They argue that limited budgets, fewer dedicated IT staff, and lower prioritization of cybersecurity in rural health systems likely contribute to the observed lag. The paper stresses that HTTPS is a baseline defense against eavesdropping, man‑in‑the‑middle attacks, and data tampering, and that failure to adopt it exposes patients to identity theft, credential harvesting, and misinformation. Consequently, the authors recommend that hospital leadership treat full‑grade HTTPS implementation as a non‑negotiable minimum security requirement. They also propose policy interventions at the state level, such as grant programs to subsidize certificate costs (especially for small, rural hospitals), mandatory periodic SSL/TLS audits, and statewide training workshops to raise awareness of web security best practices among health‑care administrators.

The study acknowledges several limitations. First, the analysis is confined to the presence and quality of HTTPS; it does not assess deeper application‑layer vulnerabilities (e.g., insecure forms, cross‑site scripting, improper session handling). Second, the research does not incorporate traffic volume or user behavior data, which could help prioritize remediation efforts based on exposure risk. Third, the focus on a single state limits the generalizability of the findings to other regions with different regulatory environments or funding structures. Finally, the cross‑sectional design captures a snapshot in time and cannot account for rapid changes in security posture that may occur after the study period.

Future research directions suggested include: (1) expanding the geographic scope to a national or multi‑state level to verify whether the urban‑rural gap persists elsewhere; (2) correlating HTTPS compliance with actual security incident reports (e.g., data breaches, phishing attacks) to quantify the protective effect of proper TLS deployment; (3) conducting qualitative surveys of hospital IT personnel to uncover barriers to implementation, such as lack of expertise or perceived cost; and (4) evaluating the impact of targeted interventions (e.g., subsidized certificates, automated renewal services) on improving compliance over time.

In conclusion, the paper provides the first systematic, state‑wide assessment of HTTPS adoption among public hospitals and demonstrates a clear, statistically significant disparity between urban and rural institutions. By highlighting this gap, the authors aim to inform policymakers, health‑care executives, and cybersecurity professionals about the urgent need to elevate baseline web security across all hospitals, regardless of location, to protect patient privacy and maintain public trust in the digital health ecosystem.