BlackSheep Security Research
The State of Healthcare Cybersecurity: 2026 Report
We scanned the public infrastructure of 4,827 HIPAA-covered healthcare organizations — hospitals, health systems, and behavioral health providers. 38% have critical vulnerabilities. The average score is 50 out of 100. Healthcare is the #1 ransomware target, and the front door is wide open.
By the numbers
What we found
Key findings
The #1 ransomware target has the weakest defenses
Healthcare is the most breached industry in America. The average healthcare data breach costs $10.9 million. And the public infrastructure of nearly 4 in 10 organizations has critical-severity security gaps.
Nearly half serve unencrypted pages
45.6% of healthcare organizations don't redirect HTTP to HTTPS. Patients visiting the website to schedule appointments, access portals, or submit intake forms can have their data intercepted in transit. For organizations handling Protected Health Information, this is a HIPAA Security Rule violation waiting for an OCR investigation.
6.1% have expired SSL certificates — browsers show an active security warning when patients try to visit. 1.0% use self-signed certificates. Combined, nearly half the industry has fundamental encryption problems.
Email spoofing is trivial
58.2% of healthcare organizations have no DMARC record on their primary domain, and another 17.0% have it set to "none" (monitoring only). That means 75% have no effective email spoofing protection.
29.6% have no SPF record, and 29.4% use a weak "softfail" policy. An attacker can send a phishing email to any employee that appears to come from the organization's own domain — the most common initial access vector for ransomware attacks against hospitals.
Note: DMARC and SPF are measured on each organization's primary website domain. Organizations running email on a health system parent domain may have records configured elsewhere.
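The SPF and DMARC categories used above (missing record, softfail, p=none), as an added Python example that is not part of the report or BlackSheep's scanner; it classifies pre-resolved TXT strings so it runs offline, and the sample zone is constructed:

```python
"""Classify SPF and DMARC records into the categories the report uses.
Added example, not BlackSheep's scanner: it takes pre-resolved TXT strings
so it runs offline, and SAMPLE_ZONE is a constructed domain."""


def classify_spf(txt_records):
    """'missing', 'neutral' (?all/no all), 'softfail' (~all), 'pass-all' (+all)
    or 'strict' (-all)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    # The "all" mechanism decides what receivers do with unlisted senders.
    all_term = next((t for t in spf[0].split() if t.lstrip("+-~?") == "all"), None)
    if all_term in (None, "?all"):
        return "neutral"
    if all_term == "~all":
        return "softfail"
    if all_term in ("all", "+all"):
        return "pass-all"
    return "strict"


def classify_dmarc(txt_records):
    """'missing', 'invalid' (no p= tag) or the p= value: none/quarantine/reject."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in r.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p", "invalid")
    return "missing"


def audit_domain(zone, domain):
    """zone maps DNS names to TXT lists. Only p=quarantine/reject make receivers
    act on failures; p=none is monitoring only, so it blocks nothing."""
    spf = classify_spf(zone.get(domain, []))
    dmarc = classify_dmarc(zone.get("_dmarc." + domain, []))
    return {"spf": spf, "dmarc": dmarc,
            "spoofing_blocked": dmarc in ("quarantine", "reject")}


# Constructed sample: a hospital marketing domain with the report's weak pattern.
SAMPLE_ZONE = {
    "example-hospital.test": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-hospital.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-hospital.test"],
}
```

To run it against a live domain, feed the TXT answers for `domain` and `_dmarc.domain` from any resolver into `zone`.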
The data
Security gaps across 4,827 healthcare organizations
| Finding | Affected | % |
|---|---|---|
| No Content-Security-Policy header | 4,243 | 87.9% |
| No X-Frame-Options (clickjacking risk) | 3,880 | 80.4% |
| No HSTS enforcement | 3,472 | 71.9% |
| No privacy policy visible | 2,952 | 61.2% |
| No DMARC record | 2,809 | 58.2% |
| No HTTP-to-HTTPS redirect | 2,201 | 45.6% |
| No SPF record | 1,427 | 29.6% |
| Weak SPF (softfail only) | 1,421 | 29.4% |
| DMARC set to “none” (monitoring only) | 822 | 17% |
| Robots.txt exposes admin paths | 716 | 14.8% |
| Server version exposed | 370 | 7.7% |
| SSL certificate expired | 293 | 6.1% |
| Open CORS policy (data theft risk) | 221 | 4.6% |
| Self-signed SSL certificate | 48 | 1% |
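A checker for the header findings in the table, added here as an example and not BlackSheep's scanner; it takes the headers of one HTTPS response, and the definitions of "open CORS" and "version exposed" in the comments are my assumptions about the report's criteria:

```python
"""Score one HTTPS response against the header findings in the table above.
Added example, not BlackSheep's scanner; the "open CORS" and "version exposed"
tests below are my assumption of how the report defines those findings."""
import re


def audit_headers(headers, request_origin=None):
    """headers: response headers from the HTTPS page (browsers ignore HSTS sent
    over plain HTTP). request_origin: the Origin we sent, to spot reflection."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("No Content-Security-Policy header")
    # A CSP frame-ancestors directive supersedes X-Frame-Options in current browsers.
    if "x-frame-options" not in h and "frame-ancestors" not in (csp or ""):
        findings.append("No X-Frame-Options (clickjacking risk)")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) == 0:  # max-age=0 switches HSTS off again
        findings.append("No HSTS enforcement")
    acao = h.get("access-control-allow-origin")
    # "*" or echoing whatever Origin was sent lets any site read the responses.
    if acao == "*" or (request_origin and acao == request_origin):
        findings.append("Open CORS policy (data theft risk)")
    banner = h.get("server", "") + " " + h.get("x-powered-by", "")
    if re.search(r"\d+\.\d+", banner):  # product/version such as nginx/1.18.0
        findings.append("Server version exposed")
    return findings


def https_redirect_ok(status, location):
    """True when the plain-HTTP response sends the client to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


# Constructed responses: a weak marketing site and its hardened counterpart.
WEAK = {"Server": "nginx/1.18.0", "Access-Control-Allow-Origin": "*"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Server": "nginx",
}
```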
Overall grades
Nearly 1 in 5 healthcare organizations scores D or F
The average score is 50 — a C. Healthcare has the lowest average of any industry we've assessed, and the highest proportion of failing grades.
| Score range | Organizations | Share |
|---|---|---|
| 80-100 pts | 114 | 2.4% |
| 60-79 pts | 1,542 | 31.9% |
| 40-59 pts | 2,298 | 47.6% |
| 20-39 pts | 252 | 5.2% |
| 0-19 pts | 621 | 12.9% |
By segment
Hospitals score lower than behavioral health
Hospitals — the largest and best-resourced segment — actually score slightly worse than behavioral health providers. Hospitals are also more likely to have expired SSL certificates and HTTPS redirect failures, despite handling the highest volume of patient data.
| Segment | Avg Score | No DMARC | Critical |
|---|---|---|---|
| Hospital | 50 | 58.6% | 39.6% |
| Behavioral Health | 51 | 56.3% | 32.1% |
Context: The average healthcare data breach costs $10.9 million (IBM/Ponemon 2025). Ransomware groups specifically target hospitals because downtime directly threatens patient safety, creating maximum pressure to pay.
Email infrastructure
Where we confirmed the platform, 23% still lack DMARC
MX records only show the first hop. We used autodiscover CNAME records, Microsoft TXT verification, SPF includes, and SMTP EHLO banner grabbing to identify the actual email platform. We confirmed the platform for 1,945 of 4,827 organizations.
| Platform | Share of 4,827 | Detail |
|---|---|---|
| Microsoft 365 | 31.4% | 1,518 orgs confirmed |
| Google Workspace | 8.8% | 427 orgs confirmed |
| Self-Hosted | 3.6% | Postfix, Exim, Sendmail |
| GoDaddy | 1.7% | Shared hosting email |
| Unknown | 54.2% | Health system / no MX |
Confirmed-domain DMARC stats
Of the 1,945 organizations where we confirmed the email platform runs on the website domain: 22.9% have no DMARC and 7.3% have no SPF. The all-domain figure (58.2%) is significantly higher because many healthcare websites are marketing sites for organizations whose email runs on a parent health system domain.
Why 54% are unknown
Healthcare has the highest "unknown" rate of any vertical. Most are individual hospitals within health systems (HCA, CommonSpirit, Ascension) that run email on a parent domain. Their public website is facility-specific but email operates at the system level. Others are behind CDN proxies or have no MX records on their marketing domain.
Behind gateways: overwhelmingly Microsoft
Proofpoint: 96.0% Microsoft behind the gateway. Mimecast: 98.4% Microsoft. Barracuda: 94.4% Microsoft. Behind Google MX records: 33.8% are actually Microsoft (Google MX used for filtering, delivery to M365). Healthcare security gateways are a Microsoft shop.
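The multi-signal platform identification described in this section (MX first hop, autodiscover CNAME, Microsoft verification TXT, SPF includes), as an added Python example that is not BlackSheep's tooling; the vendor hostnames are public ones, but the rule tables are an assumption to extend, and the inputs are pre-resolved records so it runs offline:

```python
"""Infer the mailbox platform behind a domain's MX from several DNS signals.
Added example, not BlackSheep's tooling; vendor hostnames are public ones but
the rule tables are an assumption to extend, and inputs are pre-resolved."""

# MX suffix -> service; a filtering gateway's MX hides the platform behind it.
MX_SIGNATURES = {"pphosted.com": "Proofpoint", "mimecast.com": "Mimecast",
                 "barracudanetworks.com": "Barracuda",
                 "protection.outlook.com": "Microsoft 365",
                 "google.com": "Google Workspace", "secureserver.net": "GoDaddy"}
GATEWAYS = {"Proofpoint", "Mimecast", "Barracuda"}
# SPF include: suffix -> platform that actually sends for the domain.
SPF_SIGNATURES = {"spf.protection.outlook.com": "Microsoft 365",
                  "_spf.google.com": "Google Workspace",
                  "secureserver.net": "GoDaddy"}


def _match(host, table):
    host = (host or "").lower().rstrip(".")
    return next((name for suf, name in table.items()
                 if host == suf or host.endswith("." + suf)), None)


def identify_platform(mx_hosts, autodiscover_cname, txt_records):
    """Return (gateway, platform, evidence); gateway is the MX first hop
    when the other signals show a different platform behind it."""
    evidence, platform = [], None
    first_hop = next(filter(None, (_match(h, MX_SIGNATURES) for h in mx_hosts)), None)
    # Autodiscover CNAME to Exchange Online is the strongest Microsoft signal.
    if _match(autodiscover_cname, {"autodiscover.outlook.com": "Microsoft 365"}):
        platform = "Microsoft 365"
        evidence.append("autodiscover CNAME -> autodiscover.outlook.com")
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split():
                hit = term.startswith("include:") and _match(term[8:], SPF_SIGNATURES)
                if hit:
                    evidence.append(f"SPF {term} -> {hit}")
                    platform = platform or hit
        elif rec.startswith("MS=ms"):  # Microsoft domain-verification TXT
            evidence.append("MS= verification TXT -> Microsoft 365")
            platform = platform or "Microsoft 365"
    if first_hop:
        evidence.append(f"MX first hop -> {first_hop}")
        if platform is None and first_hop not in GATEWAYS:
            platform = first_hop
    gateway = first_hop if first_hop and first_hop != platform else None
    return gateway, platform or "Unknown", evidence
```

The SMTP EHLO banner the report also used needs a live connection and is left out so the example stays offline.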
Regulatory context
What OCR enforces under HIPAA
The HIPAA Security Rule (45 CFR 164) and HITECH Act give HHS Office for Civil Rights broad enforcement authority. OCR settlements regularly exceed $1 million, and criminal referrals are increasing. Here's what they evaluate:
Administrative safeguards: security officer, workforce training, access management
Technical safeguards: encryption, access controls, audit logs, integrity controls
Physical safeguards: workstation security, device controls, facility access
Risk analysis: comprehensive, documented, updated after changes
Breach notification: 60-day notification to individuals, HHS, and media (500+ records)
Business associate agreements: every vendor touching PHI must have a signed BAA
What an OCR enforcement action looks like
Recommendations
Five actions your organization can take this week
1. Force HTTPS on every page. 46% of healthcare organizations don't redirect HTTP to HTTPS. Any form collecting patient information over HTTP is a HIPAA violation. Fix this first.
2. Deploy DMARC with a "reject" policy. Phishing emails impersonating your organization are the #1 ransomware entry point. 30 minutes of DNS work blocks messages that forge your exact domain.
3. Add HSTS, CSP, and X-Frame-Options headers. 88% are missing CSP, 72% have no HSTS, 80% have no X-Frame-Options. These prevent the most common web attacks against patient portals.
4. Renew expired SSL certificates. 6.1% of organizations have expired certificates. Browsers warn patients away. Fix immediately.
5. Document your HIPAA Security Rule compliance. Risk analysis, written policies, workforce training records, BAA inventory, incident response plan. OCR's first request in every investigation is documentation.
Based on publicly accessible infrastructure only. No systems accessed or tested beyond what any internet user can observe.
Methodology
Behind the data
BlackSheep analyzed the publicly accessible infrastructure of 4,827 HIPAA-covered healthcare organizations across four categories: SSL/TLS security, email authentication (SPF, DMARC, DKIM), HTTP security headers, and technology configuration.
Organizations include hospitals, health systems, behavioral health providers, and other HIPAA-covered entities identified from CMS and HHS data sources. Each received a composite score (0–100) and letter grade (A through F). All data was collected from publicly accessible infrastructure only — no systems were accessed, penetrated, or tested beyond what any internet user can observe.
Email authentication statistics (DMARC, SPF) are measured on each organization's primary website domain. Healthcare organizations that are part of larger health systems may have email running on a parent domain with records configured there. Many organizations use EHR vendor portals (Epic MyChart, Cerner, etc.) on separate domains — our scans measured the organization's public marketing website, not the hosted patient portal.
This report covers 4,827 of the 5,000 HIPAA Tier 1 organizations in our dataset — the remainder had websites that could not be scanned (down, behind challenges, or no website found). Data collected April 2026. Individual organization results are not disclosed in this report.
This report was produced by BlackSheep, a cybersecurity compliance platform purpose-built for regulated industries. 21 frameworks. $249/month.
Copyright 2026 BlackSheep Security. This report may be shared freely with attribution.