Domain name management by hospitals and UMCs better, but problems remain
Research by SIDN finds that hospitals have improved the most since 2025
Domain name management by Dutch hospitals has improved a little in the last year, but remains far from perfect, according to research by SIDN. The .nl domain’s operator identified and investigated more than 600 domain names resembling the names of hospitals and university medical centres (UMCs) in the Netherlands. The researchers found, for example, that 30.8 per cent of the investigated domain names did not have the hospital or UMC recorded as the registrant. In 2025, the figure had been even higher, at 35 per cent. The improvement was accounted for mainly by the hospitals, where the percentage of domain names with non-matching registrant names fell from 30 per cent to 20.
Just under half (49 per cent) of all the investigated domain names had no administrative issues, up a little on the 2025 figure of 46.9 per cent. Again, the improvement was mainly down to the hospitals, whose all-clear percentage rose from 53.7 per cent to 59 per cent. Interestingly, the rise was driven largely by a number of hospitals that carried out big domain name portfolio clean-ups last year. The hospitals in question updated their registrations so that all now have the hospital named as the registrant, and its IT department recorded as the primary contact.
Another common problem is domain names that aren’t owned by the hospital or medical centre they relate to, but by a third party – often an IT service provider or marketing agency, but sometimes an individual doctor or researcher. Such arrangements are often about convenience: it's quicker and easier for an employee or service provider to register a domain name themselves than to go through the organisation's IT department.
However, if the employee later leaves, or the care organisation switches to a new service provider, serious problems can arise. Internal mail servers and applications are likely to regard the domain names as trusted, for example. Consequently, if they lapse and get re-registered by malicious actors, they can be used to gain access to sensitive data. Another danger, which doesn’t always receive the attention it should, is that legally the domain names belong to the third party that registered them. If that’s a company that later goes under, control of the domain name passes to the official receiver.
The percentage of investigated domain names with incorrect contact details has actually gone up since last year. The figure is now 11.3 per cent, with both hospitals and medical centres showing significant increases since 2025: hospitals from 9 to 13.9 per cent, and UMCs from 2.5 to 9 per cent.
For example, the contact e-mail was sometimes an employee's private address or the address of an external web design agency or other service provider. Irregularities like that put security at risk, because they open the way for the domain name to be transferred or cancelled without the care organisation's knowledge or approval.
Again, the picture is much the same as last year. Many ‘friends of...’ websites and staff association websites aren’t owned or managed by the relevant institution, but do use the institution’s house style and logos. The researchers observed a significant increase in care quality survey websites and so-called ‘PROMS’ websites. The latter are sites used to investigate patients’ health, quality of life and/or functional status. They are often operated by external service providers, but use the institution’s house style throughout. That’s potentially problematic, because they aren’t under the supervision of the institution’s IT or security personnel, but they are trusted by patients and staff.
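The two administrative checks described above (registrant not matching the institution, contact address private or external) can be run over a portfolio export. The following is an added example, not SIDN's method or code; the institution "City Hospital", the record fields and every record are constructed, and the free-mail list is an assumption.

```python
import re

# Assumption: a short list of private mailbox providers; extend for real use.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com"}
# Dutch legal forms ignored when comparing registrant names.
LEGAL_FORMS = {"stichting", "bv", "nv"}

def norm(name):
    """Normalise a registrant name: lower-case, drop punctuation and legal forms."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower().replace(".", ""))
    return " ".join(t for t in s.split() if t not in LEGAL_FORMS)

def audit(record, institution, own_mail_domains):
    """Return the administrative issues found in one registration record."""
    issues = []
    if norm(record["registrant"]) != norm(institution):
        issues.append("registrant-mismatch")
    mail_domain = record["admin_email"].rsplit("@", 1)[-1].lower()
    if mail_domain in FREE_MAIL:
        issues.append("private-contact-address")
    elif mail_domain not in own_mail_domains:
        issues.append("external-contact-address")
    return issues

# Constructed sample export (hypothetical field names and values).
PORTFOLIO = [
    {"domain": "cityhospital.example", "registrant": "Stichting City Hospital",
     "admin_email": "domains@cityhospital.example"},
    {"domain": "cityhospital-survey.example", "registrant": "WebAgency B.V.",
     "admin_email": "info@webagency.example"},
    {"domain": "friendsofcityhospital.example", "registrant": "City Hospital",
     "admin_email": "j.doe@gmail.com"},
]

def report():
    """Map each domain in the sample portfolio to its list of issues."""
    own = {"cityhospital.example"}
    return {r["domain"]: audit(r, "City Hospital", own) for r in PORTFOLIO}

if __name__ == "__main__":
    for domain, issues in report().items():
        print(domain, issues or "ok")
```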
SIDN’s researchers found various examples of the kind of undesirable situation that can arise from sloppy domain name management – including gambling sites with hospital names incorporated into their domain names. In many cases, the abused domain names used to belong to a care provider, before being let go. Illegal online casino operators often choose domain names with a history of legitimate use, because they tend to be trusted by search engines. The researchers even came across a website selling steroids, with a domain name that used to belong to a medical centre.
The survey also found various domain names that appeared to have been registered for malicious purposes. Of the investigated domain names, 6.2 per cent showed the hallmarks of typosquats: domain names that look very like a brand name or the name of a company or institution, except for a minor typo, such as "cityhopital.nl". Regular sweeps for domain names that resemble your brand name or institution name are a good way to protect against typosquatting. It’s important to be on guard, because typosquats are often used for malicious purposes.
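A sweep of the kind recommended above can compare observed registrations against the institution's own name by edit distance. This is an added example, not SIDN's tooling; the protected label "cityhospital" is inferred from the article's "cityhopital.nl" example, and the observed and owned lists are constructed.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ti" typed for "it".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def label(domain):
    """Label directly left of the TLD (simplification: ignores multi-part suffixes)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def sweep(observed, protected, owned, max_dist=1):
    """Return (domain, protected label, distance) for near-miss names not owned."""
    hits = []
    for dom in observed:
        if dom.lower() in owned:
            continue  # the institution's own or defensive registrations
        for brand in protected:
            d = osa_distance(label(dom), brand)
            if 0 < d <= max_dist:
                hits.append((dom, brand, d))
    return hits

# Constructed sample of observed registrations.
OBSERVED = ["cityhopital.nl", "ctiyhospital.nl", "cityhospital.nl", "stadsapotheek.nl"]

def demo():
    return sweep(OBSERVED, {"cityhospital"}, {"cityhospital.nl"})

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Edit distance only catches single-typo variants; lookalikes built by adding words to the name need a separate substring check.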
“It’s clear that there’s growing awareness amongst the hospitals,” says Martijn Sanders, SIDN BrandGuard Product Owner at SIDN. “Generally speaking, though, more needs to be done, especially by the UMCs. Where digital threats are concerned, organisations tend to think in terms of online data theft and compromised systems. However, domain names can be vulnerable, which makes them a popular target for malicious actors.”
Sanders recognises that the hospitals and medical centres that contacted SIDN after the 2025 survey have made considerable progress over the last year. “We can see that the institutions we spoke to have taken steps to retrieve domain names that weren’t under their direct control. And they’ve almost eliminated the problem.”
SIDN will be presenting the results of the survey to care institutions at the Zorg&ICT 2026 trade fair at Utrecht’s Jaarbeurs exhibition centre. Registrations are now open for Martijn Sanders’ presentations on Tuesday 14 and Wednesday 15 April, and visitors are welcome throughout the event at SIDN’s stand in the fair’s cybersecurity area.