An independent cybersecurity review across the largest hospital systems in the United States — the nation’s largest hospital operators and flagship academic medical centers including HCA Healthcare, CommonSpirit Health, and Ascension — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each hospital system’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 70% to 44% — 8 of 18 (44%) scored below 60%.
Cybersecurity Scores of Hospital Systems
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Hospital System | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | AdventHealth | adventhealth.com | 70% | Strong |
| 1 | Northwell Health | northwell.edu | 70% | Strong |
| 3 | Intermountain Health | intermountainhealthcare.org | 68% | Good |
| 4 | NYU Langone Health | nyulangone.org | 67% | Good |
| 5 | Universal Health Services | uhs.com | 66% | Good |
| 6 | Cleveland Clinic | clevelandclinic.org | 61% | Above Average |
| 7 | Providence | providence.org | 60% | Above Average |
| 7 | Trinity Health | trinity-health.org | 60% | Above Average |
| 7 | Tenet Healthcare | tenethealth.com | 60% | Above Average |
| 7 | Banner Health | bannerhealth.com | 60% | Above Average |
| 11 | HCA Healthcare | hcahealthcare.com | 54% | Below Average |
| 11 | Mass General Brigham | massgeneralbrigham.org | 54% | Below Average |
| 13 | Ascension | ascension.org | 50% | Below Average |
| 13 | Cedars-Sinai | cedars-sinai.org | 50% | Below Average |
| 15 | Mayo Clinic | mayoclinic.org | 48% | Weak |
| 16 | CommonSpirit Health | commonspirit.org | 44% | Weak |
| 16 | Kaiser Permanente | kp.org | 44% | Weak |
| 16 | Community Health Systems | chs.net | 44% | Weak |
What the Results Reveal
- Scores range from 70% (AdventHealth) down to 44% (Community Health Systems) — 2 systems reach a strong (70%+) posture, led by AdventHealth and Northwell Health.
- Three of the four largest U.S. hospital operators — CommonSpirit (44%), Kaiser Permanente (44%), and Community Health Systems (44%) — sit at the bottom of the field.
- Flagship academic centers are split: NYU Langone (67%) and Cleveland Clinic (61%) lead, while Mayo Clinic (48%) trails mid-tier community systems.
- Without an enforced DMARC policy, criminals can spoof a health system’s own domain to phish patients or redirect vendor and payroll payments.
Why This Matters for Hospital Systems
Hospital systems and academic medical centers are bound by HIPAA security rules, HHS breach reporting, and OCR enforcement. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against patient phishing, vendor impersonation, and business email compromise targeting payroll and supply-chain payments.
Check any hospital system’s posture at audit.emailmenow.com/?industry=healthcare-systems.
See also — state audits
- Texas Healthcare Systems
- California Healthcare Systems
- Florida Healthcare Systems
- Illinois Healthcare Systems
- New York Healthcare Systems
- Pennsylvania Healthcare Systems
- Ohio Healthcare Systems
- Georgia Healthcare Systems
- Michigan Healthcare Systems
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
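To make the first two recommendations concrete, the following script grades a domain's published SPF, DMARC and MTA-STS records and shows the "before" and "after" of hardening them. It is an added illustration, not the scanner behind audit.emailmenow.com, and its three-control weighting is a simplification of that service's methodology. The sample records are constructed for the example; DKIM is omitted because signing selectors cannot be enumerated from DNS alone, and the MTA-STS policy text is passed in rather than fetched over HTTPS.

```python
"""Grade a domain's SPF, DMARC and MTA-STS posture from its published records.

Added illustration for this report. It is NOT the scanner behind
audit.emailmenow.com, and its pass/warn/fail weighting is a simplification
of the checks the report names. All sample records below are constructed.
"""
import re
from dataclasses import dataclass

# SPF "all" mechanism with its optional qualifier (+, -, ~, ?)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:)|^redirect=", re.IGNORECASE)

WEIGHT = {"pass": 1.0, "warn": 0.5, "fail": 0.0}


@dataclass
class Finding:
    control: str
    status: str   # "pass", "warn" or "fail"
    detail: str


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' tag lists (DMARC and _mta-sts TXT records)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Strict SPF means a '-all' terminal mechanism and no more than 10 lookups."""
    if not record or not record.lower().startswith("v=spf1"):
        return Finding("SPF", "fail", "no SPF record published")
    terms = record.split()
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        return Finding("SPF", "fail", f"{lookups} lookup mechanisms; receivers return permerror past 10")
    qualifier = None
    for term in terms:
        match = ALL_TERM.match(term)
        if match:
            qualifier = match.group(1)
            break
    if qualifier is None:
        return Finding("SPF", "warn", "no 'all' mechanism; unlisted senders get a neutral result")
    if qualifier == "-":
        return Finding("SPF", "pass", "strict SPF (-all)")
    if qualifier == "~":
        return Finding("SPF", "warn", "soft-fail SPF (~all); spoofed mail is flagged, not rejected")
    return Finding("SPF", "fail", f"permissive '{qualifier}all' lets any sender pass")


def check_dmarc(record):
    """Enforced DMARC means p=reject applied to 100% of failing mail."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return Finding("DMARC", "fail", "no DMARC record at _dmarc.<domain>")
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if policy == "reject" and pct >= 100:
        return Finding("DMARC", "pass", "enforced (p=reject)")
    if policy in ("reject", "quarantine"):
        return Finding("DMARC", "warn", f"p={policy} at pct={pct}; not full rejection")
    return Finding("DMARC", "fail", f"monitor-only (p={policy or 'missing'}); spoofed mail is reported but delivered")


def check_mta_sts(txt_record, policy_text):
    """txt_record is the TXT at _mta-sts.<domain>; policy_text is the body of
    https://mta-sts.<domain>/.well-known/mta-sts.txt, fetched separately."""
    if not txt_record or parse_tags(txt_record).get("v", "").lower() != "stsv1":
        return Finding("MTA-STS", "fail", "no _mta-sts TXT record; inbound TLS can be downgraded")
    mode = None
    for line in (policy_text or "").splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mode":
            mode = value.strip().lower()
    if mode == "enforce":
        return Finding("MTA-STS", "pass", "policy mode: enforce")
    if mode == "testing":
        return Finding("MTA-STS", "warn", "policy mode: testing; failures are only reported")
    return Finding("MTA-STS", "fail", f"policy mode is '{mode or 'missing'}'; no enforcement")


def grade(records):
    """records: dict with keys spf, dmarc, mta_sts_txt, mta_sts_policy (None when absent).
    Returns (score 0-100, list of Finding)."""
    findings = [
        check_spf(records.get("spf")),
        check_dmarc(records.get("dmarc")),
        check_mta_sts(records.get("mta_sts_txt"), records.get("mta_sts_policy")),
    ]
    score = round(100 * sum(WEIGHT[f.status] for f in findings) / len(findings))
    return score, findings


# Constructed records: a typical monitor-only setup and the hardened target the report recommends.
WEAK = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "mta_sts_txt": None,
    "mta_sts_policy": None,
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid",
    "mta_sts_txt": "v=STSv1; id=20240101T000000",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.example.invalid\nmax_age: 604800",
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        score, findings = grade(recs)
        print(f"{name}: {score}%")
        for f in findings:
            print(f"  [{f.status}] {f.control}: {f.detail}")
```

Running it prints 17% for the weak set (soft-fail SPF, p=none, no MTA-STS) and 100% for the hardened set. To grade a real domain, replace the constructed dicts with the TXT records at the apex and at `_dmarc.<domain>` and `_mta-sts.<domain>`, plus the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`; the deliberately simple weighting is meant to show which setting moves each control, not to reproduce the report's scores.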
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=healthcare-systems.
Contact EmailMeNow IT Consulting for help with HIPAA-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.