Abstract:
The increasing digitalization of the healthcare sector has elevated the urgency of securing the web and email infrastructures used by small and medium-sized enterprises (SMEs). This paper presents the first comprehensive security assessment of 80 medical SME domains and subdomains in the Republic of Moldova. Using a passive OSINT-based methodology and an automated Python tool, the study identified critical misconfigurations, including outdated TLS versions, missing DNSSEC, weak or absent security headers, insecure cookies, and insufficient email authentication mechanisms. To address these challenges, we propose a Security Compliance Score (SCS) Model designed to quantitatively evaluate the security posture of SMEs. The model incorporates six key parameters—TLS configuration, DNSSEC deployment, secure cookies, security headers, email authentication, and server exposure—each scored and weighted based on technical benchmarks. The model enables comparative analysis and supports engineering decisions on risk prioritization. Results indicate that only 65% of the analyzed domains had valid TLS configurations, while DNSSEC was virtually absent. Email security remained highly inconsistent, with no DKIM or DMARC configurations on subdomains and frequent use of self-signed certificates. The findings underscore the need for structured remediation and informed security governance. The proposed SCS model and automated workflow offer a scalable, replicable framework for evaluating web security in medical environments, which can be extended to other national or regional contexts.
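To make the scoring idea concrete, the following is an added illustration (not the paper's own tool or weighting) of how six passively collected observations can be reduced to a single weighted Security Compliance Score. The weights, the header set, and the sample domain `clinic.example` are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
# Weights are an assumption for this example, not the paper's weighting.
WEIGHTS = {"tls": 25, "dnssec": 15, "cookies": 15, "headers": 20, "email": 20, "server": 5}
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")

@dataclass
class Observation:
    """Passively collected facts about one domain (all fields constructed in SAMPLE below)."""
    domain: str
    tls_version: str        # negotiated protocol, e.g. "TLSv1.2"; "" if no valid TLS
    dnssec: bool            # zone is signed (RRSIG / AD flag observed)
    headers: dict           # lower-cased HTTP response header name -> value
    set_cookies: list       # raw Set-Cookie header values
    dns_txt: dict           # DNS name -> list of TXT strings

def score_tls(o):
    return 1.0 if o.tls_version in ("TLSv1.2", "TLSv1.3") else 0.0

def score_cookies(o):
    if not o.set_cookies:
        return 1.0  # no cookies issued, nothing to flag
    flagged = [c for c in o.set_cookies
               if re.search(r";\s*secure\b", c, re.I) and re.search(r";\s*httponly\b", c, re.I)]
    return len(flagged) / len(o.set_cookies)

def score_headers(o):
    return sum(h in o.headers for h in REQUIRED_HEADERS) / len(REQUIRED_HEADERS)

def score_email(o):
    spf = any(t.lower().startswith("v=spf1") for t in o.dns_txt.get(o.domain, []))
    dmarc = any(t.lower().startswith("v=dmarc1") for t in o.dns_txt.get("_dmarc." + o.domain, []))
    dkim = any(name.endswith("._domainkey." + o.domain) for name in o.dns_txt)  # selector known
    return (spf + dkim + dmarc) / 3

def score_server(o):
    return 0.0 if re.search(r"\d", o.headers.get("server", "")) else 1.0  # version disclosed

def compliance_score(o):
    parts = {"tls": score_tls(o), "dnssec": float(o.dnssec), "cookies": score_cookies(o),
             "headers": score_headers(o), "email": score_email(o), "server": score_server(o)}
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()), 1), parts

# Constructed sample; clinic.example is not a domain from the study.
SAMPLE = Observation(domain="clinic.example", tls_version="TLSv1.2", dnssec=False,
    headers={"server": "nginx/1.18.0", "strict-transport-security": "max-age=31536000",
             "x-content-type-options": "nosniff"},
    set_cookies=["PHPSESSID=abc; Path=/", "lang=ro; Path=/; Secure; HttpOnly"],
    dns_txt={"clinic.example": ["v=spf1 mx -all"]})
print(compliance_score(SAMPLE))
```

The per-parameter breakdown returned alongside the total is what makes the score useful for remediation prioritization, since it shows which of the six areas pulls the score down.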