On March 3, 2026, a Houston pediatric practice discovered their patient portal had been inaccessible for 11 hours because attackers had compromised their domain registrar account and redirected all traffic to a malicious clone site. The practice's IT provider had never implemented DNSSEC, registry locks, or multi-factor authentication on the domain account. The incident exposed 2,400 patient credentials entered into the fraudulent portal before detection and triggered a reportable breach investigation.
Domain Name System infrastructure has become a critical attack vector that most medical practices completely ignore. DNS translates human-readable domain names into network addresses, making it essential infrastructure for every online service your practice operates. In Q1 2026, healthcare domain hijacking incidents increased 178%, with Texas practices suffering disproportionate impact due to shared infrastructure vulnerabilities and inadequate DNS security configurations.
DNS infrastructure presents multiple attack surfaces that directly impact medical practice operations:
Domain Hijacking Through Registrar Compromise: Attackers target domain registrar accounts using credential stuffing, phishing, and password reuse attacks. Once they control the registrar account, they can modify DNS records to redirect traffic, transfer the domain to attacker-controlled accounts, or hold the domain for ransom. A Dallas cardiology practice lost their primary domain for 72 hours when attackers compromised their GoDaddy account using credentials exposed in a previous data breach.
DNS Cache Poisoning: Attackers inject false DNS records into resolver caches, redirecting traffic without modifying authoritative DNS servers. This attack can redirect patient portal traffic to malicious sites even when the practice's DNS configuration is correct. A Fort Worth dermatology practice discovered that regional ISP DNS servers had been poisoned to redirect their portal domain to a credential-harvesting site for three days before detection.
Subdomain Takeover: When practices discontinue cloud services but leave corresponding DNS records active, attackers can claim the abandoned subdomains and host malicious content. This exploits the trust relationship between parent domains and subdomains. An Austin practice's former telemedicine subdomain was claimed by attackers who used it to distribute malware disguised as patient portal updates.
Domain attacks create cascading security failures that extend far beyond website availability:
Patient Portal Credential Theft: When attackers redirect portal domains to cloned sites, patients enter credentials into attacker-controlled systems. These credentials enable immediate access to patient data and facilitate privilege escalation within practice networks. The Houston pediatric breach involved 2,400 credential sets that attackers used to access actual patient records after compromising the legitimate portal.
Email Interception and Business Email Compromise: Domain compromise enables attackers to modify MX records, redirecting practice email through attacker-controlled servers. This provides access to all incoming and outgoing communications without detection. A San Antonio surgical group discovered that six weeks of email correspondence with vendors had been intercepted after attackers compromised their domain and modified MX records to route through Eastern European servers.
SSL Certificate Abuse: Attackers can fraudulently obtain SSL certificates for compromised domains, creating convincing encrypted sites that bypass browser security warnings. Certificate transparency logs show 847 fraudulent healthcare domain certificates issued in Q1 2026, with 23% targeting Texas medical practices specifically.
Protecting domain infrastructure requires specific technical controls that most practices have not implemented:
DNSSEC (Domain Name System Security Extensions): DNSSEC adds cryptographic signatures to DNS records, enabling validating resolvers to verify that a response came from the zone's legitimate operator and to reject records that have been forged or tampered with. Despite being a critical security control, only 12% of healthcare domains have deployed DNSSEC. The protocol defeats cache poisoning and on-path forgery of DNS answers by establishing a chain of trust from the root DNS servers through the TLD to the domain's authoritative servers; it signs records but does not encrypt queries, so it complements rather than replaces encrypted DNS transport.
Registry Lock Services: Domain registries offer lock services that prevent unauthorized transfers, updates, and deletions without multi-party approval. These services require out-of-band verification through multiple communication channels before any domain modification. A Georgetown practice prevented domain theft when attackers compromised their registrar account because registry locks required phone confirmation for any transfer attempt.
DNS over HTTPS (DoH) and DNS over TLS (DoT): These protocols encrypt DNS queries between clients and resolvers, preventing eavesdropping and manipulation by network intermediaries on that hop. Healthcare practices should configure endpoints to use encrypted DNS resolution to a trusted, DNSSEC-validating resolver rather than ISP or network-default resolvers that may be compromised or logged by attackers. Encrypted transport protects the query in transit; it does not by itself verify that the answer is authentic, which is why DNSSEC validation is still needed.
Subdomain Monitoring and Cleanup: Regular audits of DNS zone files should identify abandoned subdomains pointing to discontinued services. Practices should implement procedures to remove DNS records when services are decommissioned and monitor for unauthorized subdomain creation. Automated tools can scan for subdomain takeover vulnerabilities across complex DNS configurations.
The domain registrar account represents a critical concentration of risk that requires specific protection:
Multi-Factor Authentication: Domain registrar accounts must use phishing-resistant hardware-key MFA (FIDO2/WebAuthn) rather than SMS codes or one-time-code authenticator apps, both of which can be phished or relayed. Recovery email addresses and phone numbers should be dedicated accounts not used for other purposes. A Tyler practice prevented domain compromise when attackers obtained the registrar password because hardware key authentication blocked unauthorized access.
Access Logging and Alerting: Registrar accounts should generate alerts for all configuration changes, particularly DNS modifications and contact information updates. Anomalous access from unexpected IP addresses or during unusual hours should trigger immediate notifications. A Corpus Christi practice detected ongoing domain compromise within minutes because their registrar sent alerts for DNS record changes initiated from an Eastern European IP address.
Segregated Administrative Access: Domain management should use dedicated accounts not shared with other services. Password managers should generate unique credentials for registrar access. Administrative email addresses for domain accounts should be separate from general practice email to reduce exposure to business email compromise attacks.
Following a series of domain-related breaches affecting Texas practices, the Texas Medical Association issued a security alert in March 2026 specifically addressing DNS infrastructure protection. The alert highlighted common configuration failures and recommended immediate remediation steps.
The alert identified that 67% of surveyed Texas practices used default DNS configurations provided by their ISPs or web hosts without implementing security extensions. Only 8% had enabled registry locks on their primary domains. The TMA recommended immediate audit of domain configurations and implementation of the security controls outlined in this article.
Medical practices should implement DNS security in phases based on operational criticality:
Immediate Actions (Within 7 Days): Enable MFA on all domain registrar accounts using hardware keys. Audit DNS zone files for abandoned subdomains and remove records pointing to discontinued services. Review and document current DNS configuration including all A, CNAME, MX, and TXT records.
Short-Term Implementation (Within 30 Days): Deploy DNSSEC for primary domains. Enable registry lock services through domain registrars. Configure monitoring and alerting for DNS changes and registrar account access. Implement DNS over HTTPS for practice networks and endpoints.
Ongoing Management: Quarterly DNS configuration audits, annual registrar account security reviews, regular testing of DNSSEC validation and registry lock functionality, and integration of DNS security into incident response procedures.
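The zone audit in the immediate actions and the DNS change monitoring in the short-term plan can both be scripted against a zone export. The following is an added example, not WhyNotDoc's tooling: it parses two constructed zone snapshots (hostnames, addresses and the decommissioned-vendor list are invented for illustration), flags subdomains whose CNAME still points at a cancelled vendor host, and reports changes to high-risk record types between the baseline and the current export.

```python
# Added example: audit a DNS zone export for abandoned subdomains and
# diff it against a prior snapshot to surface high-risk record changes.
# Zone data below is constructed; record format is simplified BIND style:
#   name  TTL  class  type  value

BASELINE = """
portal.example-clinic.test.     300 IN A     203.0.113.10
www.example-clinic.test.        300 IN CNAME portal.example-clinic.test.
telehealth.example-clinic.test. 300 IN CNAME old-video.vendor-cloud.test.
example-clinic.test.            300 IN MX    10 mail.example-clinic.test.
"""
CURRENT = """
portal.example-clinic.test.     300 IN A     198.51.100.7
www.example-clinic.test.        300 IN CNAME portal.example-clinic.test.
telehealth.example-clinic.test. 300 IN CNAME old-video.vendor-cloud.test.
example-clinic.test.            300 IN MX    10 mx.unknown-relay.test.
"""
# Constructed list of vendor hosts whose service the practice cancelled.
DECOMMISSIONED = {"old-video.vendor-cloud.test."}
# Record types whose change can redirect web, mail or the whole zone.
HIGH_RISK_TYPES = {"A", "AAAA", "CNAME", "MX", "NS"}

def parse_zone(text):
    """Return {(name, type): value} for each record line in the export."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 4)          # value may contain spaces (MX)
        if len(parts) == 5 and parts[2] == "IN":
            name, _ttl, _cls, rtype, value = parts
            records[(name, rtype)] = " ".join(value.split())
    return records

def find_dangling(records, decommissioned):
    """Subdomains whose CNAME still targets a cancelled vendor host."""
    return sorted(name for (name, rtype), value in records.items()
                  if rtype == "CNAME" and value in decommissioned)

def diff_zone(old, new):
    """(name, type, old_value, new_value) for every high-risk record that
    was added, removed or changed between the two snapshots."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if key[1] in HIGH_RISK_TYPES and old.get(key) != new.get(key):
            changes.append((key[0], key[1], old.get(key), new.get(key)))
    return changes

if __name__ == "__main__":
    base, cur = parse_zone(BASELINE), parse_zone(CURRENT)
    for name in find_dangling(cur, DECOMMISSIONED):
        print(f"DANGLING: {name} still points at a decommissioned service")
    for name, rtype, old, new in diff_zone(base, cur):
        print(f"ALERT: {name} {rtype} changed: {old!r} -> {new!r}")
```

Run against a real zone export from the registrar or DNS host, the dangling list is the cleanup queue and the diff is what an alert rule should fire on.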
We assess your current domain and DNS security configurations and implement the controls that prevent hijacking, poisoning, and subdomain takeover attacks. Our evaluations include DNSSEC deployment, registry lock implementation, and ongoing monitoring solutions tailored to medical practice requirements.
Call 469-235-4144 or schedule online. We help Texas medical practices protect their critical infrastructure layers.