
Earlier this year, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule. The notice focused on modernizing security practices to better guard electronic Protected Health Information (ePHI) from cybersecurity attacks by taking steps to strengthen key defenses. This includes areas such as risk analysis and management, access controls, audit controls and monitoring, incident response and reporting, and more.
These steps are important as healthcare organizations are under attack. The U.S. Department of Health and Human Services’ Office for Civil Rights has identified more than 725 major breaches in healthcare that impacted more than 180 million people in 2024. The steps introduced by HHS are a big step forward, but on closer inspection, they are insufficient.
That’s because there are still gaps that are not being addressed, which are impacting a growing number of healthcare organizations today, namely client-side vulnerabilities. Digital skimming attacks, unauthorized third-party scripts, and browser-based threats are successfully attacking healthcare organizations by targeting JavaScript-based vulnerabilities and third-party pixels.
Take Novant Health as an example. In 2024, Novant Health settled a more than $6 million privacy breach lawsuit. At the case’s core was the use of pixel code, a piece of JavaScript code or an iframe, which helps websites track a person’s actions across the site. This includes everything from how many web pages they visit to what they click on, and more. Healthcare organizations like Novant use this data to help improve care and, in this case, virtual care. What went wrong with Novant is that the data of more than one million individuals was shared with a third-party technology company that had no authority to receive it.
Novant is far from alone. Today, virtually every organization with a website is a target, and 98 percent of them use JavaScript. In fact, healthcare websites — specifically hospital websites — use a median of 16 third-party tags (or third-party data transfers) per homepage.
The good news is that many of these organizations recognize that there is an issue and are taking action. Our research team analyzed the top 50 US-based healthcare companies, examining every website to determine whether it was actively using a Content Security Policy (CSP) or a client-side protection agent to help mitigate threats, and then assessed each site's risk based on how that solution was implemented across its pages. In the end, the team found that 44 percent of the top 50 were relying on CSPs to mitigate digital skimming risks. A CSP is designed to help stop attacks by giving the security team the power to declare which resources a visitor's browser may load on the company's site and which it may not. While the idea of blocking untrusted resources is sound, the manual aspects of this approach are not, because of the sheer number of third-party scripts the team must sift through around the clock. And even when items are successfully blocked, today's sophisticated attacks can easily find other ways in.
The bottom line is that while recognizing there is an issue is vital, too many healthcare organizations are counting on solutions that cannot and will not provide a sufficient line of defense. This could spell trouble for many organizations. Of these 50 healthcare businesses, only 4 percent have recognized that more is needed and have taken action by implementing a comprehensive client-side protection agent-based solution. Now it’s time for the others to follow their lead.
That is why the NPRM must be expanded with measures that align with the best practices already established in other rules and regulations. One example is the Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council: PCI DSS v4 requirements 6.4.3 and 11.6.1 provide enhanced security measures to ensure greater protection of payment card information.
By following guidance such as this, healthcare organizations can expand regulatory protections to include browser and client-side security measures. When done right, they can then mitigate emerging cyber risks, prevent data breaches, and strengthen compliance in an increasingly digital healthcare ecosystem.
What’s needed
Given the rise of digital skimming (e.g., Magecart) and third-party JavaScript exploits, as well as the ongoing reliance on CSP, organizations handling electronic Protected Health Information (ePHI) should consider expanding their security controls, starting with a review of their script inventory. Create a detailed list of all the third-party vendors (and third-party tags) and scripts that are being used on all web pages. This will help to sift out any unauthorized scripts that might be on the site. It also helps ensure compliance with key regulations, from PCI DSS to HIPAA.
Now, keep in mind that even approved scripts cannot be given carte blanche — restrictions must be implemented that limit their access to data as well. For example, form fencing allows healthcare providers to control which scripts can read and access data entered into forms, such as a payment, registration, or appointment booking form. Form fencing offers powerful and granular rule engines that give healthcare organizations full control over each script running on their website, including the ability to monitor and enforce as needed.
And it’s not just about what data these scripts can access. It’s also vital to control what they can exfiltrate from the site, including everything from PII and the EHR data to payment and insurance details and biometric information. Client-side solutions offer capabilities that can ensure this data remains secure.
The work does not end with script access. I recommend that the NPRM call on businesses to conduct regular reviews of all website components, with a particular focus on third-party integrations. For healthcare organizations, this would include payment and billing solutions, e-prescribing tools, and Electronic Health Record (EHR) integrations. Rather than conducting periodic reviews, I encourage healthcare organizations to implement an automated approach that keeps a close eye on all activities around the clock.
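As an added illustration (not code from this article or from Jscrambler), the following JavaScript sketches the script-inventory and continuous-review steps described above: it classifies the URLs of loaded scripts, or of outbound resource requests, against an allowlist of approved third-party hosts, flags what needs review, and diffs the result against a previously saved inventory. The page origin, the allowlist and the sample URLs are constructed for the example.

```javascript
// Added example, not from the article: a minimal script-inventory and
// review check. In a browser the URL lists would come from
// Array.from(document.scripts, s => s.src) for scripts and from
// performance.getEntriesByType('resource').map(r => r.name) for outbound
// requests; here the inputs are constructed so the logic runs anywhere.

const PAGE_ORIGIN = 'https://portal.example-health.test';   // constructed
const APPROVED_THIRD_PARTIES = [                            // constructed
  'cdn.approved-analytics.test',
  'pay.approved-psp.test',
];

// Hostname of a script or request URL, resolved relative to the page.
function hostOf(url) {
  try { return new URL(url, PAGE_ORIGIN).hostname; } catch (e) { return null; }
}

// Exact match or any subdomain of an approved host.
function isApproved(host) {
  return APPROVED_THIRD_PARTIES.some(a => host === a || host.endsWith('.' + a));
}

// Classify each URL as inline, first-party, approved third-party, unapproved
// or unparseable. Works for script src values and for outbound request URLs.
function classifyUrls(urls) {
  const pageHost = new URL(PAGE_ORIGIN).hostname;
  return urls.map(url => {
    if (url === '') return { url, host: null, status: 'inline' };
    const host = hostOf(url);
    let status = 'unapproved';
    if (host === null) status = 'unparseable';
    else if (host === pageHost) status = 'first-party';
    else if (isApproved(host)) status = 'approved-third-party';
    return { url, host, status };
  });
}

// Entries that need a human decision: anything not first-party or approved.
function needsReview(inventory) {
  return inventory.filter(e => e.status === 'unapproved' || e.status === 'unparseable');
}

// Entries absent from a previously recorded inventory, so a scheduled run can
// flag new scripts or new destinations. Inline scripts have no URL to key on
// and are excluded here; classifyUrls still lists them for manual review.
function newSinceBaseline(inventory, baselineUrls) {
  const seen = new Set(baselineUrls);
  return inventory.filter(e => e.status !== 'inline' && !seen.has(e.url));
}
```

Run classifyUrls on every page, store the resulting URLs as the baseline, and have the scheduled job alert on anything newSinceBaseline or needsReview returns.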
It is vital for healthcare organizations to protect the client side of the business. While the NPRM focuses primarily on server-side and administrative security controls, it fails to include these client-side vulnerabilities. While this could be a crucial next step in the evolution of HIPAA compliance, businesses cannot afford to wait and see when it comes to protecting their patient data. The best prescription is to take action now.
Rui Ribeiro is the CEO and co-founder of Jscrambler. An entrepreneur and innovator, he has led the company from a start-up to a leader in client-side web application security. He has co-authored several application security patents and is passionate about helping companies innovate quickly while knowing that their applications are secure.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.