Health Care

HIPAA’s Blind Spot: It’s Time to Address Client-Side Attacks

Earlier this year, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Security Rule. The notice focuses on modern security practices that better protect electronic protected health information (EPHI) by strengthening critical defensive capabilities. This includes areas such as risk analysis and management, access control, audit controls and monitoring, and incident response and reporting.

These steps are important because healthcare facilities are under attack. The HHS Office for Civil Rights identified more than 725 major healthcare breaches affecting 180 million people in 2024. The steps introduced by HHS are a big step forward, but on closer inspection they do not go far enough.

That is because a gap that affects more and more healthcare organizations today remains unaddressed: client-side vulnerabilities. Digital skimming attacks, unauthorized third-party scripts and browser-based threats have successfully compromised medical organizations by targeting JavaScript-based vulnerabilities and third-party pixels.

Take Novant Health as an example. In 2024, Novant Health paid more than $6 million to settle privacy-violation lawsuits. At the heart of the case was the use of a tracking pixel: a snippet of JavaScript, or an iFrame, that helps a website track a visitor’s actions across the site. This covers everything from how many pages they visit to what they click on. Medical organizations like Novant use this data to help improve care, in this case virtual care. The problem in Novant’s case was that the data of more than one million individuals was shared with a third-party technology company that had no right to receive it.

Novant is far from alone. Today, in fact, every organization with a website is a target, since 98% of websites use JavaScript. Healthcare websites, and hospital websites in particular, make third-party data transfers from the typical (median) home page.

The good news is that many organizations recognize that there is a problem and are taking action. Our research team analyzed the top 50 healthcare companies in the U.S. and examined each website to determine whether it actively uses Content Security Policy (CSP) or a client-side protection agent to help mitigate the threat. From there, they assessed each website’s risk based on the solution implemented on each of its pages. The team found that 44% of the top 50 rely on CSP to reduce the risk of digital skimming. CSP aims to stop attacks by letting security teams declare which resources a visitor’s browser may trust and which it must not execute. While the idea of blocking untrusted resources is sound, the manual nature of this approach is not. The team must sift through the sheer volume of third-party code around the clock, and even when a script has been successfully blocked, today’s sophisticated attacks can easily find another route in.

Most importantly, while recognizing the problem is crucial, too many healthcare organizations rely on solutions that cannot and will not provide an adequate line of defense. This will cause trouble for many organizations. Of these 50 healthcare businesses, only 4% have recognized the need for more and have acted by implementing a comprehensive client-side protection agent. Now it is time for the others to follow their lead.

This is why the NPRM must be extended with measures consistent with best regulatory practice. One example is the Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council: PCI DSS v4 requirements 6.4.3 and 11.6.1 add enhanced security measures that ensure greater protection of payment card information.

By following such guidance, healthcare organizations can extend regulatory protections to include browser and client-side security measures. Done correctly, this mitigates emerging cyber risks, prevents data breaches and strengthens compliance across an increasingly digital healthcare ecosystem.

What is needed

Given the rise of digital skimming (e.g., Magecart) and third-party JavaScript abuse, and the ongoing reliance on CSP, organizations that handle electronic protected health information (EPHI) should consider expanding their security controls, starting with a review of their script inventory. Create a detailed inventory of the scripts used by all third-party vendors (and third-party tags) on every web page. This helps filter out any unauthorized scripts that may be on the site, and it helps ensure compliance with critical regulations from PCI DSS to HIPAA.

Now, remember that even approved scripts do not get carte blanche: restrictions must be put in place to limit their access to data. For example, form fencing lets healthcare providers control which scripts can read input data from forms such as payment, registration or appointment-booking forms. Form fencing provides a powerful and granular rule engine that gives medical organizations full control over every script running on the website, including the ability to monitor and enforce as needed.
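As an added illustration (not code from the article or from Jscrambler) of the script inventory, the CSP allow-listing described earlier and the form-fencing rules above, the following Node.js snippet audits a constructed inventory against a per-origin policy; the vendor hostnames, page paths and field names are placeholders, not real vendors.

```javascript
// Constructed sample inventory: scripts observed on two pages of a hospital site.
const inventory = [
  { page: "/appointments", src: "https://www.example-hospital.test/js/app.js" },
  { page: "/appointments", src: "https://analytics.vendor-a.test/pixel.js" },
  { page: "/billing",      src: "https://pay.vendor-b.test/checkout.js" },
  { page: "/billing",      src: "https://cdn.unknown-tag.test/t.js" }, // never approved
];

// Allow-list keyed by origin; "fields" is the form-fencing rule:
// which form inputs a script from that origin may read ("*" = any, [] = none).
const policy = {
  "https://www.example-hospital.test": { fields: ["*"] },
  "https://analytics.vendor-a.test":   { fields: [] },                   // pixel: no form access
  "https://pay.vendor-b.test":         { fields: ["card_number", "expiry"] },
};

function originOf(src) {
  return new URL(src).origin;
}

// Step 1 (inventory review): every script whose origin is not on the allow-list.
function findUnauthorized(inv, pol) {
  return inv.filter((s) => !(originOf(s.src) in pol));
}

// Step 2 (CSP): derive a script-src directive that trusts only approved origins
// (plus 'self'); the browser blocks anything else before it runs.
function cspScriptSrc(pol) {
  const origins = Object.keys(pol).sort();
  return `script-src 'self' ${origins.join(" ")};`;
}

// Step 3 (form fencing): may a script from this source read the given field?
// Unknown origins and pixels with an empty field list are denied.
function mayReadField(pol, src, field) {
  const rule = pol[originOf(src)];
  if (!rule) return false;
  return rule.fields.includes("*") || rule.fields.includes(field);
}

// Stand-alone run: print the audit findings and the directive to deploy.
for (const s of findUnauthorized(inventory, policy)) {
  console.log(`UNAUTHORIZED on ${s.page}: ${s.src}`);
}
console.log(`Content-Security-Policy: ${cspScriptSrc(policy)}`);
console.log("pixel may read card_number:",
  mayReadField(policy, "https://analytics.vendor-a.test/pixel.js", "card_number"));
```

In practice the inventory would be gathered by crawling every page (or from a client-side agent’s telemetry), and the policy reviewed each time a vendor or tag changes.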

This is about more than the data these scripts can access. It is also critical to control what they can exfiltrate from the website, including everything from PII and EHR data to payment and insurance details and biometric information. Client-side solutions provide functionality that ensures this data stays secure.

This work does not end with script access. I recommend that the NPRM call on businesses to review all website components regularly and pay special attention to third-party integrations. For medical organizations, this will include payment and billing solutions, electronic prescription tools, and electronic health record (EHR) integrations. I encourage healthcare organizations to take an automated approach instead of conducting periodic reviews, to keep an eye on all activity around the clock.

For medical institutions, protecting the client side of the business is crucial. Although the NPRM focuses primarily on server-side and administrative security controls, it fails to address these client-side vulnerabilities. While this may be the next step in the evolution of HIPAA compliance, businesses cannot wait for whenever that happens to protect their patient data. The best prescription is to act immediately.

Photo: Ildo Frazao, Getty Images


Rui Ribeiro is the CEO and co-founder of Jscrambler. He is an entrepreneur and innovator who has led the company from a startup to a leader in client-side web application security. He has co-authored several application security patents and is passionate about helping companies innovate quickly while staying on top of their application security.

This article appears via the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
