The Hidden Threat: Why Client-Side Security is the Next Frontier for Healthcare

by Rui Ribeiro, CEO and Co-Founder, Jscrambler 09/19/2025 Leave a Comment


For healthcare organizations, addressing cybersecurity risk is paramount. In 2024, the U.S. Department of Health and Human Services reported a record 677 major healthcare data breaches, affecting more than 182 million individuals. Hacking incidents dominated these breaches, and many of them underscore the need to secure the client side, where attackers target end-user devices and the web interfaces those devices load. Despite increasingly sophisticated healthcare security programs, client-side environments often receive far less attention than server-side environments, leaving a significant gap in overall defense.

Understanding Client-Side Risks

“Client-side” refers to what happens in a person’s browser when they use a website on their own device: the HTML, JavaScript and third-party code the page loads and runs there. Client-side security covers the breaches and incidents that occur on users’ devices rather than on the organization’s own servers (“server-side”).

According to the OpenJS Foundation, more than 98 percent of websites rely on JavaScript. JavaScript and third-party code let organizations transform online operations by adding analytics, payments, support chat and chatbots, performance measurement, social media integrations, and more. That functionality comes at a cost: every script a page loads runs with the same privileges as the site’s own code. It can read every form field, every cookie accessible to JavaScript and every piece of page content, and send what it reads anywhere the browser allows. Each third-party script therefore expands the attack surface and leaves organizations and end users exposed to data leakage and digital skimming attacks.

Data leakage happens when third-party tags, once included on a page, are inadvertently given unrestricted access to everything visible on that page, including login and payment forms. That access, together with misconfigurations and vulnerabilities in the vendor’s own software, can hand malicious actors sensitive customer, patient, or user information. Even without malice, a third-party script can collect and transmit user data to parties that were never authorized to receive it. With multiple tags from many vendors running on the same pages, each pulling in its own dependencies, the exposure compounds.

Not all incidents are unintentional. Digital skimming is the deliberate capture and exfiltration of payment card data: attackers compromise a third-party script that a site already loads, or inject their own code into the page, and that code reads card details as they are typed into payment forms and sends them to an attacker-controlled server.

Tracking Codes, Pixels, and Tags and HIPAA Compliance

Third-party tracking codes use cookies, web beacons (pixel tags) and similar technologies to identify users across different websites. The data collected can help healthcare providers gain insight into patient behavior, identify trends in health needs, optimize website usability, and deliver more personalized and proactive services. Studies have found third-party tracking technology on nearly 99% of hospital websites, with data flowing to large technology companies, social media companies, advertising firms, and data brokers.

While helpful for customization and an enhanced user experience, third-party tracking technologies can put patient privacy at risk. Meta Pixel, Google Analytics, LinkedIn Insight Tag, Snap Pixel, TikTok Pixel, X Pixel, and custom pixels placed by an ad network or marketing platform can all transmit patient data to technology providers without authorization; at a minimum a pixel reports the URL of the page visited, which on a patient portal can itself reveal a condition, a provider or an appointment. A lack of transparency about how that data is collected and used also puts healthcare providers in a precarious position, both for compliance and for patient trust.

There is no shortage of recent examples of these risks. 

  • Novant Health settled a $6.6 million pixel privacy lawsuit in January 2024. The lawsuit involved pixel code on its patient portal, installed with the stated aim of improving virtual visits, that collected personally identifiable information. The tracking pixels also transferred the data of more than 1.3 million individuals to third-party technology companies that were not authorized to receive it.
  • In April 2024, Kaiser Permanente disclosed that its use of tracking pixels had leaked the data of 13.4 million people to third parties.
  • In December, Jefferson Health faced a class action lawsuit over its use of the Meta Pixel tracking tool, which sent sensitive patient data to Meta Platforms without website users’ knowledge or consent.
  • Advocate Aurora and NHS trusts, among others, have also disclosed breaches related to tracking pixels in the last three years.

The U.S. Department of Health and Human Services has stated that, to comply with the Health Insurance Portability and Accountability Act, a regulated organization whose tracking vendor receives protected health information must have a business associate agreement (BAA) in place with that vendor or a valid HIPAA authorization from the patients concerned. Despite this requirement, the recent record of breached organizations, and the risk of lawsuits and fines for non-compliance, approximately one-third of healthcare websites analyzed still use the Meta Pixel tracking code.

The Risk for Healthcare Organizations


The prevalence of third-party tags requires the healthcare industry to take proactive steps to protect patient data, mitigate data leakage, and prevent attackers from executing malicious code by injecting scripts or manipulating application functionality on the client side. 

Even small data leaks can lead to legal exposure, identity theft, financial loss, and disruption to operations. The theft of sensitive medical data opens organizations to larger follow-on attacks, privacy violations, non-compliance findings, and financial losses. Beyond data leakage and digital skimming, client-side breaches can harm patient care and privacy through:

  • Disruption of patient care: When healthcare data is compromised, it can lead to delays in treatment, difficulty accessing records, and disruption of essential medical procedures.
  • Theft of sensitive data: Hackers exploit vulnerabilities in web applications to steal diagnoses, prescriptions, and insurance details—which can lead to privacy violations, identity theft, and potential lawsuits and settlements.
  • Phishing attacks: Attackers stand up a look-alike website on a fraudulent URL to trick end users into divulging personal and sensitive information.
  • Damage to trust and reputation: A data breach can significantly damage a healthcare organization’s reputation, which could ultimately lead to lost patient trust and business. 

Proactive Steps to Safeguard Against Client-Side Threats

Healthcare organizations must proactively prepare to prevent client-side attacks, minimize the risk of patient data leaks, and maintain regulatory compliance. The time to strengthen client-side protection against data loss, security weaknesses, and malicious threats is now. Here are several steps that close the gap in client-side defenses.

  1. Establish a Third-Party Script Inventory
    Managing risk begins with understanding its scope. Create an inventory of all third-party partners and tools to understand potential data leakage risks. Use a script inventory management tool to automatically identify every third-party vendor and script loaded on each page of each website, and update the inventory as vendors and script versions change. Where possible, use tools that maintain the inventory in real time so it does not go stale.
  2. Leverage Behavioral Monitoring & Analysis
    Monitor and analyze script behavior in real time and flag undesirable or suspicious activity, such as a script that starts reading form fields it never touched before or sending data to a new destination. A Content Security Policy (CSP) remains the first control to deploy: it stops scripts from unlisted origins from loading at all and can restrict where page code may send data. But a CSP is a static allowlist. It cannot see what an allowed script does with the data it can reach, and it becomes hard to maintain when vendors update their scripts or pull in new dependencies.
  3. Implement Strict Access Controls
    Identify and limit third-party vendors’ access to pages, forms, and the data entered into those forms. Client-side protections such as form fencing control which scripts may read form data. Client-side protection platforms provide granular rules engines that give healthcare organizations control over each script running on their website.
  4. Control Data Exfiltration
    Similarly, by setting specific rules for how third-party tags may interact with data, and for which destinations they may send it to, healthcare organizations can restrict access to sensitive information and prevent unauthorized transfers.
  5. Balance Protection and Business Enablement
    Balance security with business processes. Fine-grained controls, automation, and security checks ensure that third-party JavaScript is verified and trusted, so the website keeps running securely without disrupting day-to-day business.

By prioritizing client-side security measures, healthcare organizations can better protect sensitive data, maintain compliance with regulatory standards, and ensure the continuity of care. Strengthening these often-overlooked defenses is not only a regulatory necessity but also a moral imperative to safeguard patient trust and well-being in an increasingly interconnected digital healthcare landscape.
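Once a policy like the one above is enforced, the browser's CSP violation reports become a cheap, continuous signal for steps 2 and 4: every blocked request is either a legitimate vendor endpoint the policy forgot, a tracker someone re-added, or an unknown destination that deserves an incident ticket. The following is an added example, not code from the article or from Jscrambler, that normalizes reports in both the Reporting API (`report-to`) and legacy `report-uri` shapes, groups them by directive and destination, and ranks them. The portal paths, the vendor endpoint, the collector host and the five sample reports are constructed; the two Meta hosts and the Google Analytics host are real pixel destinations used only as illustration. Node standard library only.

```javascript
// Added example (not from the article or Jscrambler): triaging CSP violation
// reports as behavioral monitoring for client-side data exfiltration. The
// reports, hosts and vendor list are constructed; the report shapes follow the
// Reporting API ("report-to") and the legacy "report-uri" format.
const EXFIL_DIRECTIVES = new Set(["connect-src", "img-src", "form-action"]); // where data leaves a page
const AUTH_PATH = "/portal/"; // assumed path prefix of authenticated (PHI) pages
const RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Constructed: approved vendor data endpoints and known marketing pixel hosts.
const VENDOR_ENDPOINTS = { "api.chat-vendor.example": "support chat" };
const KNOWN_TRACKERS = new Set(["www.facebook.com", "connect.facebook.net", "www.google-analytics.com"]);

// Normalize both report formats into one shape; returns null for anything else.
function normalize(raw) {
  if (raw.type === "csp-violation" && raw.body) { // Reporting API
    const b = raw.body;
    return { page: b.documentURL, directive: b.effectiveDirective, blocked: b.blockedURL,
             enforced: b.disposition === "enforce" };
  }
  if (raw["csp-report"]) { // legacy report-uri
    const r = raw["csp-report"];
    return { page: r["document-uri"], blocked: r["blocked-uri"],
             directive: (r["effective-directive"] || r["violated-directive"]).split(" ")[0],
             enforced: r.disposition !== "report" }; // older browsers omit disposition: treat as enforced
  }
  return null;
}

// Hostname of a blocked URL; keywords such as "inline" or "eval" pass through.
function hostOf(url) { try { return new URL(url).hostname; } catch { return url; } }

// Group exfiltration-relevant violations by directive, destination and page
// class, then attach a verdict and severity to each group.
function triage(rawReports) {
  const groups = new Map();
  for (const raw of rawReports) {
    const r = normalize(raw);
    if (!r || !EXFIL_DIRECTIVES.has(r.directive)) continue; // script-src etc. are handled elsewhere
    const host = hostOf(r.blocked);
    const path = new URL(r.page).pathname;
    const onPHIPage = path.startsWith(AUTH_PATH);
    const key = `${r.directive}|${host}|${onPHIPage}`;
    const g = groups.get(key) || { directive: r.directive, host, onPHIPage, count: 0, unenforced: 0, pages: new Set() };
    g.count++;
    if (!r.enforced) g.unenforced++; // report-only mode: the request actually went out
    g.pages.add(path);
    groups.set(key, g);
  }
  return [...groups.values()].map((g) => {
    let verdict, severity;
    if (VENDOR_ENDPOINTS[g.host]) {
      verdict = `policy gap: ${VENDOR_ENDPOINTS[g.host]} endpoint missing from ${g.directive}`; severity = "low";
    } else if (KNOWN_TRACKERS.has(g.host)) {
      verdict = "marketing pixel still firing; remove the tag"; severity = g.onPHIPage ? "high" : "medium";
    } else {
      verdict = "unknown destination; investigate possible exfiltration"; severity = g.onPHIPage ? "critical" : "high";
    }
    if (g.unenforced > 0) verdict += ` (${g.unenforced} report-only: data actually left the page)`;
    return { ...g, pages: [...g.pages], verdict, severity };
  }).sort((a, b) => RANK[a.severity] - RANK[b.severity]);
}

// Constructed sample reports: a forgotten vendor endpoint, a pixel on a PHI
// page, two report-only hits to an unknown collector, and one non-exfil report.
const REPORTS = [
  { type: "csp-violation", url: "https://portal.example/portal/visits",
    body: { documentURL: "https://portal.example/portal/visits", effectiveDirective: "connect-src",
            blockedURL: "https://api.chat-vendor.example/session", disposition: "enforce", statusCode: 200 } },
  { type: "csp-violation", url: "https://portal.example/portal/visits",
    body: { documentURL: "https://portal.example/portal/visits", effectiveDirective: "img-src",
            blockedURL: "https://www.facebook.com/tr?id=1&ev=PageView", disposition: "enforce", statusCode: 200 } },
  { "csp-report": { "document-uri": "https://portal.example/portal/billing", "violated-directive": "connect-src",
                    "effective-directive": "connect-src", "blocked-uri": "https://beacon-collector.example/c", "disposition": "report" } },
  { "csp-report": { "document-uri": "https://portal.example/portal/billing", "violated-directive": "connect-src",
                    "effective-directive": "connect-src", "blocked-uri": "https://beacon-collector.example/c", "disposition": "report" } },
  { type: "csp-violation", url: "https://portal.example/locations",
    body: { documentURL: "https://portal.example/locations", effectiveDirective: "script-src",
            blockedURL: "inline", disposition: "enforce", statusCode: 200 } },
];

for (const f of triage(REPORTS)) console.log(`[${f.severity}] ${f.directive} -> ${f.host} x${f.count}: ${f.verdict}`);
```

Severity is driven by where the request originated as much as by where it went: the same unknown destination is critical on an authenticated page and merely high on a public one, and anything seen under a report-only policy is called out explicitly because the browser did not stop it. The sample deliberately mixes both report formats, since a site migrating from `report-uri` to `report-to` will receive both for a while.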


About Rui Ribeiro

Rui Ribeiro is the CEO and Co-Founder of Jscrambler, a client-side protection and compliance company, where he is responsible for executing the company’s growth strategy and setting its vision and culture. He has more than 15 years of experience in the information technology sector; before Jscrambler he held management roles in the financial sector and worked as a software analyst.
