For healthcare organizations, addressing cybersecurity risks is paramount. In 2024, the U.S. Department of Health and Human Services reported a record-breaking 677 major healthcare data breaches, affecting over 182 million individuals. Hacking incidents dominated these breaches, underscoring the critical need to secure client-side environments, where attackers exploit end-user devices and web interfaces. Despite the growing sophistication of healthcare cybersecurity measures, client-side environments often receive insufficient attention compared with server-side environments, leaving a significant gap in overall defense strategies.
Understanding Client-Side Risks
"Client-side" refers to what happens in a person's browser when using a website on their device. It includes potential security breaches and incidents that may occur on users' devices rather than on the business side ("server-side").
According to the OpenJS Foundation, more than 98 percent of websites rely on JavaScript. The use of JavaScript and third-party code allows organizations to seamlessly transform online operations by leveraging analytics, payments, support chat functions and chatbots, performance measurement, social media, and more. However, this increased functionality comes at a cost: modern web applications' use of third-party code expands the attack surface, threatening data integrity by leaving organizations and end users exposed to data leakage and digital skimming attacks.
Data leakage may happen when organizations use third-party tags, inadvertently giving them unrestricted access to all data and forms visible on website pages, including login and payment forms. This access, together with misconfigurations and vulnerabilities in third-party vendor software, can give malicious actors access to sensitive customer, patient, or user information. When a website integrates code from a third party, that code can unintentionally collect and transmit user data to unauthorized parties. With multiple tags from various vendors running on a site, the risk of data leakage grows with every tag added.
But not all incidents are unintentional. Digital skimming, for example, is a deliberate fraud: bad actors inject malicious code into third-party scripts on a website, and that code captures payment card data as it is entered into payment forms and transfers it to the attacker.
Tracking Codes, Pixels, and Tags and HIPAA Compliance
Third-party tracking codes use cookies, web beacons or pixel tags, and other tracking technologies to identify users across different websites. The data collected can help healthcare providers gain insights into patient behavior, identify trends in health needs, optimize website usability, and deliver more personalized and proactive services. Data shows that third-party tracking technology is present on nearly 99% of hospital websites, which includes transfers to large technology companies, social media companies, advertising firms, and data brokers.
While helpful for customization and enhanced user experience, third-party tracking technologies can put patient privacy at risk. Meta Pixel, Google Analytics, LinkedIn Insight Tag, Snap Pixel, TikTok Pixel, X Pixel, and other custom tracking pixel tags implemented by a third-party ad network or marketing platform may share unauthorized data with technology providers. Additionally, a lack of transparency regarding how data is collected and utilized could also put healthcare providers in a precarious situation for both compliance and patient trust.
There is no shortage of recent examples of these risks.
The US Department of Health and Human Services states that in order to comply with the Health Insurance Portability and Accountability Act, all HIPAA-regulated organizations must have a business associate agreement (BAA) in place with the provider of the code or authorization from patients. Despite this requirement, recent breaches, and the risk of lawsuits and fines for non-compliance with HIPAA, approximately one-third of healthcare websites analyzed still use Meta Pixel tracking code.
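A first practical step toward the BAA requirement above is knowing which tracking technologies a site actually references. The following is an added example for this article, not code from the original post or from Jscrambler: a small Node.js inventory script that pulls URLs out of page source, matches them against a mapping of well-known tag hostnames, and flags vendors missing from a compliance register. The hostname mapping, the sample page and the BAA register are the example's own constructions and should be confirmed against each vendor's current documentation and the organization's own records.

```javascript
// Added example (not code from the original article or from Jscrambler):
// inventory the third-party tracking technologies a page references and flag
// vendors with no business associate agreement (BAA) on file.

// URL prefixes (scheme stripped) associated with common tracking tags. This
// mapping is the example's own; confirm each entry against the vendor's
// current documentation before relying on it.
const TRACKER_SIGNATURES = [
  { vendor: "Meta Pixel", prefixes: ["connect.facebook.net/", "www.facebook.com/tr"] },
  { vendor: "Google Analytics / Tag Manager", prefixes: ["www.googletagmanager.com/", "www.google-analytics.com/"] },
  { vendor: "LinkedIn Insight Tag", prefixes: ["snap.licdn.com/", "px.ads.linkedin.com/"] },
  { vendor: "TikTok Pixel", prefixes: ["analytics.tiktok.com/"] },
  { vendor: "X Pixel", prefixes: ["static.ads-twitter.com/"] },
];

// Pull every absolute or protocol-relative URL out of the page source,
// including those inside inline script text, where tag loaders usually sit.
// (A "//comment" with no space after the slashes would also match; harmless here.)
function extractUrls(html) {
  const matches = html.match(/(?:https?:)?\/\/[^\s"'<>()]+/g) || [];
  return matches.map((u) => (u.startsWith("//") ? `https:${u}` : u));
}

// Match each URL's host and path against the signature prefixes.
function findTrackers(html) {
  const findings = [];
  for (const url of extractUrls(html)) {
    const hostAndPath = url.replace(/^https?:\/\//i, "").toLowerCase();
    for (const sig of TRACKER_SIGNATURES) {
      if (sig.prefixes.some((p) => hostAndPath.startsWith(p))) findings.push({ vendor: sig.vendor, url });
    }
  }
  return findings;
}

// Group findings per vendor and mark whether the register shows a BAA.
function assessCompliance(findings, baaRegister) {
  const byVendor = new Map();
  for (const { vendor, url } of findings) {
    if (!byVendor.has(vendor)) byVendor.set(vendor, { vendor, urls: [], baaOnFile: baaRegister.has(vendor) });
    byVendor.get(vendor).urls.push(url);
  }
  return [...byVendor.values()];
}

// Constructed sample page: a tag manager loader, a pixel loader in inline
// script, and the pixel's <noscript> image fallback next to a login form.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-PLACEHOLDER"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000000&ev=PageView&noscript=1"/></noscript>
<form action="/patient-portal/login"><input name="username"><input type="password" name="password"></form>
</body></html>`;

// Constructed register: only the tag manager vendor has a BAA in this sample.
const BAA_REGISTER = new Set(["Google Analytics / Tag Manager"]);

for (const entry of assessCompliance(findTrackers(SAMPLE_HTML), BAA_REGISTER)) {
  const status = entry.baaOnFile ? "BAA on file" : "NO BAA - needs review or removal";
  console.log(`${entry.vendor}: ${status}\n  ${entry.urls.join("\n  ")}`);
}
```

Static source inspection only catches tags referenced directly in the HTML; tags injected by a tag manager or by another script at runtime need a browser-side check (for example, recording the script and request hosts a loaded page actually contacts) to complete the inventory.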
The Risk for Healthcare Organizations
The prevalence of third-party tags requires the healthcare industry to take proactive steps to protect patient data, mitigate data leakage, and prevent attackers from executing malicious code by injecting scripts or manipulating application functionality on the client side.
Even when small, data leaks can lead to legal issues, identity theft, financial loss, and disruption to operations. The theft of sensitive medical data opens organizations to the possibility of larger attacks, privacy violations, non-compliance, and financial losses. In addition to data leakage and digital skimming, client-side data breaches may negatively impact patient care and privacy through:
Proactive Steps to Safeguard Against Client-Side Threats
Healthcare organizations must proactively prepare to prevent client-side attacks, minimize the risk of patient data leaks, and maintain regulatory compliance. The time to strengthen client-side protection against data loss, security weaknesses, and malicious threats is now. Here are several steps to take to close the gap in client-side defenses.
Similarly, by setting specific rules for how third-party tags can interact with data, healthcare organizations can restrict access to sensitive information and prevent unauthorized data transfer.
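The browser mechanism for setting such rules is the Content Security Policy (CSP) header: script-src states which hosts may supply tags, connect-src states where scripts may send data, and form-action states where forms may post. The following is an added example for this article, not code from the original post or from Jscrambler: it builds a weak and a hardened policy for a hypothetical patient portal at portal.hospital.example and includes a simplified evaluator (no nonce, hash or 'unsafe-inline' handling) that shows which requests each policy would block. All hosts and policies in it are constructed for illustration.

```javascript
// Added example (not code from the original article or from Jscrambler):
// a Content Security Policy that states which hosts third-party tags may be
// loaded from, where scripts may send data, and where forms may post, with a
// simplified evaluator showing which requests each policy would block.

// Fetch directives that fall back to default-src when absent. form-action
// deliberately is not one of them: leave it out and form posts go anywhere.
const FALLS_BACK_TO_DEFAULT = new Set(["script-src", "connect-src", "img-src"]);

// Serialize a { directive: [sources] } object into a CSP header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Does `policy` let a request governed by `directive` reach `url`, for a page
// served from `pageOrigin`? Simplified: handles 'self', 'none', '*', scheme
// sources (https:, data:) and host sources with optional *. wildcard, port
// and path prefix; nonces, hashes and 'unsafe-inline' are ignored.
function cspAllows(policy, directive, url, pageOrigin) {
  let sources = policy[directive];
  if (!sources && FALLS_BACK_TO_DEFAULT.has(directive)) sources = policy["default-src"];
  if (!sources) return true; // no applicable directive: CSP imposes no restriction
  if (sources.includes("'none'")) return false;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === page.origin;
    if (src === "*") return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol.toLowerCase() === src.toLowerCase();
    const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?(\/.*)?$/i);
    if (!m) return false;
    const [, scheme, wildcard, host, port, path] = m;
    if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
    const hostname = target.hostname.toLowerCase();
    const hostOk = wildcard ? hostname.endsWith(`.${host.toLowerCase()}`) : hostname === host.toLowerCase();
    if (!hostOk) return false;
    if (port && target.port !== port) return false;
    if (path && !target.pathname.startsWith(path)) return false;
    return true;
  });
}

// Constructed policies for a hypothetical patient portal.
const PAGE_ORIGIN = "https://portal.hospital.example";

// Weak: any origin may serve scripts and receive data, and form-action is absent.
const WEAK_POLICY = { "default-src": ["*", "'unsafe-inline'"] };

// Hardened: only reviewed tag hosts may load, data may only flow to the
// portal itself or its own analytics host, and forms may only post back to it.
const HARDENED_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://www.googletagmanager.com"],
  "connect-src": ["'self'", "https://analytics.hospital.example"],
  "img-src": ["'self'", "data:"],
  "form-action": ["'self'"],
};

console.log("Content-Security-Policy:", buildCsp(HARDENED_POLICY));
for (const [directive, url] of [
  ["script-src", "https://cdn.unreviewed-tag.example/tag.js"],
  ["connect-src", "https://collector.unreviewed-tag.example/beacon"],
  ["form-action", "https://collector.unreviewed-tag.example/submit"],
]) {
  const weak = cspAllows(WEAK_POLICY, directive, url, PAGE_ORIGIN);
  const hardened = cspAllows(HARDENED_POLICY, directive, url, PAGE_ORIGIN);
  console.log(`${directive} -> ${url}: weak allows=${weak}, hardened allows=${hardened}`);
}
```

Two points the evaluator makes visible: a policy that only sets default-src leaves form submissions unrestricted, because form-action does not inherit from it, and a script allowed by script-src can still be stopped from sending form data elsewhere by a tight connect-src. Roll such a policy out in report-only mode first (Content-Security-Policy-Report-Only) so legitimate tag traffic can be allowlisted before enforcement.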
By prioritizing client-side security measures, healthcare organizations can better protect sensitive data, maintain compliance with regulatory standards, and ensure the continuity of care. Strengthening these often-overlooked defenses is not only a regulatory necessity but also a moral imperative to safeguard patient trust and well-being in an increasingly interconnected digital healthcare landscape.
About Rui Ribeiro
Rui Ribeiro is the CEO and Co-Founder of Jscrambler, the leader in client-side protection and compliance, responsible for executing the company's growth strategy, as well as setting its vision and culture. With more than 15 years of experience in the information technology sector, prior to Jscrambler he held management roles in the financial sector and worked as a software analyst.