
Shadow Code, Third-Party Scripts Pose Healthcare Cybersecurity Risks

Third-party scripts can enable enhanced functionality, but a new report suggests that these scripts may also introduce shadow code and healthcare cybersecurity risks.

Third-party scripts can facilitate digital transformation by allowing development teams to add enhanced functionality to web applications without having to build or maintain that functionality themselves. But these scripts may also expose applications to shadow code and healthcare cybersecurity risks, a new report conducted by Source Defense suggested.

Researchers analyzed 4,300 websites across a variety of industries during Q1 2022 to identify shadow code risks in the digital supply chain. The report revealed that the average website includes 12 third-party scripts and 3 fourth-party scripts.

A third-party script is a “JavaScript resource loaded into a webpage to provide functionality beyond the core functionality of the website,” Source Defense explained.

Healthcare was one of the most exposed verticals behind the financial services industry, both of which are highly regulated industries with access to sensitive data. The report found an average of 13 third-party scripts and 5 fourth-party scripts on healthcare sites.

“Today, extensive libraries of such scripts are available free or at low cost from open-source software organizations, individuals and allied groups of coders, and third parties such as cloud hosting providers, social media companies, digital advertising networks, web analytics firms, and content delivery networks,” the report noted.

“The benefits of third-party scripts are so overwhelming that it is rare to find a significant commercial enterprise or government agency that doesn’t use a large number in its web applications.”

However, the report suggested that third-party scripts can also open the door to shadow code, defined as code that was never inspected and validated by the site owner’s IT department.

“When a third-party script is called by a web page, it is loaded into a browser directly from a remote server belonging to the third party (say, a social media or marketing company or an analytics tool vendor), bypassing traditional security controls such as perimeter firewalls, web application firewalls (WAFs), and network monitoring tools,” the report explained.

“If a script has been hacked or compromised by a threat actor, the shadow code comes with it.”

The report said that a third-party script infected by shadow code could enable threat actors to change content on web pages, record keystrokes, monitor clicks, and capture and exfiltrate credentials.

These risks highlight the larger trend of supply chain risks across all sectors, including healthcare, especially since the 2020 SolarWinds cyberattack. A recent survey commissioned by Trellix and conducted by Vanson Bourne found that 74 percent of surveyed US healthcare organizations reported not having comprehensive software supply chain risk management policies. Many organizations reported finding it difficult to measure and implement supply chain risk management policies.

The pandemic accelerated digital transformation in many ways, forcing organizations to rely even more on digital technologies to maintain operations and prompting healthcare organizations to move more critical functions online, the report suggested.

In addition, Verizon’s 2022 Data Breach Investigation Report (DBIR) identified basic web application attacks as the most common cause of a data breach in healthcare in 2021.

“Our data represents a snapshot of third- and fourth-party scripts at a moment in time. But the situation is more dynamic and more challenging,” the report continued.

“Many organizations are continually transforming their web presence with new marketing, ecommerce, social media, customer support, and supply chain projects. They also rapidly replace existing digital suppliers and business partners with new ones. This churn means that over the course of a year the security team for an average website might need to monitor perhaps 50% or 100% more third- and fourth-party scripts than are on the site at any one time.”

As the cybersecurity workforce shortage continues, security risks may be more likely to fly under the radar.

In addition, as a recent cybersecurity advisory released by authorities from the US, the UK, Canada, the Netherlands, and New Zealand suggested, cyber actors are increasingly turning to poor security configurations and weak controls to gain initial access to victim systems and execute the aforementioned threats.

The Source Defense report suggested that organizations could use this data constructively to inform security priorities. For example, if an organization compares the number of third- and fourth-party scripts on its site to the average, it may get a clearer picture of what needs to be done to mitigate risk, and how urgent that risk is.

The report suggested that security teams ask themselves whether the number of third-party scripts could be reduced, or whether some scripts could be removed from the pages that handle sensitive information.
