Why web security is non-negotiable for ePHI
Healthcare runs on data that is uniquely sensitive and uniquely targeted. A stolen medical record sells for far more than a credit card number because it cannot be cancelled, and the public web is where attackers look first. Patient portals, scheduling pages, telehealth entry points, and provider logins all sit out in the open, and every one of them carries electronic protected health information, the ePHI that HIPAA exists to protect. When one of those pages serves over weak TLS, drops a security header, or loads a script from an origin nobody is watching, the door opens on the exact layer that is fastest to exploit and quickest to fix.
The HIPAA Security Rule technical safeguards at 45 CFR 164.312 are the part of the regulation that lands on your website. The transmission security standard at 164.312(e)(1) requires covered entities and business associates to implement technical measures that guard ePHI against unauthorized access while it is transmitted over an electronic network. On the web that means TLS, so nothing patient-facing is ever sent in the clear. The same standard names an integrity controls specification, and the integrity standard at 164.312(c)(1) expects transmitted ePHI to be protected from improper alteration that would go undetected. Strong modern TLS delivers that protection on the wire. The Rule is written to be technology-neutral, so it does not name a cipher, which puts the burden on you to prove your transport configuration is actually strong. That proof is what SiteSecurityScore produces.
Where SiteSecurityScore fits. HIPAA compliance is a whole program of agreements, access controls, training, and risk analysis. SiteSecurityScore owns the web and transport security technical controls inside that program, the TLS, headers, CSP, cookies, and DNS on your public sites and portals. It grades them, hands you the fix, and watches them every day. The administrative and organizational safeguards stay with your compliance and security teams.
HIPAA web requirements mapped to SiteSecurityScore checks
This table lines up the HIPAA Security Rule controls that touch your public web surface against what SiteSecurityScore actually checks. A green check means the scanner directly produces evidence for that control. An amber Partial means it covers the transport side of a control that also extends into systems a scanner cannot see. A red cross marks the administrative safeguards that live in your policies, agreements, and internal systems.
Transmission security and encryption in transit (164.312(e)(1))
| Control area | SiteSecurityScore |
|---|---|
| TLS and SSL configuration and cipher strength analysis | ✓ |
| Strict Transport Security (HSTS) enforcement | ✓ |
| Certificate validity and chain verification | ✓ |
| Mixed content detection on secure pages | ✓ |
Integrity of transmitted ePHI (164.312(c)(1))
| Control area | SiteSecurityScore |
|---|---|
| Modern TLS protecting data from undetected alteration in transit | ✓ |
| Detection of downgrade exposure and weak protocol versions | ✓ |
| Information disclosure and version leak checks | ✓ |
| Database and at-rest integrity controls | Partial |
Secure configuration of patient-facing endpoints
| Control area | SiteSecurityScore |
|---|---|
| Security headers (CSP, X-Frame-Options, Referrer-Policy) | ✓ |
| Content Security Policy directive review | ✓ |
| Cookie security (HttpOnly, Secure, SameSite) | ✓ |
| CORS and cross-origin configuration | ✓ |
| DNS and email authentication (SPF, DKIM, DMARC, CAA) | ✓ |
Ongoing evaluation and monitoring
| Control area | SiteSecurityScore |
|---|---|
| Automated daily scans of public configuration | ✓ |
| Email alerts on certificate or header changes | ✓ |
| Historical scan records between risk analyses | ✓ |
| Internal system and access log monitoring | Partial |
Administrative and organizational safeguards
| Control area | SiteSecurityScore |
|---|---|
| Business associate agreements and vendor governance | ✗ |
| Workforce security training and access management | ✗ |
| Audit logging inside applications and databases | ✗ |
| Contingency planning and incident response procedures | ✗ |
The administrative safeguard rows are marked as not covered on purpose. No external scanner can read your business associate agreements, verify workforce training, or inspect the audit logs inside your applications. For a full walkthrough of the HIPAA safeguards and how the technical evidence fits the program, see the HIPAA compliance guide.
What SiteSecurityScore checks for healthcare sites
One free scan covers the whole public surface of a patient portal or healthcare site and returns a letter grade with a prioritized list of fixes. These are the checks that matter most when ePHI is in play.
Encryption in transit
TLS and SSL configuration, cipher strength, certificate validity, and HSTS enforcement, so ePHI never travels over a weak or plain connection. Mixed content is flagged where a secure page still pulls an insecure resource.
Secure headers and CSP
Content Security Policy, X-Frame-Options, Referrer-Policy, and the rest of the header set, with deep CSP directive review so a portal cannot be framed for clickjacking or loaded with unauthorized scripts.
Cookies, CORS, and DNS
Session cookies checked for HttpOnly, Secure, and SameSite, CORS reviewed for over-permissive cross-origin access, and SPF, DKIM, DMARC, and CAA records validated so patient communications cannot be easily spoofed.
Every finding comes with the exact header value, cookie attribute, or TLS setting to apply, so a developer can close the gap in minutes rather than researching what good looks like. Export the result as a PDF for your security documentation, or pull it through the REST API to scan a fleet of provider sites on a schedule. For authenticated pages behind a login, the browser extension runs the same checks on the page you are actually viewing.
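To show what "the exact header value, cookie attribute, or TLS setting to apply" looks like in practice, here is a small header and cookie audit of the kind a scanner runs against a portal response. It is an added example written for this page, not SiteSecurityScore's own code: the two responses are constructed samples, and the thresholds (a one-year HSTS max-age, the CSP directives it inspects) are the example's own choices.

```python
"""Audit the security headers and Set-Cookie attributes in an HTTP response the
way an external scanner sees them on a public patient portal.

Added example written for this page, not SiteSecurityScore's own code. The two
responses at the bottom are constructed samples; the thresholds (a one-year HSTS
max-age, the CSP directives inspected) are this example's own choices."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the HSTS max-age this example treats as adequate

@dataclass
class Finding:
    control: str  # which check raised it, e.g. "HSTS" or "Cookie:session"
    problem: str  # what is wrong
    fix: str      # the exact header value or cookie attributes to apply

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into lower-cased (name, value) pairs, keeping
    repeats, since Set-Cookie legitimately appears once per cookie."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def first(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    return next((v for n, v in headers if n == name), None)

def csp_directives(csp: str) -> Dict[str, List[str]]:
    """Turn a CSP string into {directive: [lower-cased source tokens]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def audit(raw: str) -> List[Finding]:
    headers = parse_headers(raw)
    findings: List[Finding] = []
    # Transmission security: HSTS stops browsers from ever retrying over HTTP.
    hsts = first(headers, "strict-transport-security")
    hsts_fix = "Strict-Transport-Security: max-age=31536000; includeSubDomains"
    if hsts is None:
        findings.append(Finding("HSTS", "header missing", hsts_fix))
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        max_age = 0
        for p in parts:
            if p.startswith("max-age=") and p[8:].isdigit():
                max_age = int(p[8:])
        problems = []
        if max_age < ONE_YEAR:
            problems.append(f"max-age={max_age} is below one year")
        if "includesubdomains" not in parts:
            problems.append("includeSubDomains not set")
        if problems:
            findings.append(Finding("HSTS", "; ".join(problems), hsts_fix))
    # Secure configuration: CSP keeps unauthorized scripts and framing out.
    csp = first(headers, "content-security-policy")
    directives: Dict[str, List[str]] = {}
    if csp is None:
        findings.append(Finding("CSP", "header missing",
                                "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'"))
    else:
        directives = csp_directives(csp)
        script = directives.get("script-src", directives.get("default-src", []))
        loose = [s for s in script if s in ("'unsafe-inline'", "*")]
        if loose:
            findings.append(Finding("CSP", f"script-src allows {', '.join(loose)}",
                                    "script-src 'self' plus the specific origins you load from"))
    if "frame-ancestors" not in directives and first(headers, "x-frame-options") is None:
        findings.append(Finding("Clickjacking", "no frame-ancestors and no X-Frame-Options",
                                "add frame-ancestors 'none' to the CSP or send X-Frame-Options: DENY"))
    rp = first(headers, "referrer-policy")
    if rp is None or rp.lower() == "unsafe-url":
        findings.append(Finding("Referrer-Policy", "missing or unsafe-url",
                                "Referrer-Policy: strict-origin-when-cross-origin"))
    # Session cookies: keep them off plain HTTP, away from scripts and cross-site requests.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append("SameSite")
        if missing:
            findings.append(Finding(f"Cookie:{cookie}", "missing " + ", ".join(missing),
                                    f"Set-Cookie: {cookie}=...; Path=/; Secure; HttpOnly; SameSite=Lax"))
    return findings

# Constructed sample: a portal response with several weak settings.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example
Set-Cookie: session=abc123; Path=/; Secure
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Constructed sample: the same portal after applying the suggested fixes.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for f in audit(WEAK_RESPONSE):
        print(f"[{f.control}] {f.problem}\n    fix: {f.fix}")
    print("hardened findings:", len(audit(HARDENED_RESPONSE)))
```

Run against the weak sample it reports five findings (short HSTS max-age, inline scripts allowed by CSP, no framing protection, no Referrer-Policy, and a session cookie without HttpOnly or SameSite), each paired with the value to set; the hardened sample produces none. The cookie check deliberately treats any SameSite value as acceptable and leaves the Lax-versus-Strict choice to the portal's login flow.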
Continuous monitoring keeps the posture compliant
A single scan proves one day. Certificates expire, a deploy can quietly remove a header, and a third-party widget on an intake page can change without warning. HIPAA expects ongoing evaluation, not a single snapshot, which is why daily monitoring matters for healthcare.
SiteSecurityScore monitoring scans your TLS and SSL certificates, security headers, Content Security Policy, DNS records, and cookies every day, then emails you the moment anything changes or a new issue appears. The result is a continuous record that your transmission security and secure configuration stayed in place across the period between formal HIPAA risk analyses, and that your team caught and responded to drift quickly.
Automated daily scans
Every monitored portal and site is scanned once a day across TLS, headers, CSP, DNS, and cookies, building a standing record of posture.
Email alerts on changes
Get notified the moment a certificate nears expiration, a security header is removed, or your configuration drifts.
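The drift detection behind alerts like these can be shown on two daily snapshots. The following is an added example for this page, not SiteSecurityScore's own code or alert format: the snapshot layout (response headers, certificate expiry date, minimum TLS version), the 30-day expiry warning, and both snapshots are the example's own constructions.

```python
"""Detect drift between two daily snapshots of a portal's public configuration,
the kind of change a monitoring service turns into an email alert.

Added example for this page, not SiteSecurityScore's own code or alert format.
The snapshot layout (response headers, certificate expiry date, minimum TLS
version) and the 30-day expiry warning are this example's own assumptions, and
both snapshots below are constructed."""
from datetime import date
from typing import Dict, List

# Protocol versions in order of strength, so a downgrade is a drop in rank.
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

def detect_drift(previous: Dict, current: Dict, today_iso: str, warn_days: int = 30) -> List[str]:
    """Return one alert line per change worth an email; [] when posture held."""
    alerts: List[str] = []
    today = date.fromisoformat(today_iso)
    prev_h, cur_h = previous["headers"], current["headers"]
    # A deploy that silently drops or weakens a header is the common failure.
    for name, old in prev_h.items():
        if name not in cur_h:
            alerts.append(f"header removed: {name} (was '{old}')")
        elif cur_h[name] != old:
            alerts.append(f"header changed: {name}: '{old}' -> '{cur_h[name]}'")
    for name in cur_h:
        if name not in prev_h:
            alerts.append(f"header added: {name}")
    # Certificates expire on a schedule, so warn well before the date.
    days_left = (date.fromisoformat(current["cert_not_after"]) - today).days
    if days_left < 0:
        alerts.append(f"certificate expired {-days_left} days ago")
    elif days_left <= warn_days:
        alerts.append(f"certificate expires in {days_left} days")
    # Transmission security: the minimum protocol version must never go down.
    if TLS_RANK[current["tls_min_version"]] < TLS_RANK[previous["tls_min_version"]]:
        alerts.append(f"TLS minimum downgraded: {previous['tls_min_version']} -> {current['tls_min_version']}")
    return alerts

# Constructed snapshot from yesterday's scan.
YESTERDAY = {
    "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
        "x-content-type-options": "nosniff",
    },
    "cert_not_after": "2025-03-01",
    "tls_min_version": "TLSv1.2",
}

# Constructed snapshot from today's scan: CSP dropped by a deploy, TLS 1.0 re-enabled.
TODAY = {
    "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "x-content-type-options": "nosniff",
    },
    "cert_not_after": "2025-03-01",
    "tls_min_version": "TLSv1.0",
}

if __name__ == "__main__":
    for line in detect_drift(YESTERDAY, TODAY, "2025-02-17"):
        print("ALERT:", line)
```

Comparing the two constructed snapshots on 2025-02-17 yields three alerts: the removed Content-Security-Policy, a certificate twelve days from expiry, and the TLS minimum dropping from 1.2 to 1.0. Comparing a snapshot against itself, well before the certificate's expiry, yields none, which is the "posture held" record the page describes.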
Scan your healthcare site and set up monitoring
Run a free scan to grade the encryption in transit and secure configuration on your portals and sites, then turn on daily monitoring so your web security posture holds between HIPAA risk analyses. No account required to start.
Frequently asked questions
What web security controls does the HIPAA Security Rule expect?
The HIPAA Security Rule technical safeguards at 45 CFR 164.312 are the part that touches your website. The transmission security standard at 164.312(e)(1) requires you to guard ePHI against unauthorized access while it moves across a network, which on the web means enforcing TLS so patient data is never sent in the clear. Its integrity controls specification, and the separate integrity standard at 164.312(c)(1), expect electronically transmitted ePHI to be protected from improper alteration that goes undetected, which strong modern TLS provides. SiteSecurityScore checks exactly these transport controls on your public endpoints, grading your TLS configuration, HSTS enforcement, certificate validity, and whether any page mixes insecure content.
Does SiteSecurityScore make my healthcare site HIPAA compliant?
HIPAA compliance covers your whole organization, including business associate agreements, access controls inside your systems, workforce training, audit logging, and risk analysis. SiteSecurityScore handles the web and transport security technical controls that sit on top of that program. It grades the encryption in transit, security headers, Content Security Policy, cookie protections, and DNS records on your public sites and patient portals, and gives you copy-and-paste fixes for anything weak. That is the layer attackers probe first when they go after a healthcare login page, and it is the layer SiteSecurityScore is built to keep tight.
Why does encryption in transit matter so much for ePHI?
Patient portals, appointment forms, intake flows, and provider logins all carry electronic protected health information across the public internet. If any of that travels over plain HTTP, or over an outdated TLS version with weak ciphers, it can be intercepted or tampered with in transit. The transmission security standard exists precisely to stop that. SiteSecurityScore flags weak protocol versions, weak ciphers, missing HSTS, expiring or invalid certificates, and mixed content where a secure page still pulls an insecure resource. Each finding comes with the exact configuration to fix it.
What does SiteSecurityScore check on a patient portal?
A single free scan covers the full public surface of a portal. It analyzes TLS and SSL configuration and certificate health, checks for HSTS to force encrypted connections, reviews security headers including Content Security Policy, X-Frame-Options, and Referrer-Policy, inspects session cookies for the HttpOnly, Secure, and SameSite attributes that keep them off the network and out of cross-site reach, looks at CORS configuration, validates SPF, DKIM, DMARC, and CAA DNS records, and reports any mixed content or information disclosure. You get a letter grade and a prioritized list of fixes.
How does continuous monitoring help between HIPAA audits and risk analyses?
A scan proves your posture on one day. Certificates expire, a deploy can drop a security header, and a third-party script can quietly change. SiteSecurityScore runs an automated scan of your TLS, headers, CSP, cookies, and DNS every day and emails you the moment something drifts, such as a certificate nearing expiration or a removed header. That daily trail keeps your transmission security and secure configuration in place between formal HIPAA risk analyses and shows your safeguards held continuously, not just on the day someone checked.
Is SiteSecurityScore free for healthcare teams to use?
The core scanner is free with no account required. You can scan a patient portal or marketing site and get a full report on security headers, TLS and SSL, DNS records, Content Security Policy, cookies, CORS, and security.txt right away. Paid plans add continuous daily monitoring with email alerts, PDF report exports for your security documentation, REST API access to scan endpoints programmatically, a browser extension for authenticated pages, and an MCP connector. Those are the features healthcare teams reach for when they need a standing record of their web security posture.