Patient Data Behind Fragmented Walls
No single framework dominates healthcare. 17 sites scanned, 5 different frameworks detected. The fragmentation itself is the risk — no unified security posture, HIPAA compliance across a patchwork.
What keeps Healthcare CISOs awake
Patient portals processing PHI on frameworks with known critical CVEs
Appointment booking plugins handling PII with independent, often abandoned codebases
HIPAA 'reasonable safeguards' requirement increasingly difficult to defend on legacy CMS
EHR integrations via plugins creating unaudited data pathways
Telehealth intake forms collecting medical history on unpatched infrastructure
Typical vs Recommended
Compliance Exposure
Requires 'reasonable and appropriate safeguards.' Running patient services on 18,005 CVEs tests the definition of 'reasonable.'
Breach notification requirements. Cost per notification: $150+ per affected individual plus regulatory fines.
Healthcare classified as 'essential entity.' Mandatory security requirements tightening in 2026.
California, Colorado, Connecticut, Virginia — additional compliance layers for health data.

Healthcare Websites on WordPress: Patient Data Behind 18,005 CVEs
May 2026 · 6 min
Plugin Roulette: 27 Doors, and You Don't Know Which Ones Are Locked
May 2026 · 6 min
Year 1, Year 3, Year 5: What Happens to Sites That Don't Migrate
May 2026 · 7 min
WordPress Powers 43% of the Web (W3Techs). It Scores 45 Out of 100.
May 2026 · 6 min
When an AI Agent Checks Your Hospital's Website, It Sees Noise.
June 10, 2026 · 6 min