Leaps in healthcare technology continue to benefit humankind: from the advent of the X-ray in the 19th century to dialysis, CT, MRI, and other machines in the 20th century, to a new breadth of digital tools in this era. Perhaps the most auspicious of these is artificial intelligence (AI), with its wide-ranging applications for predictive analytics, drug development, personalized medicine, and robot-assisted surgery.
While the integration of AI into healthcare diagnosis and treatment holds unlimited potential to revolutionize the field – improving patient outcomes, reducing costs, and enhancing overall efficiency – that heady promise is not without peril. The more deeply that AI embeds into healthcare, the greater the cybersecurity risk it creates. Indeed, AI is already transforming the threat landscape across the entire medical profession.
Assessing AI Risks
Although artificial intelligence is seen as a disruptive force with unknown consequences, the International Association of Privacy Professionals estimates that over half of AI governance approaches are simply being built on top of existing privacy programs and that only 20% of established organizations have begun to initiate formalized AI practices and guidelines. While there are certainly foundational controls for underlying IT systems that power these AI models that are still completely relevant and necessary, we must also acknowledge the novel risks introduced by AI that potentially endanger patient privacy and health, as well as the safety and reputation of medical institutions. The advent of AI requires us to build new approaches to cybersecurity policies, strategies, and tactics on top of our already well-established foundation. Status quo is important, but not enough.
In dealing with still-nascent technology, health professionals must continuously remain aware of AI behavioral risks that could result in incorrect diagnoses or data hallucinations. AI systems are only as good as the quality and volume of their training data. Promoting transparency in AI models and deep testing, President Biden recently issued an executive order on Safe, Secure, and Trustworthy Artificial Intelligence. Along with tasking the Department of Health and Human Services with addressing unsafe healthcare practices and actual harms involving AI, the order seeks to set national standards for rigorous red-team testing to ensure that AI systems are safe before their public release and use.
Traditional security measures are better positioned to manage AI-related threats from cyber-criminals. Hospitals, for example, have increasingly been the target of malware and ransomware attacks. This past August, Prospect Medical Holdings took its main computer network offline after an incident affecting 16 hospitals and over 100 other medical facilities across the U.S. for nearly six weeks, an attack that exposed the private information of 24,000+ workers. AI-assisted security models must provide a counterweight to the use of the technology that helps attackers craft better social engineering attacks, more efficiently probe IT systems for weaknesses, and create malware that evades detection mechanisms.
Many healthcare organizations rely on third-party vendors for AI solutions. These vendors may unwittingly introduce vulnerabilities like the ones just described into healthcare systems, creating far-reaching consequences. This third-party dynamic that means less control by internal security teams is nothing new. Third parties have been the leading source of breaches in the healthcare ecosystem for several years. But the additional complexity of vendors’ use of AI, where data is going, and what controls are in place on it make an already complex problem even more so.
Implementing Security Measures
Healthcare organizations, proficient at preventing and quelling attacks on the human body, must concurrently embrace the need to strengthen their own systems by placing cybersecurity near the top of their overall AI integration strategies. These measures, constructed to harness the benefits of AI while safeguarding patient data and safety, include:
- Multi-Point Defense: Guided by the need for redundancy, institutions need to create and implement a cybersecurity strategy that considers incorporating defensive AI capabilities and includes multiple elements such as firewalls, intrusion detection systems, and advanced threat detection, a multi-pronged approach that can spot and mitigate threats at various levels.
- Data Encryption and Access Control: Protecting sensitive data and restricting access to authorized personnel begins with robust encryption protocols. Strong access control mechanisms should be implemented to prevent improper access to AI systems, underlying training models and infrastructure, and private patient records.
- Third-Party Vendor Assessment: Due diligence is required to thoroughly vet third-party vendors and their cybersecurity practices. At this stage of maturity in the AI risk management space, simply knowing if your third parties are deploying AI models in their solutions and how your company data is being used within that model is probably sufficient. More detailed depth of control implementation will come as standards bodies like HITRUST and NIST build AI-specific control frameworks.
- Incident Response Plans: AI systems should be a vital part of any organization’s incident response plans in order to identify the unknown that AI technologies might present in your standard DR/IR operations and to minimize downtime and data loss in the event of a cyberattack either using AI capabilities or against an AI system.
- Ongoing Security Audits and Updates: Conduct periodic security audits of AI systems and overall healthcare infrastructure to ensure your standard security controls are functioning.
- Employee Training and Awareness: Implement mandatory AI cybersecurity training for all healthcare staff, making them aware of the privacy and data loss risks of “off-the-shelf” AI technologies and of the advances in phishing techniques, deep fake capabilities, and other deceptive practices used by cyber attackers augmented by AI.
AI can be either a friend or foe of the healthcare sector, with the ability to improve lives or cause even further breach problems in an already reeling industry. By implementing robust security measures, raising staff awareness, and collaborating with trustworthy vendors, the industry can forge ahead with confidence and care.
About Morgan Hague
Morgan Hague is the Manager of IT Risk Management with Meditology Services, a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services exclusively for healthcare organizations.
About Britton Burton
Britton Burton is the Senior Director of TPRM Strategy with its sister company, CORL Technologies, tech-enabled managed services for vendor risk management and compliance.