Managing AI Risks in the Healthcare Industry

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner


Healthcare provider cybersecurity considerations

The Artificial Intelligence (AI) train is steaming ahead and getting faster every day. It is transforming businesses, and AI companies are soaring in the stock markets. Our clients are exploring how to use AI to streamline processes, improve data analysis, and enhance customer experience.

Benefits of AI for healthcare providers

Many healthcare providers are already employing AI and are realizing the following benefits:

  • More efficient diagnosis and treatment
  • Predictive analytics leading to early disease detection
  • Workflow optimization resulting in cost reductions
  • Ability to reduce medical errors
  • Ability to continuously learn and improve outcomes

What are the AI risks?

While there are clear benefits associated with the use of AI, there are also real dangers. Recently, a finance employee was tricked into paying $25 million to fraudsters who employed deepfake technology to spoof the likeness of the employee’s coworkers during a video call. In healthcare, there are especially acute cybersecurity risks that providers cannot overlook. Some of these risks include:

  • Inadequate Data Access Policies

    Integrated AI systems often have access to vast amounts of corporate data. Poor data access policies may allow individuals in an organization to ask the AI questions to get information to which they would otherwise not have access. For example, one employee asks the AI about a patient’s health records. The employee does not have access to the patient’s health records in the EHR, but the AI does. When asked, the AI simply reveals sensitive information.

  • Data Breaches

    AI systems often deal with large datasets containing sensitive patient information. A data breach could result in the unauthorized access, theft, or exposure of this confidential data. Many healthcare providers are using cloud-based, third-party AI systems. In these cases, the healthcare provider should obtain assurances, via a System and Organization Controls 2 (SOC 2) or similar report, that the third-party service provider is adequately protecting the provider's patient information.

  • Adversarial Attacks

    Adversarial attacks involve intentionally manipulating input data to deceive AI models. In healthcare, this could lead to incorrect diagnoses, altered patient records, or other malicious activities.

  • Insecure Interfaces and APIs (Application Programming Interfaces)

    AI systems often integrate with various healthcare applications and systems through APIs. Insecure interfaces could be exploited, leading to unauthorized access or data manipulation.

  • Insufficient Authentication and Authorization

    Weak authentication and authorization mechanisms can lead to unauthorized access to AI systems and patient data. Proper access controls must be in place to restrict system access based on roles and responsibilities.

  • Device Security

    The use of Internet of Things (IoT) devices and medical equipment connected to AI systems increases the attack surface. Security vulnerabilities in these devices could be exploited to compromise the overall system.

  • Ransomware Attacks

    Ransomware attacks targeting AI systems could disrupt operations, compromise patient care, and result in the loss of sensitive data. These attacks can be crippling to a provider organization and take months to recover from.
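The data-access failure described under "Inadequate Data Access Policies" above, beside the gating control that closes it, as an added Python example that is not part of the original article. The EHR authorization rule, the patient records, the roles and the user accounts are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for illustration, not from any real EHR:
# each patient record is owned by one care team.
PATIENT_RECORDS = {
    "P-1001": {"care_team": "cardiology", "summary": "Stable angina, on beta-blocker."},
    "P-2002": {"care_team": "oncology", "summary": "Stage II, chemo cycle 3 of 6."},
}
# Role -> permissions. Only clinical roles may read clinical summaries.
ROLE_PERMISSIONS = {"clinician": {"read_clinical"}, "billing": {"read_billing"}}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    care_teams: frozenset  # care teams this user is assigned to

AUDIT_LOG: list = []  # every AI lookup, allowed or denied, is recorded here

def ehr_authorizes(user: User, patient_id: str) -> bool:
    """Mirror the EHR's own rule: correct role AND assigned to the patient's team."""
    record = PATIENT_RECORDS.get(patient_id)
    if record is None:
        return False
    has_role = "read_clinical" in ROLE_PERMISSIONS.get(user.role, set())
    return has_role and record["care_team"] in user.care_teams

def ai_lookup_unsafe(patient_id: str) -> Optional[str]:
    """The failure mode: the assistant reads the EHR with its own broad service
    credentials, so anyone who can type a question gets the answer."""
    record = PATIENT_RECORDS.get(patient_id)
    return record["summary"] if record else None

def ai_lookup_gated(user: User, patient_id: str) -> Optional[str]:
    """The control: re-evaluate the requesting user's EHR authorization before
    the assistant is handed any record, and log the decision either way."""
    decision = "allow" if ehr_authorizes(user, patient_id) else "deny"
    AUDIT_LOG.append({"user": user.user_id, "patient": patient_id, "decision": decision})
    if decision == "deny":
        return None
    return PATIENT_RECORDS[patient_id]["summary"]

if __name__ == "__main__":
    nurse = User("nurse42", "clinician", frozenset({"cardiology"}))
    clerk = User("clerk07", "billing", frozenset())
    print(ai_lookup_gated(nurse, "P-1001"))  # the summary
    print(ai_lookup_gated(clerk, "P-1001"))  # None: same question, no access
```

In a real deployment the same check belongs in front of every retrieval or tool call the assistant makes, evaluated against the human requester's identity rather than the assistant's service account.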

Prepare your healthcare practice for AI cybersecurity risks

Healthcare providers who want to improve service delivery through the use of AI must consider the cybersecurity risks that come with using these technologies.

Your IT team’s role in risk management

It is important to ensure your IT team is prepared for the additional cybersecurity risks of AI. IT teams should prepare in the following ways:

  • Be familiar with the AI technologies that are being used and how they interface with the business’s current systems,
  • Ensure that third-party service providers have adequate data security practices, and
  • Properly train employees on the new systems

Your company’s role in risk management

The following practices should be a priority for healthcare provider organizations:

  • Perform periodic, independent assessments of cybersecurity practices
  • Perform at least annual vulnerability assessments and penetration testing, and
  • Provide security awareness training to employees at least annually

For assistance meeting your practice’s cybersecurity governance needs, contact our Keiter Cybersecurity Specialists today.


About the Author


Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost-effective solutions to build strong, efficient internal control systems and practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime contractors and subcontractors.


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
