The AI Dilemma—A New Arms Race in Healthcare Cybersecurity

Artificial intelligence is becoming healthcare’s greatest disruptor. AI is improving how we optimize diagnostics, personalize care, and automate administrative tasks at a scale never seen before. But while hospitals and healthcare organizations rush to harness AI’s potential, cybercriminals are doing the same to exploit its weaknesses. 

The result is a new kind of arms race. How can healthcare leaders harness AI to improve patient care before attackers weaponize it to launch cyberattacks that are more effective, scalable, and difficult to detect than ever before?

AI’s Expanding Attack Surface

For years, the healthcare sector has been a primary cyberattack target due to the financial incentive of its sensitive data. Now, AI has supercharged this threat. AI-powered attacks are not theoretical concerns; they are active threats that reshape how security leaders must defend their organizations.

The challenge with AI security in healthcare is that the attack surface is evolving faster than counterdefenses. Many organizations also rushed to deploy AI-powered automation without fully considering its security implications. Take AI-driven clinical decision support tools, for example. If an attacker gains access to the underlying data models, they can manipulate recommendations, subtly altering dosage calculations or treatment protocols in ways that could harm patients without immediate detection.

Lack of Third-Party Oversight

Third-party AI integrations are another overlooked vulnerability. Hospitals frequently partner with AI vendors for services ranging from radiology interpretation to patient chatbots. Yet, these third-party solutions often rely on external API connections, which can serve as entry points for cybercriminals. A single weak link in the AI supply chain can expose an entire network to attack.

Third-party vulnerabilities were in focus in February 2024, when Change Healthcare fell victim to a ransomware attack by the ALPHV/BlackCat group. This breach had far-reaching consequences, affecting over 100 million patients and disrupting healthcare operations nationwide. The attackers exploited vulnerabilities within Change Healthcare’s systems, leading to a significant compromise of sensitive patient data and operational paralysis. 

Change Healthcare integrates AI-driven tools for billing, claims processing, and analytics. While the breach itself was not directly caused by AI, it exposed the risks of third-party healthcare technology providers that are increasingly using AI solutions. It will be essential to make sure these integrations are secure to protect against similar breaches in the future.

A New Approach to Healthcare Cybersecurity

Static security measures that rely on signature-based detection (techniques that identify threats by looking for known patterns or “signatures” of malicious activity) or pre-defined threat indicators cannot keep pace with AI-powered cyberattacks, which constantly adapt and evade traditional defenses. To stay ahead of these risks, Managed Detection and Response (MDR) services must evolve from reactive monitoring to proactive AI-driven threat hunting. They should also aim to build core resilience with robust security measures that ensure operations remain secure and intact after a breach. Organizations should leverage machine learning models that can identify anomalies, predict attacks, and neutralize emerging threats in real time to achieve these goals. 

While MDR is focused on real-time threat detection and response, Digital Forensics and Incident Response (DFIR) should also adapt to handle the complexities of AI-driven cyberattacks. Traditional forensic methodologies—such as signature matching, log analysis, and static code review—are inadequate for tracking AI-generated threats, which continuously evolve.

AI-driven ransomware attacks present unique challenges that align with the skills of advanced DFIR teams. Instead of following a single encryption pattern, AI-enhanced ransomware can dynamically adjust encryption algorithms, spread laterally across networks in unpredictable ways, and selectively target high-value data to maximize impact. This means forensic investigations must go beyond decrypting files and analyzing attack logs. DFIR teams can and must leverage machine learning models to reconstruct attack timelines, trace back AI-generated malware’s origin, and identify weak points in the attacker’s AI models to predict and prevent future attacks.

Where Healthcare Leaders Must Act Now

The future of AI in healthcare is bright, but its risks cannot be ignored. Healthcare executives should prioritize AI security at the same level as patient safety and regulatory compliance. Security teams must also work in tandem with AI developers to ensure models are trained on secure, tamper-resistant data. AI governance frameworks should also be established to enforce accountability for AI-driven decisions. The ability to rapidly analyze and mitigate AI-driven cyber threats will be essential in preventing widespread disruption across healthcare systems.

The battle for AI security in healthcare has already begun. It’s time to start fighting smarter.

About Shane Cox

Shane Cox is the Director of Cyber Fusion Center and Incident Response at Highspring. With over 20 years of experience in cybersecurity operations, Shane specializes in building and optimizing security teams and programs for detection and response, security platform management, EDR/MDR, threat intelligence, automation, incident response, and vulnerability management. At MorganFranklin, he is responsible for the strategic leadership, growth, optimization, and client satisfaction of Cyber Fusion Center services, and collaborates closely with cybersecurity leaders across various industry verticals.