Healthcare AI Security: 6 Key Guidelines for Safe Adoption

Amid persistent clinician shortages and the escalating costs of care, artificial intelligence tools are emerging as a compelling solution for healthcare organizations. These technologies promise to augment the capabilities of physicians, nurses, IT teams, and support staff, streamlining daily workflows and enhancing efficiency. However, the integration of AI into healthcare settings carries significant implications for patient data security, necessitating a rigorous approach to implementation to safeguard sensitive information and, critically, patient outcomes.

Clara Lin Hawking, cofounder and executive director at Kompass Education, emphasizes that AI security transcends traditional measures like firewalls or strong passwords. Instead, she highlights the imperative of a holistic understanding of the inherent risks, opportunities, and limitations associated with AI deployment, noting that this awareness must permeate every level of an organization.

One foundational strategy for securing AI in hospitals involves deploying private or highly controlled instances of AI tools. Pete Johnson, CDW’s artificial intelligence field CTO, advocates for in-house solutions that allow clinicians and staff to experiment with AI applications without exposing patient data to public platforms. Alternatively, organizations can leverage public cloud models from leading providers like Amazon, Microsoft, and Google, which often include robust data privacy agreements. Johnson points out that these agreements typically guarantee that user-provided data, such as prompts or queries, will not be used to retrain the underlying AI models, offering a layer of protection even when the AI program isn’t hosted directly on an organization’s premises.

Beyond preventative measures, a robust action plan for potential security incidents is paramount. This plan should meticulously detail responses to events such as data breaches or widespread phishing attempts aimed at financial fraud. Hawking underscores the critical need for IT professionals to thoroughly comprehend these evolving attack surfaces and to construct comprehensive frameworks for addressing them. Such frameworks must encompass all facets of the IT ecosystem—hardware, software, architecture—along with clear policies and regulations designed to mitigate these emerging threats.

As healthcare organizations embark on their AI journey, a measured, incremental approach is advisable. Rather than exposing vast repositories of sensitive data to new AI systems, Johnson suggests starting small and focusing on specific, well-defined problems. Examples include using ambient listening technologies or intelligent documentation systems, which can significantly reduce the administrative burden on physicians and clinicians without immediately integrating the entirety of an organization’s data holdings.

Another crucial security measure involves mandating the use of organizational accounts for all AI tool interactions. Hawking warns against the use of personal email accounts, as this can inadvertently create unauthorized entry points for data sharing, potentially allowing sensitive information to be used for model training without explicit consent or oversight.

Furthermore, a dedicated oversight team is essential for vetting all AI tools, regardless of where or how they are used within the organization. Hawking recommends that this team be multidisciplinary, incorporating stakeholders from IT, clinical departments, and even patient advocacy groups. The goal is not to stifle innovation by locking down all AI, but rather to ensure a deep understanding of precisely which tools are being used and why, fostering a culture of informed and responsible adoption.

Finally, a comprehensive risk assessment coupled with a full audit of AI systems forms the cornerstone of strong governance. This allows healthcare organizations to proactively identify potential regulatory compliance risks and to develop appropriate policies and procedures for the responsible use of generative AI and other advanced tools. Hawking asserts that such a thorough overview is the indispensable starting point for establishing effective AI governance within any healthcare institution.