For obvious reasons, healthcare facilities are meticulous about cleanliness and vigilant in scouring for bacteria, viruses, and other pathogens with regular, high-grade disinfection routines and robust air filtration. When it comes to cyber infections and attacks, however, the healthcare sector has been a significant target.
In 2024, the Department of Health and Human Services reported more than 700 healthcare data breaches in the United States, resulting in a total of over 180 million compromised records. Earlier this year, Yale New Haven Health System disclosed a hack that affected 5.5 million patients.
The appeal of the sector to bad actors is obvious: healthcare organizations contain troves of sensitive personally identifiable information (PII)—such as names and addresses, dates of birth, Social Security numbers, and details of medical conditions—that can be sold on or exploited to steal an identity.
A successful attack can hold a healthcare facility or entire system to ransom. Meanwhile, the interconnectedness between individuals, employers, healthcare providers, insurance companies, and third-party vendors means that a breach at one node can cascade throughout the entire ecosystem.
To their line-up of existing cyber threats, healthcare organizations must now add a new category: vulnerabilities in AI applications and agents. From automating patient intake processes to aiding in diagnostics and clinical decision-making, AI can unlock new efficiencies in healthcare, but each implementation also opens up new ‘attack surfaces’ for bad actors to target.
How healthcare facilities use AI
Since the Covid-19 pandemic strained healthcare systems to the breaking point, staff shortages have only worsened. Hospitals and health centers have been forced to prioritize efficiency and are looking for ways to optimize operations without compromising patient care.
In this context, healthcare administrators, nurses, and physicians are investing in AI applications and agents to streamline administrative work, freeing them up for face-to-face time with patients. Beyond administrative tasks, AI research tools can search across medical record databases and entire libraries of scientific literature to gather background information, assisting physicians in their diagnoses.
Ahead of an appointment, AI can be used to summarize a patient’s medical history and reason for visiting; doctors can also employ AI to listen in to an appointment and create a summary of next steps.
AI agents offer additional capability by accessing tools—digital and physical—and datasets to complete a task. Agents consist of three layers: a purpose, a ‘brain’ based on the underlying AI model(s), and tools to carry out tasks. Agents can be configured to carry out their purpose with little or no human intervention.
In healthcare settings, agents with access to internal systems and data can run staff “rotas,” automate appointments, catalogue paperwork, and even flag errors or important medical history. They can also streamline the referral process by finding doctors close to a patient for a subsequent consultation.
For claims, AI agents can correspond with insurance companies and provide research on coverage for appeals or help align treatment codes with payer guidelines for proper reimbursement. The first AI voice agent purpose-built to field patient billing questions was recently launched, reducing hold times and freeing healthcare providers up for other important work.
In the not-so-distant future, hospitals may task agents with managing building security systems and energy usage, as well as monitoring patients in specific cases, such as administering IV drips.
The agentic threat epidemic
Across all industries, 93% of IT leaders plan to adopt AI agents in the next two years, reflecting the promise of efficiency benefits. However, the introduction of agents brings increased security risks, given their ability to autonomously access internal systems, software tools, and datasets. In a sensitive setting such as healthcare, the stakes for success or failure are higher.
Think of an AI agent like a personal assistant in a secure vault—valuable and efficient but vulnerable to being exploited if it’s not up to speed in security terms. If bad actors gain control of an AI agent that has access to patient records, physician calendars, or a hospital’s operating systems, they can gain access to highly sensitive data as well as intel that can help them hack non-agentic systems.
Hackers exploit susceptibilities in the AI agents themselves, whether through poorly configured access controls, integration weaknesses, or unpatched third-party systems with which they communicate. Once they gain control, hackers use precisely engineered prompts to force agents to carry out data mining and systems infiltration tasks.
The primary difference between hacking an AI agent and traditional hacking methods is that an agent already has access to internal systems and can autonomously execute multiple operations simultaneously. As a result, by the time a company’s IT team realizes an AI agent has been compromised, it may have already mined every employee’s calendar, patient records, and financial databases.
Model Context Protocol hides dangers
The growing adoption of Model Context Protocol (MCP) as a framework for agents to interact with software tools and data across multiple platforms promises to make the deployment of AI agents easier and more effective. However, the interconnectivity MCP enables will also introduce new dangers.
Think of MCP as the circulatory system: just as the bloodstream can carry both nutrients and toxins to all parts of the body, the streamlined access that MCP allows can speed the transmission of adversarial prompts or poisoned data to agents, leading to system-wide disruptions.
If an AI agent has access to both patient databases and internal email systems through MCP, attackers could leverage these connections to exfiltrate private data through email or inject malicious content into databases. To counter the threats posed by AI agents, organizations must combine novel and time-tested security strategies for effective protection.
Strategies for securing AI
By conducting extensive cybersecurity audits on an agent before integration, organizations can prevent vulnerabilities from ever being introduced to their wider systems. This process involves probing data access points, testing for potential unauthorized interactions, and attempting to jailbreak the agent using engineered prompts through automated red teaming.
AI systems must also have multi-layered security defenses such as access controls and data encryption. For agents already installed, companies should limit access to sensitive data using “least privilege” principles to prevent overreach. This is especially important when using MCP to reduce the risk of malicious actions between agents.
While hackers can often still find ways to skirt around access controls, they provide a worthwhile first line of defense. Continuous red teaming comes into play here, enabling organizations to stay constantly ahead of new jailbreaking strategies and identify system weaknesses before they can be exploited.
Just as hospitals have plans in place for viral outbreaks, physical attacks, and cyber breaches, they must have comprehensive incident response frameworks for breaches carried out by or on AI systems. A clear roadmap should exist to mitigate damage and inform key stakeholders.
To keep IT systems healthy, security professionals in healthcare and beyond should safeguard the AI agents they install from emerging threats through preemptive stress testing and consistent threat monitoring. To paraphrase a popular saying, a red team a day keeps the hackers away.
