Full Report
At a time when tech companies want to make AI tools as standard-issue as stethoscopes, the technology is seemingly everywhere in the healthcare industry. But some of its use still remains in the shadows, so to speak—ungoverned by workplaces and rife with security and patient safety risks, experts said. This so-called “shadow AI” remains problematic,…
Analysis Summary
# Main Topic
The proliferation and security implications of "Shadow AI" within the healthcare industry, characterized by the use of ungoverned, unauthorized Artificial Intelligence tools that introduce significant security and patient safety risks.
## Key Points
- A significant portion (17%) of surveyed healthcare workers admitted to using unauthorized AI tools in the workplace.
- Two out of five healthcare workers surveyed encountered such unauthorized AI tools but refrained from using them.
- The primary driver for Shadow AI use appears to be a lack of clarity regarding which AI tools are permitted, or a lack of understanding of how input data is used by AI providers for training purposes.
- The use of Shadow AI exposes organizations to unspecified security risks and risks to patient safety standards.
## Threat Actors
- **Threat Actors:** Not explicitly named, but the risk originates from *healthcare workers* operating outside official governance structures by adopting **unauthorized third-party AI tools**.
## TTPs
- **Techniques Used:** Adoption and utilization of unvetted, unmanaged third-party AI tools in professional workflows (Shadow IT extension).
- **Data Handling Risk:** Data input into these unauthorized systems might be used by the external AI companies for training purposes, constituting a potential data leakage vector.
## Affected Systems
- **Affected Sector:** Healthcare Industry.
- **Scope:** Systems and workflows managed or utilized by healthcare workers leveraging unauthorized AI applications.
## Mitigations
- **Governance Clarity:** Organizations need to establish and clearly communicate policies detailing which AI technologies are authorized for workplace use.
- **Education:** Training efforts should focus on ensuring staff understand the risks associated with data entered into external AI systems, particularly its potential use for training models.
## Conclusion
Shadow AI represents a critical, ongoing governance gap in healthcare technology adoption, contrasting with the industry's move toward standardized AI integration. The main threat is driven by operational uncertainty among staff, leading to the inadvertent exposure of sensitive workflows and data via ungoverned AI platforms. Prioritizing clear policy enforcement and robust staff education is essential to mitigate data security and patient safety hazards.