Healthcare faces an AI-fueled cybersecurity crisis. Attackers are increasingly using AI to enhance their methods. Cybercrime has skyrocketed in recent years, leading to billions of dollars in losses for Americans. As global law enforcement agencies and the cyber community race to combat scam operations, cybercriminals’ methods are becoming increasingly sophisticated, powered by AI.
At the same time, AI use in healthcare is increasingly common. AI changes not only how cyber-attacks are shaped but also the way our medical devices are programmed, and a lack of security could cost human lives. Sixty-six percent of physicians are now using healthcare AI in 2024, up 78% from 38% in 2023. The top AI applications are in administration, documentation of billing codes, and medical charts, but AI is also being used within clinical procedures. That market is projected to grow from $26.57 billion in 2024 to $187.69 billion by 2030, with 79% of healthcare organizations utilizing AI. The bottom line is that AI adoption nearly doubled among physicians in one year.
However, while AI usage is exploding, healthcare organizations are struggling to secure their AI systems, creating unprecedented risks to patient safety and data privacy. Studies have suggested that AI generates 5-20% error rates. One AI risk in healthcare is AI hallucinations. Clinical decision support systems have a 5-10% misdiagnosis rate, while those with hallucinations have an 8-20% rate. Medical errors are the third leading cause of death in the US. In addition, studies indicate that AI can perpetuate racial bias, create legal uncertainty, and threaten patient safety.
While healthcare practitioners obviously need to keep abreast of the rapid technological changes and challenges they face, the issues raised by the AI revolution are systemic in nature. Corporate governance models need to adapt to the new environment, embracing the “do no harm” mantra at an institutional level.
Healthcare facilities can best mitigate the risks of using AI by adapting the governance principles embedded in the Cyber Risk Oversight Handbooks produced by the National Association of Corporate Directors and the Internet Security Alliance, and in the AI in Cybersecurity: Special Supplement the organizations produced in 2025. The handbooks are available free of charge from either NACD (www.nacdonline.org) or ISA (www.isalliance.org). They have been independently assessed by a variety of entities, including PwC and MIT, and shown to enhance risk management and reduce negative cybersecurity incidents by up to 80%.
The key recommendation in the handbooks is for entities to treat AI as a strategic driver of care, not simply as an “IT issue.” This means that the healthcare institution needs to adopt an enterprise-wide risk management approach to AI, including developing a sophisticated risk assessment program that identifies risks using an empirical method tied to the business model of the institution. Only by following such a process can the facility accurately define its risk appetite and develop strategies to eliminate, mitigate or transfer these risks in a fashion that will be sustainable for the organization, allowing it to maintain appropriate standards of care.
Of course, the NACD-ISA publications were developed with respect to a traditional healthcare delivery model. AI also opens up new possibilities for healthcare to operate in a more decentralized model, which may generate additional advantages. How the governance principles can be adapted to a more decentralized healthcare model will be the subject of our next post.
NOTE: I’m delighted to be keynoting ConV2X: Blockchain and Emerging Tech in Healthcare and Life Sciences next week in Boston. My focus will be on board oversight of AI in healthcare and will build on the work the Internet Security Alliance and the National Association of Corporate Directors did earlier this year producing AI in Cybersecurity: Special Supplement to the NACD-ISA Director’s Handbook on Cyber Risk Oversight. In a series of posts, I will highlight some of the issues I intend to raise at next week’s conference.