Data Poisoning Vulnerabilities Across Healthcare AI Architectures: A Security Threat Analysis

• URL: http://arxiv.org/abs/2511.11020v1
• Date: Fri, 14 Nov 2025 07:16:16 GMT
• Title: Data Poisoning Vulnerabilities Across Healthcare AI Architectures: A Security Threat Analysis
• Authors: Farhad Abtahi, Fernando Seoane, Iván Pau, Mario Vega-Barbas,
• Abstract summary: We analyzed eight attack scenarios in four categories: architectural attacks on convolutional neural networks, large language models, and reinforcement learning agents.<n>Our findings indicate that attackers with access to only 100-500 samples can compromise healthcare AI regardless of dataset size.<n>We recommend multilayer defenses including required adversarial testing, ensemble-based detection, privacy-preserving security mechanisms, and international coordination on AI security standards.
• Score: 39.89241412792336
• License: http://creativecommons.org/licenses/by-nc-sa/4.0/
• Abstract: Healthcare AI systems face major vulnerabilities to data poisoning that current defenses and regulations cannot adequately address. We analyzed eight attack scenarios in four categories: architectural attacks on convolutional neural networks, large language models, and reinforcement learning agents; infrastructure attacks exploiting federated learning and medical documentation systems; critical resource allocation attacks affecting organ transplantation and crisis triage; and supply chain attacks targeting commercial foundation models. Our findings indicate that attackers with access to only 100-500 samples can compromise healthcare AI regardless of dataset size, often achieving over 60 percent success, with detection taking an estimated 6 to 12 months or sometimes not occurring at all. The distributed nature of healthcare infrastructure creates many entry points where insiders with routine access can launch attacks with limited technical skill. Privacy laws such as HIPAA and GDPR can unintentionally shield attackers by restricting the analyses needed for detection. Supply chain weaknesses allow a single compromised vendor to poison models across 50 to 200 institutions. The Medical Scribe Sybil scenario shows how coordinated fake patient visits can poison data through legitimate clinical workflows without requiring a system breach. Current regulations lack mandatory adversarial robustness testing, and federated learning can worsen risks by obscuring attribution. We recommend multilayer defenses including required adversarial testing, ensemble-based detection, privacy-preserving security mechanisms, and international coordination on AI security standards. We also question whether opaque black-box models are suitable for high-stakes clinical decisions, suggesting a shift toward interpretable systems with verifiable safety guarantees.

Related papers

• A Practical Framework for Evaluating Medical AI Security: Reproducible Assessment of Jailbreaking and Privacy Vulnerabilities Across Clinical Specialties [11.500745861209774]
  Medical Large Language Models (LLMs) are increasingly deployed for clinical decision support across diverse specialties.<n>Existing security benchmarks require GPU clusters, commercial API access, or protected health data.<n>We propose a practical, fully reproducible framework for evaluating medical AI security under realistic resource constraints.
  arXiv  Detail & Related papers  (2025-12-09T02:28:15Z)
• Medical Malice: A Dataset for Context-Aware Safety in Healthcare LLMs [0.0]
  This work advocates for a shift from universal to context-aware safety.<n>It provides the necessary resources to immunize AI against the nuanced, systemic threats inherent to high-stakes medical environments.
  arXiv  Detail & Related papers  (2025-11-24T11:55:22Z)
• Adversarially-Aware Architecture Design for Robust Medical AI Systems [0.0]
  Adversarial attacks pose a severe risk to AI systems used in healthcare.<n>Our study explores these vulnerabilities through empirical experimentation on a dermatological dataset.<n>We conclude with a call for integrated technical, ethical, and policy-based approaches to build more resilient, equitable AI in healthcare.
  arXiv  Detail & Related papers  (2025-10-23T16:51:11Z)
• Beyond Benchmarks: Dynamic, Automatic And Systematic Red-Teaming Agents For Trustworthy Medical Language Models [87.66870367661342]
  Large language models (LLMs) are used in AI applications in healthcare.<n>Red-teaming framework that continuously stress-test LLMs can reveal significant weaknesses in four safety-critical domains.<n>A suite of adversarial agents is applied to autonomously mutate test cases, identify/evolve unsafe-triggering strategies, and evaluate responses.<n>Our framework delivers an evolvable, scalable, and reliable safeguard for the next generation of medical AI.
  arXiv  Detail & Related papers  (2025-07-30T08:44:22Z)
• Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition [101.86739402748995]
  We run the largest public red-teaming competition to date, targeting 22 frontier AI agents across 44 realistic deployment scenarios.<n>We build the Agent Red Teaming benchmark and evaluate it across 19 state-of-the-art models.<n>Our findings highlight critical and persistent vulnerabilities in today's AI agents.
  arXiv  Detail & Related papers  (2025-07-28T05:13:04Z)
• MedSentry: Understanding and Mitigating Safety Risks in Medical LLM Multi-Agent Systems [24.60202452646343]
  We introduce MedSentry, a benchmark 5 000 adversarial medical prompts spanning 25 categories with 100 subthemes.<n>We develop an end-to-end attack-defense evaluation pipeline to analyze how four representative multi-agent topologies withstand attacks from 'dark-personality' agents.
  arXiv  Detail & Related papers  (2025-05-27T07:34:40Z)
• CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
  We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations.<n>It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature.<n>We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
  arXiv  Detail & Related papers  (2025-05-14T13:37:07Z)
• Breaking the Flow and the Bank: Stealthy Cyberattacks on Water Network Hydraulics [3.360922672565235]
  Stealthy False Data Injection Attacks (SFDIAs) can compromise system operations while avoiding detection.<n>This paper presents a systematic analysis of sensor attacks against water distribution networks (WDNs)<n>We propose several attack formulations that range from tailored strategies satisfying both physical and detection constraints to simpler measurement manipulations.
  arXiv  Detail & Related papers  (2025-04-24T02:54:20Z)
• IDU-Detector: A Synergistic Framework for Robust Masquerader Attack Detection [3.3821216642235608]
  In the digital age, users store personal data in corporate databases, making data security central to enterprise management. Given the extensive attack surface, assets face challenges like weak authentication, vulnerabilities, and malware. We introduce the IDU-Detector, integrating Intrusion Detection Systems (IDS) with User and Entity Behavior Analytics (UEBA) This integration monitors unauthorized access, bridges system gaps, ensures continuous monitoring, and enhances threat identification.
  arXiv  Detail & Related papers  (2024-11-09T13:03:29Z)
• Illusory Attacks: Information-Theoretic Detectability Matters in Adversarial Attacks [76.35478518372692]
  We introduce epsilon-illusory, a novel form of adversarial attack on sequential decision-makers. Compared to existing attacks, we empirically find epsilon-illusory to be significantly harder to detect with automated methods. Our findings suggest the need for better anomaly detectors, as well as effective hardware- and system-level defenses.
  arXiv  Detail & Related papers  (2022-07-20T19:49:09Z)
• The Feasibility and Inevitability of Stealth Attacks [63.14766152741211]
  We study new adversarial perturbations that enable an attacker to gain control over decisions in generic Artificial Intelligence systems. In contrast to adversarial data modification, the attack mechanism we consider here involves alterations to the AI system itself.
  arXiv  Detail & Related papers  (2021-06-26T10:50:07Z)
• Can't Boil This Frog: Robustness of Online-Trained Autoencoder-Based Anomaly Detectors to Adversarial Poisoning Attacks [26.09388179354751]
  We present the first study focused on poisoning attacks on online-trained autoencoder-based attack detectors. We show that the proposed algorithms can generate poison samples that cause the target attack to go undetected by the autoencoder detector. This finding suggests that neural network-based attack detectors used in the cyber-physical domain are more robust to poisoning than in other problem domains.
  arXiv  Detail & Related papers  (2020-02-07T12:41:28Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.