Data Poisoning Vulnerabilities Across Healthcare AI Architectures: A Security Threat Analysis

TL;DR

Healthcare AI systems are highly vulnerable to data poisoning attacks from insiders and supply chain threats, often with minimal samples and long detection times, necessitating improved defenses and regulatory standards.

Contribution

This paper provides a comprehensive analysis of data poisoning vulnerabilities across diverse healthcare AI architectures and highlights the need for enhanced security measures and regulations.

Findings

Attackers can compromise AI with only 100-500 samples.

Detection of poisoning often takes 6-12 months or is not detected.

Supply chain attacks can affect 50-200 institutions.

Abstract

Healthcare AI systems face major vulnerabilities to data poisoning that current defenses and regulations cannot adequately address. We analyzed eight attack scenarios in four categories: architectural attacks on convolutional neural networks, large language models, and reinforcement learning agents; infrastructure attacks exploiting federated learning and medical documentation systems; critical resource allocation attacks affecting organ transplantation and crisis triage; and supply chain attacks targeting commercial foundation models. Our findings indicate that attackers with access to only 100-500 samples can compromise healthcare AI regardless of dataset size, often achieving over 60 percent success, with detection taking an estimated 6 to 12 months or sometimes not occurring at all. The distributed nature of healthcare infrastructure creates many entry points where insiders with routine access can launch attacks with limited technical skill. Privacy laws such as HIPAA and GDPR can unintentionally shield attackers by restricting the analyses needed for detection. Supply chain weaknesses allow a single compromised vendor to poison models across 50 to 200 institutions. The Medical Scribe Sybil scenario shows how coordinated fake patient visits can poison data through legitimate clinical workflows without requiring a system breach. Current regulations lack mandatory adversarial robustness testing, and federated learning can worsen risks by obscuring attribution. We recommend multilayer defenses including required adversarial testing, ensemble-based detection, privacy-preserving security mechanisms, and international coordination on AI security standards. We also question whether opaque black-box models are suitable for high-stakes clinical decisions, suggesting a shift toward interpretable systems with verifiable safety guarantees.