Clinicians using public AI tools without approval—cyber risks ahead


A growing trend reveals that clinicians are turning to readily available, public-facing AI tools and Large Language Models (LLMs) (such as general-purpose chatbots) for clinical assistance without formal institutional approval. This phenomenon, known as "Shadow AI," poses immediate and severe cybersecurity and compliance risks. When patient data is copied or pasted into a public LLM, that data is transferred to a third-party server that is not covered by a Business Associate Agreement (BAA) and is not HIPAA-compliant.

This practice results in an instant HIPAA violation and leads to accidental data exposure without triggering firewalls or alerts. Experts warn that Shadow AI has quickly become the most overlooked threat in digital health. Health systems must urgently implement clear governance policies to restrict the use of non-approved AI tools and instead offer validated, secure, and institutionally monitored LLM resources. The solution lies not in banning AI, but in integrating approved, privacy-compliant AI systems that keep all processing within secure data centers.

Read the original article at https://www.insurancejournal.com/news/international/2025/11/21/848596.htm


Our Opinion: This shows that clinicians are desperate for better and easily available tools, and the easiest tool they find now is the nearest publicly accessible chatbot. The solution is to make an AI-enabled, secure, and HIPAA-compliant alternative readily available. This gives them the convenience they crave while ensuring all data remains within the approved institutional firewall.


Follow us on Instagram, Twitter, and Facebook to stay up to date with what's new in healthcare all around the world.
 

Comments

Post a Comment

Popular posts from this blog

Cybersecurity in Healthcare insights: 27th Nov- 3rd Dec 2025

Image
  New US federal security standards prompt healthcare cybersecurity overhaul Proposed updates to federal healthcare cybersecurity standards, introduced in late 2024, represent the first major overhaul of the HIPAA Security Rule in decades. These changes, aimed at addressing modern threats like AI and quantum computing, mandate that HIPAA-covered entities implement rigorous measures such as data encryption, multifactor authentication, and regular security audits. Crucially, they also require written procedures to restore critical systems within 72 hours of an incident. While necessary, compliance comes with a steep price tag, HHS estimates first-year costs at approximately $9 billion. This financial burden poses a significant challenge for smaller hospitals lacking the resources of large health systems. To bridge this gap, experts suggest leveraging staff augmentation through managed service providers (MSPs) and adopting AI-driven threat detection tools to enhance security without e...
Read more

Cybersecurity in Healthcare Insights: 20th Nov- 26th Nov 2025

Image
  Texas Senate Bill 1188 adds data-localisation, AI transparency and access controls Texas has introduced a stringent new healthcare data law, Senate Bill 1188, which significantly expands data protection requirements beyond federal HIPAA standards. The bill mandates that all patient data be stored physically within the United States, effectively banning offshore cloud storage for Texas residents' health records. Additionally, it enforces stricter role-based access controls, ensuring that only employees with a direct need for treatment, payment, or operations can access sensitive files. The legislation also targets the growing use of artificial intelligence in medicine. Providers must now disclose to patients when AI is used in their diagnosis or treatment. The bill imposes severe financial penalties for non-compliance, with fines reaching up to $250,000 for intentional violations involving financial gain. These measures signal a shift toward more aggressive state-level privacy reg...
Read more

Healthcare vendor breach: 1.2 million files alleged stolen—patients exposed

Image
  A significant data security incident involving a healthcare technology firm, Doctor Alliance (a HIPAA business associate) , has allegedly led to the theft of over 1.2 million patient files . The breach, claimed by a hacker demanding a large ransom, reportedly involved the exfiltration of 353 GB of data, including highly sensitive Protected Health Information (PHI) such as names, medical record numbers, diagnoses, treatment plans, and Medicare numbers. The company provides document management and billing services to numerous healthcare organizations, which explains the large volume of compromised records. This incident is a critical reminder of the acute risk posed by third-party vendors in the healthcare supply chain. These business associates often have access to vast datasets while lacking the robust security controls of the hospitals they serve. The exposure of medical records poses severe long-term risks for patients, including medical identity theft and insurance fraud , a...
Read more