
Accepted for/Published in: Journal of Medical Internet Research

Date Submitted: Nov 17, 2025
Open Peer Review Period: Nov 17, 2025 - Jan 12, 2026
Date Accepted: Dec 12, 2025

The final, peer-reviewed published version of this preprint can be found here:

Data Poisoning Vulnerabilities Across Health Care Artificial Intelligence Architectures: Analytical Security Framework and Defense Strategies

Abtahi F, Seoane F, Pau I, Vega M

Data Poisoning Vulnerabilities Across Health Care Artificial Intelligence Architectures: Analytical Security Framework and Defense Strategies

J Med Internet Res 2026;28:e87969

DOI: 10.2196/87969

PMID: 41575020

PMCID: 12881903

Data Poisoning Vulnerabilities Across Healthcare AI Architectures: Analytical Security Framework and Defense Strategies

  • Farhad Abtahi
  • Fernando Seoane
  • Ivan Pau
  • Mario Vega

ABSTRACT

Background:

Healthcare artificial intelligence (AI) systems are increasingly integrated into clinical workflows yet remain vulnerable to data poisoning attacks. A small number of manipulated training samples can compromise AI models used for diagnosis, documentation, and resource allocation. Existing privacy regulations, including HIPAA and GDPR, may inadvertently complicate anomaly detection and cross-institutional auditing, thereby limiting visibility into adversarial activity.

Objective:

This study provides a comprehensive threat analysis of data poisoning vulnerabilities across major healthcare AI architectures. The goals are to (1) identify attack surfaces in clinical AI systems, (2) evaluate the feasibility and detectability of poisoning attacks demonstrated in prior security research, and (3) propose a multi-layered defense framework appropriate for healthcare settings.

Methods:

We synthesized empirical findings from 41 key security studies published between 2019 and 2025 and integrated them into an analytical threat modeling framework specific to healthcare. We constructed eight hypothetical yet technically grounded attack scenarios across four categories: (A) architecture-specific attacks on CNNs, LLMs, and reinforcement learning agents; (B) infrastructure exploitation in federated learning and clinical documentation pipelines; (C) poisoning of critical resource allocation systems; and (D) supply chain attacks affecting commercial foundation models. Scenarios were aligned with realistic insider-access threat models and current clinical deployment practices.

Results:

Multiple empirical studies across diverse model sizes and datasets suggest that attackers with access to as few as 100–500 poisoned samples can compromise healthcare AI systems regardless of dataset scale, with attack success rates typically ≥60%. We estimate that detection delays commonly range from 6–12 months and may extend to years in distributed or privacy-constrained environments. Analytical scenarios highlight that (1) routine insider access creates numerous injection points across healthcare data infrastructure, (2) federated learning amplifies risks by obscuring attribution, and (3) supply chain compromises can simultaneously affect dozens to hundreds of institutions. Privacy regulations further complicate cross-patient correlation and model audit processes, substantially delaying the detection of subtle poisoning campaigns.

Conclusions:

Healthcare AI systems face significant security challenges that current regulatory frameworks and validation practices do not adequately address. We propose a multi-layered defense strategy that combines ensemble disagreement monitoring, adversarial testing, privacy-preserving yet auditable mechanisms, and strengthened governance requirements. Ensuring patient safety may require shifting from opaque, high-performance models toward more interpretable and constraint-driven architectures with verifiable robustness guarantees.

Clinical Trial:

This study did not involve human subjects or the collection, use, or analysis of personal or patient data. The research presents an analytical examination of data poisoning vulnerabilities in healthcare AI systems through theoretical attack scenarios and defense frameworks. As no human participants were involved and no personal data was accessed or processed, ethical approval was not required for this work. All examples and scenarios presented are hypothetical constructs designed to illustrate potential security vulnerabilities and do not reflect actual patient data, clinical records, or identifiable health information.
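The Conclusions name ensemble disagreement monitoring as one defensive layer. The following is an added illustration of that idea, not code from the paper: it slides a window over the label votes of an ensemble, alerts when the share of samples with any disagreement exceeds a baseline, and names the member that dissents most often so auditors know whose training data to inspect first. The member count, window size, threshold and vote stream are all constructed assumptions.

```python
"""Ensemble disagreement monitoring (added example; constructed votes, no patient data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Alert:
    window_start: int        # index of the first sample in the flagged window
    disagreement_rate: float  # fraction of samples in the window without consensus
    suspect_model: int        # member that dissented from the majority most often


def disagreement(votes):
    """True when the ensemble members do not all return the same label."""
    return len(set(votes)) > 1


def monitor(predictions, window=20, threshold=0.25):
    """predictions: list of per-sample vote tuples, one label per member.

    Returns one Alert per non-overlapping window whose disagreement rate
    exceeds `threshold`. The baseline threshold is an assumption; in practice
    it would be set from validation data where all members are trusted.
    """
    alerts = []
    for start in range(0, len(predictions) - window + 1, window):
        chunk = predictions[start:start + window]
        rate = sum(disagreement(v) for v in chunk) / window
        if rate > threshold:
            dissent = Counter()
            for votes in chunk:
                majority = Counter(votes).most_common(1)[0][0]
                for member, label in enumerate(votes):
                    if label != majority:
                        dissent[member] += 1
            suspect = dissent.most_common(1)[0][0] if dissent else -1
            alerts.append(Alert(start, rate, suspect))
    return alerts


def constructed_stream():
    """Constructed votes from a 3-member ensemble over 40 samples.

    The first 20 samples are unanimous. In the second 20, member 2 starts
    returning label 1 on inputs the other members call 0, mimicking a member
    whose training data was poisoned (8 of 20 samples disagree).
    """
    clean = [(0, 0, 0), (1, 1, 1)] * 10
    drift = [(0, 0, 1) if i % 5 < 2 else (0, 0, 0) for i in range(20)]
    return clean + drift
```

Running `monitor(constructed_stream())` yields a single alert for the window starting at sample 20 with a disagreement rate of 0.4 and member 2 as the suspect.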



© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a CC-BY license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.