ASTRO 2023: AI Cybersecurity in Healthcare

(UroToday.com) The 2023 ASTRO annual meeting included a session on exploring ethical and legal implications of artificial intelligence in medical practice, featuring a presentation by Dr. Rashimi Jaggard discussing artificial intelligence cybersecurity in healthcare.


John McCarthy defines artificial intelligence as “the science and engineering of making intelligent machines, especially intelligent computer programs. It is related to the similar task of using computers to understand human intelligence, but artificial intelligence does not have to confine itself to biologically observable methods.” Machine learning focuses on the design and evaluation of algorithms and on the use of data to extract patterns that imitate the human learning process. Algorithms are trained on data to detect patterns and make predictions or recommendations in response to explicit instructions, and their efficacy can be improved through further training over time. There are several everyday examples of machine learning:

  • Fraud detection
  • Social media content and search engine results
  • Image recognition


Because they depend on large volumes of data, artificial intelligence and machine learning systems are at high risk of attack. Healthcare cybersecurity is a strategic imperative for any organization in the medical sector – from healthcare providers to insurers to pharmaceutical, biotechnology, and medical device companies. It involves a variety of measures to protect organizations from external and internal cyber attacks, and it ensures the availability of medical services, the proper operation of medical systems and equipment, the preservation of the confidentiality and integrity of patient data, and compliance with industry regulations.

There are several institutions for general security and privacy:

  • US Department of Health and Human Resources and Healthcare and Public Sector Coordinating Councils: “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” provides a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to help healthcare organizations reduce cyber risk
  • The HIPAA Security Rule, 1996: this established national standards to protect individuals’ electronic personal health information (ePHI). The Federal Security Rule mandates compliance with administrative, physical, and technical safeguards to ensure ePHI’s confidentiality, integrity, and security, including, among others, access control
  • National Institute of Standards & Technology (NIST): “HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework” maps HIPAA Security Rule standards and implementation specifications to the applicable NIST Cybersecurity Framework sub-categories

There are several current threats to the healthcare industry. Healthcare organizations spend only 4-7% of their total IT budgets on cybersecurity, and 4 in 5 US physicians have experienced some form of cybersecurity attack. The IBM X-Force Threat Intelligence Index (2017) noted that the healthcare industry, which fell just outside the top five in terms of records breached, continued to be beleaguered by a high number of incidents; however, attackers focused on small targets, resulting in a lower number of leaked records in the industry. A study from IBM Security and the Ponemon Institute suggests that the cost of a data breach for healthcare organizations rose from $380 per breached record in 2017 to $408 per record in 2018. Importantly, across all industries, healthcare has the highest cost per data breach:

[Figure: cost of a data breach by industry]

Of note, if a breach affects fewer than 500 individuals, organizations have until the end of each calendar year to notify the HHS Office for Civil Rights or the Federal Trade Commission. Breaches affecting 500 or more individuals must be reported to the appropriate agency and to the local media within 60 days – failure to do so attracts stiffer HIPAA violation penalties from the HHS Office for Civil Rights or a fine of up to $46,517 per day from the Federal Trade Commission. The HIPAA violation penalties according to the Office for Civil Rights are as follows:

[Figure: HIPAA violation penalty tiers]

In general, there has been an upward trend in the number of records exposed each year, with a massive increase in 2015, which was the worst year in history for breached healthcare records – more than 112 million records were exposed or impermissibly disclosed. 2015 was particularly bad because of three massive data breaches at health plans: Anthem Inc, Premera Blue Cross, and Excellus. The Anthem breach affected 78.8 million of its members, with the Premera Blue Cross and Excellus data breaches each affecting around 10 million individuals:

[Figure: healthcare records exposed per year]

The two most common types of data breach are hacking and ransomware attacks, with the following figure highlighting hacking/IT incidents from 2009 to July 2023:

[Figure: hacking/IT incidents, 2009 – July 2023]

To prevent attacks, it is crucial to look at all aspects of the potential targets, from the training data to the deployed model:

[Figure: overview of an AI model in healthcare]
Dr. Jaggard concluded her presentation by highlighting that there are four liability theories in healthcare:

  • Medical malpractice liability
  • Enterprise liability
  • Joint and several liability
  • Product liability

Presented by: Rashimi Jaggard, University of Oklahoma Health Sciences Center, Oklahoma City, OK

Written by: Zachary Klaassen, MD, MSc – Urologic Oncologist, Associate Professor of Urology, Georgia Cancer Center, Wellstar MCG Health, @zklaassen_md on Twitter during the 2023 American Society of Radiation Oncology (ASTRO) Annual Meeting, San Diego, CA, Sun, Oct 1 – Wed, Oct 4, 2023.