AI security starts with awareness and governance

Akron Children's Hospital Chief Information Security Officer Deepesh Randeri discusses the importance of fundamental governance processes, from the front end (most important, he says) to the back.
By Bill Siwicki, Managing Editor
Deepesh Randeri, CISO and vice president of information security and infrastructure at Akron Children's Hospital

Photo: Deepesh Randeri

The hype level is high for artificial intelligence in healthcare, of course, both for administrative applications and with some key clinical use cases. But the promise is real. Early results are coming in, and they're showing that AI can help everyone from coders to surgeons.

But AI is also opening new security vulnerabilities for hospitals and health systems.

Akron Children's Hospital has a structured approach for implementing AI – and any new technology – within its four walls, says Deepesh Randeri, chief information security officer and VP of information security and infrastructure.

"We require all organizational units within the hospital to follow this process," Randeri explained, "whether it is through the new technology committee, the AI governance committee, the CEO council, to ensure we have a standard of care, cost optimization, return on investment and, most important, security embedded to ensure a successful implementation."

Due diligence

Akron Children's has strict due diligence requirements for new technologies; any new vendor or system entering the organization must go through a rigorous vetting procedure.

"We do not allow equipment or systems to be implemented unless there are checks and balances," said Randeri. "Because we have a centralized IT department, we have our staff who have been trained and know they cannot connect any devices to the network or implement any systems unless the devices and systems have been through the vetting process.

"To secure AI, we have to make sure the technology goes through a governance process, and that we take into consideration on the front end and the back end of this process that the system that has been slated for implementation provides the security standards originally intended," he continued.

Many healthcare organizations are very good at making sure there is AI governance at the front end of any new system – the problem becomes who monitors AI at the back end once it has been implemented, he added.

No bias, plenty of guardrails

"How do you ensure there is no bias that has been introduced?" Randeri said. "How do you ensure the system that has been approved is the system that has been implemented? How do you ensure the guardrails mentioned during the governance process have in fact been implemented?

"So, having that oversight from the beginning to the end is something organizations must follow in order to have a successful implementation," he continued. "And that's what we strive for."

Hospital and health system C-suite executives and other health IT leaders within these provider organizations have a variety of tasks that come with AI security.

"First and foremost, the tone at the top has to be strong," Randeri stated. "Security is everyone's business. It does not start at the top, and it does not start at the bottom. But having a strong tone at the top ensures even the executive suite is well aware of the security implications. With any new technology, whether it's AI now or whether it was the mainframes back in the 1990s, ensuring there are proper guardrails in place is paramount.

No more moats

"We have moved away from the moat principle of having security around the boundary to security in the cloud to identity being the new security," he explained. "So, we have to be cognizant of all of these things that the new technology is going to be bringing. Just like phishing is one of the easiest ways for threat actors to get into anybody's environment, so, too, are these technologies."

And it's not just technologies that only reside at third-party locations, he added.

"It can be technologies that reside on a healthcare organization's premises itself," he concluded. "If the proper controls are not implemented to safeguard the technology, the people and the process, there could be potential security incidents."

Follow Bill's health IT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.
