The healthcare sector faces escalating risks from third-party security threats, a concern that has intensified with the rising implementation of artificial intelligence by vendors. Rick Doten, an independent consultant and former Chief Information Security Officer (CISO) of a prominent managed healthcare organization, emphasizes the need for healthcare providers to rigorously evaluate how their vendors utilize AI technologies.
Entities handling protected health information (PHI) under HIPAA must vet the business associates and other third parties that touch that data, and Doten says the vetting now has to cover two AI-specific questions: what data an AI component collects, and how any AI-driven agent interacts with sensitive systems. Evaluators should ask up front which models a vendor uses, whether those models are public or private, and whether they are used only for analytics or also to take action.
Doten stresses that understanding what data is being collected is the starting point, and that the concern goes beyond protecting the data to how it is used. The questions he wants asked include whether an AI system might collect PHI it does not need for its stated purpose, and whether it is designed to run processes that could expose sensitive information beyond what that purpose requires.
In an audio interview with Information Security Media Group, Doten addressed a range of topics pertinent to today’s healthcare cybersecurity landscape. His insights covered how to effectively engage with vendors during disruptive security events, the availability of resources to assist smaller healthcare providers in managing their cybersecurity risks, and the complexities associated with conducting HIPAA security risk analyses, which pose challenges for many regulated entities.
With a distinguished career that includes roles at Centene Corp as CISO and vice president of information security, Doten serves on the Cloud Security Alliance CXO Trust Advisory Council and is involved with local cybersecurity chapters. His expertise extends to evaluating security technologies for venture capital and advising several startups, solidifying his authority in the realm of cybersecurity challenges in healthcare.
This discussion of third-party risk, particularly around vendors' use of AI, matters for healthcare providers facing a threat landscape that keeps changing. Vendor compromise is a recognized route into a provider's environment; the MITRE ATT&CK framework describes tactics such as initial access and persistence that an attacker who has compromised a third party can use, which gives organizations a shared vocabulary for reasoning about where a vendor's access could lead.
As vendors build AI into healthcare operations, the responsibility for oversight stays with the provider, which must confirm that vendor systems meet regulatory requirements and protect patient data. As the threats change, the mitigation strategies have to change with them, which means ongoing education and adjustment as new vulnerabilities emerge.