Poisoned pixels, phishing, prompt injection: Cybersecurity threats in AI-driven radiology

Brendan S. Kelly

Image source: ESR 

Valuable health data, fragmented security standards and a vast network of connected systems, often operating on legacy software – it’s not surprising that healthcare is such an attractive – and vulnerable – target for cyber criminals, explained Brendan S. Kelly, AI & Paediatric Radiology Fellow at Great Ormond Street Hospital and Adjunct Assistant Professor at the University College Dublin’s School of Computer Science. 

These systems, he pointed out, ‘are only as strong as the weakest link in the chain’ – a lesson that the Irish National Health Service (HSE) learned the hard way: In March 2021, cybercriminals managed to infect an administrative workstation of the organisation with ransomware via a phishing attack, Kelly recounts: ‘Someone clicked on an email by mistake – this is by far the most common route into a cybersecurity vulnerability.’ After spreading unnoticed across the HSE network for several weeks, the software package detonated, encrypting data across every connected system: ‘IT systems across our entire country shut down. It took a week for the decryption key to be uncovered, and months before things went back to normal.’ 

‘This was a huge disruption with significant patient safety concerns and national-scale impact’ Kelly concluded, arguing that this incident vividly illustrates that cybercrime is not only rising in frequency, but also in sophistication. ‘And it shows that critical healthcare infrastructures worldwide need to be proactive and collaborative in order to reduce these risks.’ 

From minor gaps into open floodgates

AI, while being undeniably useful, unfortunately also adds new points of vulnerability to these already complex systems, the expert cautioned: ‘Things as simple as PDFs can contain prompt injections, but DICOM headers are a particular vulnerability.’ 

Tugba Akinci D'Antonoli

Image source: ESR 

This last point was further explored by Tugba Akinci D'Antonoli, radiologist at the University Hospital Basel. In her presentation, she explained why AI-powered large language models (LLMs) are a particular security concern: Unlike traditional AI models, which usually feature structured inputs and clearer boundaries, LLMs are significantly harder to interpret. ‘Instructions and data blur together, as both are in natural language. As a result, LLMs make cyberattacks far easier, especially for non-experts,’ she warned. ‘What used to require advanced programming skills can now be attempted by anyone with an internet connection and a bit of curiosity.’ 

For example, researchers demonstrated how inserting hidden instructions – a technique known as “prompt injection” – into diagnostic imaging data can manipulate AI-based decision support tools into disregarding detected pathologies.¹ In addition, D’Antonoli pointed out several known techniques that exploit LLMs for inserting malicious content into medical datasets, such as: 

• Data poisoning: contaminating an AI’s training data with deliberately falsified information;² 
• Backdoor attacks: planting hidden triggers in the model — a word, phrase, or image pattern — that lie dormant for months or years until activated, causing the model to silently execute a hidden instruction;³ 
• Jailbreaking: users intentionally tricking an LLM into ignoring its built-in safety rules.⁴ 

All of these exploits can be executed in any of the major commercial AI models, session Chairman Anton Becker, MD, PhD, pointed out. 

An evolving threat landscape

Prof. Renato Cuocolo

Image source: ESR 

The threat these new techniques pose to healthcare institutions should not be underestimated, stressed Prof. Renato Cuocolo, radiologist at the University of Salerno. The damage from data poisoning, for example, takes considerable resources to undo: ‘Once the model has been poisoned, we cannot just go and excise the poisoned data after the fact,’ he explained. ‘We need to retrain the model from scratch, reimplement it from scratch, and validate again. Obviously, this has an order-of-magnitude higher cost compared to traditional software, which can just be straightforwardly patched.’ 

Furthermore, this vulnerability could be used to escalate the threat level of the already-feared ransomware attacks: Rather than encrypting it, an attacker could corrupt just a small percentage of a hospital’s files – without a way of knowing which data is true and which is fake. 

Another new vulnerability opened up by LLM technology is the possibility of inversion attacks, Cuocolo continued: ‘If we use generative AI to produce synthetic data for research or training purposes, we have to be aware that certain kinds of prompts can be used to match the generated data a bit too closely.’ For example, an attacker may ask the AI model to “generate a brain MRI of a 40-year-old male with Glioblastoma from Hospital X” – if the model overfits, users could extract not only personal information, but also recognisable imaging information of a real patient that has been used in the training data. ‘The model itself becomes an access point,’ the expert pointed out. ‘And it is more easily accessible than the original data.’ 

Countermeasures: from privilege management to watermarking

With so much at stake, how can healthcare institutions protect themselves and their data from cyberattacks? 

Regarding agentic AI systems, Kelly advocates for the principle of least privilege – a tried-and-true strategy in cybersecurity: Essentially, an agent's permissions should automatically shrink to match the trustworthiness of whatever it has processed – for example, after reading a potentially manipulated email or corrupted PDF. ‘Once an agent consumes any untrusted content, there are downstream effects that need to be steered,’ the expert stressed. ‘If an agent ingests anything, its permission should drop to the level of the author of that information.’ In the HSE scenario from 2021, such an approach might have gone a long way to limit the damage, he added. 

Akinci D'Antonoli further suggested rigorous sandboxing – running a software or model in a secure, isolated environment to test it without risking adverse effects in the main system. ‘Not just to confirm it works, but also to see how it breaks, through stress tests and simulated misuse.’ She also cautioned her audience to carefully consider the pros and cons of deployment modes: While locally run open-source models benefit privacy control, proprietary models are easier to scale and operate, but at the cost of giving up some control over data to third parties. 

To enhance data privacy in AI training data, an additional layer of noise may be added to mask the original data, Cuocolo suggested. Further, digital watermarking makes it easier to verify data integrity and adds a layer of defence against data poisoning attempts. However, the expert added that such safety mechanisms require additional costs and increase latency. ‘If we are working in a time-sensitive setting – as can be the case in medical imaging – we obviously have to keep this in mind.’ 

Humans are the weakest link – and the last safeguard

In this technology-driven tug-of-war for cybersecurity, the human factor should not be forgotten – a point all speakers agreed on. On the one hand, human oversight is a major point of IT vulnerability – to recount: the 2021 HSE attack started with somebody clicking on a phishing email by mistake. On the other hand, humans are also the last safeguard if something goes wrong. Cuocolo therefore calls for the inclusion of radiologists in red teaming – simulation of cyberattacks by benevolent hackers who try to compromise systems to expose vulnerabilities: ‘Not only IT specialists, but also clinical specialists will be needed to break these systems in order to fix them in the future,’ he said. 

Finally, as more advanced AI technology enters clinical routine, the expert stressed that all staff members must be educated to its potential – and its vulnerabilities: ‘We need to align our teaching, our systems, and our knowledge to this new kind of threat.’ 

References:

1. Clusmann J, Ferber D, Wiest IC et al.: Prompt injection attacks on vision language models in oncology; Nature Communications 2025; https://doi.org/10.1038/s41467-024-55631-x 
2. Alber DA, Yang Z, Alyakin A et al.: Medical large language models are vulnerable to data-poisoning attacks; Nature Medicine 2025; https://doi.org/10.1038/s41591-024-03445-1 
3. Yan J, Yadav V, Li S et al.: Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection; arXiv 2024; https://doi.org/10.48550/arXiv.2307.16888 
4. Deng G, Liu Y, Li Y et al.: MasterKey: Automated Jailbreaking of Large Language Model Chatbots; NDSS Symposium 2024; https://dx.doi.org/10.14722/ndss.2024.24188 

02.04.2026

• AI (841)
• imaging (1654)
• IT (893)
• radiology (742)
• security (458)