Healthcare embraces AI while facing an identity security gap: report
Most healthcare organizations anticipate AI-driven attacks on their identity infrastructure, but less than a third are very confident they could regain control if an AI agent exposed admin credentials.
Healthcare organizations are embracing AI with confidence, but identity security gaps are widening in the process, according to new research from Semperis. The company used Censuswide to survey 1,100 IT and security professionals across several industries to learn how they are using AI and how their AI integrations are affecting identity security.
In healthcare, 75% of respondents said they anticipate AI-driven attacks on their identity infrastructure. However, just 27% said they were confident they could fully recover if an AI agent exposed admin credentials.
The disparity between these two realities suggests that healthcare organizations recognize the risks to identity infrastructure posed by AI but are not yet prepared to address the consequences. Healthcare was not an outlier in this research; leaders in sectors like banking, education, government and IT and telecoms reported similar disconnects.
Each AI agent that an organization uses has its own non-human identity. NHIs are multiplying swiftly as organizations implement tools to carry out software workloads, authenticate data exchanges and complete other behind-the-scenes tasks.
"Each new agent, service principal, and low-code 'helper' becomes another potential entry point to identity systems," the report noted.
"AI support agents are often overpermissioned in ways that may have unintended consequences -- such as 'helpfully' reconfiguring security settings or granting access that can lock entire teams out of their identity systems or punch holes in corporate VPNs."
These identities could have access to password managers, browser sessions and other sensitive data, giving any threat actor who compromises them unfettered access to sensitive information.
Still, organizations are embracing AI agents to handle security tasks. About 29% of healthcare respondents said they are using AI agents to handle security-related help desk tickets, and 60% plan to implement agents for this use case in the next year.
Healthcare respondents also said that one-third of their workforce on average has AI installed on local machines, which can access Secure Shell and encryption keys.
About 66% of healthcare respondents said that AI identities were registered, authenticated and authorized within the organization. Nearly half said that their organizations register, authenticate and authorize AI identities separately from human identities.
Healthcare respondents expressed low confidence in their ability to fully regain control of their identity infrastructure if an AI agent exposed admin credentials to an attacker, even as they continue to embrace such tools. With this in mind, AI identity governance emerged as a top priority for 90% of healthcare organizations.
As AI identities continue to multiply, organizations will have to contend with the risks they pose. Best practices include enforcing least-privilege access for agents; segregating agent and human trust boundaries; and designing identity infrastructure, backup and recovery, and governance controls with the assumption that these agents will eventually be compromised, the report suggested.
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.