survey 2025

Data Poisoning Vulnerabilities Across Healthcare AI Architectures: A Security Threat Analysis

Farhad Abtahi 1,2,3, Fernando Seoane 1,3,4, Iván Pau 5, Mario Vega-Barbas 5

1 citations · 16 references · Journal of Medical Internet Re...


Published on arXiv

2511.11020

Mapped threat categories:

  • Data Poisoning Attack (OWASP ML Top 10 — ML02)
  • AI Supply Chain Attacks (OWASP ML Top 10 — ML06)
  • Training Data Poisoning (OWASP LLM Top 10 — LLM03)

Key Finding

Attackers with access to only 100–500 training samples can compromise healthcare AI systems with over 60% success rate, with detection taking an estimated 6–12 months or never occurring.

Novel Technique Introduced

Medical Scribe Sybil

Healthcare AI systems face major vulnerabilities to data poisoning that current defenses and regulations cannot adequately address. We analyzed eight attack scenarios in four categories: architectural attacks on convolutional neural networks, large language models, and reinforcement learning agents; infrastructure attacks exploiting federated learning and medical documentation systems; critical resource allocation attacks affecting organ transplantation and crisis triage; and supply chain attacks targeting commercial foundation models. Our findings indicate that attackers with access to only 100-500 samples can compromise healthcare AI regardless of dataset size, often achieving over 60 percent success, with detection taking an estimated 6 to 12 months or sometimes not occurring at all. The distributed nature of healthcare infrastructure creates many entry points where insiders with routine access can launch attacks with limited technical skill. Privacy laws such as HIPAA and GDPR can unintentionally shield attackers by restricting the analyses needed for detection. Supply chain weaknesses allow a single compromised vendor to poison models across 50 to 200 institutions. The Medical Scribe Sybil scenario shows how coordinated fake patient visits can poison data through legitimate clinical workflows without requiring a system breach. Current regulations lack mandatory adversarial robustness testing, and federated learning can worsen risks by obscuring attribution. We recommend multilayer defenses including required adversarial testing, ensemble-based detection, privacy-preserving security mechanisms, and international coordination on AI security standards. We also question whether opaque black-box models are suitable for high-stakes clinical decisions, suggesting a shift toward interpretable systems with verifiable safety guarantees.

Key Contributions

  • Systematic taxonomy of eight healthcare AI data poisoning attack scenarios across four categories: architectural, infrastructure, resource allocation, and supply chain attacks
  • Empirical finding that 100–500 poisoned samples can compromise healthcare AI models regardless of dataset size, with detection latencies of 6–12 months
  • Policy analysis showing HIPAA/GDPR privacy constraints and lack of mandatory adversarial robustness testing create regulatory blind spots that inadvertently shield attackers

🛡️ Threat Analysis

Data Poisoning Attack

The paper's central focus is data poisoning attacks across healthcare AI architectures, analyzing eight attack scenarios where training data is corrupted — including federated learning Byzantine attacks, clinical workflow poisoning (Medical Scribe Sybil), and label-flipping — achieving >60% compromise rate with 100–500 samples.

AI Supply Chain Attacks

Supply chain attacks are explicitly one of the four attack categories analyzed, with the finding that a single compromised vendor can poison models across 50–200 healthcare institutions via commercial foundation model distribution.

Details

Domains: vision, nlp, reinforcement-learning, federated-learning
Model Types: cnn, llm, rl, federated
Threat Tags: training_time, grey_box, targeted, untargeted
Applications: clinical decision support, organ transplantation allocation, crisis triage, medical documentation, federated healthcare AI