Healthcare organizations are wiring LLMs and machine learning into clinical work: ambient documentation that drafts notes from a visit, chatbots that answer patient questions, retrieval over the EHR, and predictive models for sepsis, readmission, and imaging triage. Each of these is a new attack surface, and most healthcare security teams were trained for networks and endpoints, not models and training data.
The skills gap is specific. Here is what healthcare cybersecurity professionals actually need to train on.
Keeping PHI Out of the Model Pipeline
The first problem is data exposure, and it does not look like a normal data breach. Protected health information ends up in places a network review never checks: inside LLM prompts, in the retrieval context a RAG pipeline pulls from the EHR, in application and model-provider logs, and in every call to an external inference API.
HIPAA’s Safe Harbor method requires removing 18 identifiers (names, geographic subdivisions, dates, medical record numbers, and more) before data counts as de-identified. Security teams need to know where PHI enters a pipeline and strip it before it does. Microsoft Presidio is a practical starting point for detecting and redacting identifiers:
from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine
analyzer = AnalyzerEngine()
anonymizer = AnonymizerEngine()
text = "Patient John Doe, MRN 00219384, seen on 2026-06-14 for chest pain."
results = analyzer.analyze(text=text, entities=["PERSON", "DATE_TIME"], language="en")
clean = anonymizer.anonymize(text=text, analyzer_results=results)
print(clean.text) # -> "Patient <PERSON>, MRN 00219384, seen on <DATE_TIME> for chest pain."
The lesson to teach alongside the tool: de-identification is imperfect. Named-entity recognition misses custom identifiers like that MRN unless you add a recognizer, and even Safe Harbor data carries re-identification risk. De-identify before data reaches the model, log what you send, and treat the model provider as a data flow, not a black box.
Red-Teaming Clinical LLM Features
A patient-facing chatbot or a clinician copilot is an application that takes untrusted input and acts on it. That makes it a target for prompt injection. Direct injection overrides the system prompt through user input. Indirect injection hides instructions in a document the model retrieves, which matters most in healthcare because RAG pipelines routinely ingest clinical notes, uploaded records, and patient messages that an attacker can influence (OWASP LLM01, MITRE ATLAS AML.T0051).
Security teams should train to test these features the way they test a web app: send adversarial input, try to override instructions, attempt to exfiltrate the system prompt or connected data, and write findings mapped to OWASP and ATLAS. We cover the mechanics in how to red team an LLM-powered application and RAG poisoning and jailbreaking.
Testing Diagnostic Models Under Attack
The models that carry the highest stakes are the ones influencing clinical decisions. These can be fooled. Finlayson et al. showed in Science (2019) that small, human-imperceptible perturbations flip the output of dermatology and radiology classifiers. This is a model-evasion attack (MITRE ATLAS AML.T0015), and it applies to any ML model tied to a clinical or billing outcome.
Vendor accuracy numbers are measured on clean data. Healthcare security teams need to evaluate robustness under adversarial pressure, not accept the marketing figure. The methodology is the same one we teach for any security-relevant model, covered in how to evaluate ML model robustness for security use cases.
The Constraints That Change the Threat Model
The attack techniques are not healthcare-specific. The constraints are. PHI exposure is a regulatory event under HIPAA. Model evasion against a diagnostic tool is a patient-safety event. And the FDA governs AI/ML-based Software as a Medical Device, including how a deployed model can be updated, so change management on a model is not a purely internal decision. Training that ignores these stakes teaches the mechanics but misses the point.
None of this requires a data science degree. Security practitioners already have the adversarial mindset; what they need is the AI-specific layer and time in a lab against real targets. GTK Cyber teaches that layer in hands-on courses like AI Red-Teaming and Applied Data Science and AI, and delivers custom, on-site training for security teams that need it mapped to their own environment.