AI is improving cybersecurity in healthcare, but attackers are using it, too


More health systems are using AI tools to improve defenses, but ransomware groups are using AI for phishing, writing malware, and deepfakes.

Artificial intelligence is playing a bigger role in cybersecurity, and hospitals and healthcare organizations are using AI tools to improve their defenses.

Limor Kessem, IBM Consulting’s global lead for cyber crisis management, says the growing use of AI in their cybersecurity strategy is helping healthcare organizations reduce the expense and disruption of breaches. The average cost of a healthcare data breach over the past year was $7.4 million, still the highest of any industry, but down from $9.7 million, according to IBM’s new annual report on the cost of breaches.

Kessem says the use of AI is “paying dividends.”

“That's just containing and detecting and doing stuff a lot faster than the organizations would, and the more you cut the time to do things, the more money you save,” she tells Chief Healthcare Executive®.

But ransomware groups are also employing AI technologies in their efforts to infiltrate organizations, and they are having success as well.

“AI is doing good things for everyone,” she says. “It's doing good things for the security teams. It's for organizations, for people's productivity, and for everyone. It also includes the attackers who are able to build better phishing very quickly.”

In the past, it was easier to detect suspicious emails, since some had five typos in the first two sentences. Such messages often contained awkward phrasing that made it clear the author’s first language wasn’t English. But with AI tools, ransomware groups are sending polished, authentic-looking messages.

Kessem also notes that phishing was the top attack vector used to get into healthcare systems.

“It's a big deal, and it's just getting a lot harder to recognize a phishing attempt from attackers,” she says.

Writing malware

Beyond that, cyberattackers are using AI tools to write malware, making it easier and quicker for ransomware groups to try to hack into organizations.

“Attackers are doing better with AI,” Kessem says. “They're doing things faster, and it’s something we have to contend with.”

“They could write malware without knowing how to write malware,” she says. “Just get the code, make sure it works, and proceed. So they're doing things a lot faster. And especially, I think it is for people in the cyber crime arena who already know how to write code like that, it just speeds them up so much, just like it does everybody else that writes code.”

Kessem says the growing use of AI by both healthcare organizations and criminal groups is only going to continue.

“It's kind of like an AI against AI sort of situation right now, but I think it's inevitable,” Kessem says. “It's just like when we kind of went mainstream on the internet, and now, AI is at everybody's fingertips, and everybody's using it for everything.”

Kessem says she's worried about the prospect of attackers developing AI agents that will be inserted into organizations.

"I am afraid to see them bringing a rogue agent into an organization and letting it loose, and connecting it to things, and letting it loose on the organization," she says. "That's what I'm scared of, and this is what I think organizations should be looking out for in the next couple of years."

Deepfakes

More attackers are also developing more credible “deepfake” ploys, using AI to mimic the voices and faces of organization leaders.

“They'll do a really good deepfake, which is very scary, because that's totally eroding trust everywhere, and the concept of trust,” Kessem says.

While some deepfakes in the past were less convincing, Kessem says the technology is improving.

“It's becoming better and better,” she says. “A few years back, five years back, it was a little clunky. It started getting extremely good, extremely accurate, and it looks and feels right. And beyond just the voice cloning, there's also the images, the real time images, where it could look like the person.”

“So these are definitely things that are really shaking the foundations of trust of what we see in general, and of course, in terms of security,” she adds.

Healthcare leaders have been worried about the prospect of deepfakes. Lee Kim, senior principal for cybersecurity and privacy at HIMSS, said in a September 2023 interview with Chief Healthcare Executive® that she expects health systems will see more deepfakes.

“Deepfakes, I predict, will make a significant entry point into healthcare as well as other industries,” Kim said in that interview.

Need for planning

While AI tools can help companies detect attackers attempting to hack into systems, Kessem says AI can only do so much to help a system recover from an attack. Healthcare organizations took 279 days, on average, to identify and contain breaches, more than five weeks longer than the worldwide average of all industries, according to the IBM report.

Once an attacker has hacked a system, if organizations have to take key systems such as electronic medical records offline, then staff are going to be facing a lot of manual work.

“Recovery from the disruption is still taking very long, and the times are not going down,” Kessem says. “You think, Well, can we use AI to do that? Can we, like, speed that up with AI? I mean, we're speeding all the other parts of the life cycle with AI.”

But she says, “Actually, it's not as easy, because the recovery, a lot of times, tends to be very physical.”

Kessem says healthcare organizations need to brace for more disruptive attacks powered by AI.

“I think AI is going to make cyber attacks larger,” she says.

Organizations must govern their own use of AI tools carefully, and Kessem says health systems need to bring AI staff into discussions about bolstering cybersecurity. Hospitals and health systems need detailed plans for maintaining operations if and when a breach occurs.

Health systems need “a playbook for disruption and should be planning ahead for everything,” Kessem says.
