2. The impact of artificial intelligence (AI) on the day-to-day responsibilities of information security professionals.
The potential impact of AI is top of mind for leaders in virtually every industry right now – and health delivery is no exception. Given AI’s ability to dramatically increase automation, coupled with the rapid evolution and proliferation of AI products, information security professionals in healthcare – just like back-office staff, clinicians, and others – are understandably concerned about how the technology will impact their jobs and day-today responsibilities. It is important to remember that automation is not the same as autonomy. Even as AI continues to evolve, human intermediaries still need to be heavily involved in the information security cycle of protecting, identifying, detecting, responding, and recovering. People still must inform and monitor the technology for automation to be successful.
Most of the hype right now is centered around generative AI, but that ultimately represents only one type of artificial intelligence – and generative AI products (and the health delivery use cases for those products) are still very much in their infancy. Although hospital and health system CISOs need to carefully monitor the rapid evolution of generative AI solutions (and the information security risks that stem from them, such as the potential for more convincing phishing attacks), it is also important not to lose sight of what is required to successfully enable automation from the more mature – and proven – AI products on the market. For example, over the last few years, machine learning (which is a more mature application of AI) has become a mainstay in the health delivery industry for endpoint protection, automatically detecting – and then quarantining – any files deemed to be “malicious.” However, machine learning technology still must be trained in a manner that accounts for the unique way the organization conducts business, and implemented with the right systems and controls in place to ensure it is operating safely. Without a robust program (e.g., policies, procedures, plans, playbooks / runbooks, etc.) to inform the endpoint protection technology, it is possible that common everyday elements will be incorrectly quarantined – or conversely, that threat vectors of specific concern to the organization will be left open.