Health system CIOs are eagerly watching the development of Anthropic’s Claude Mythos, a yet-to-be-publicly-released AI model that can detect and exploit cybersecurity vulnerabilities.
The AI startup decided not to launch the new version of Claude because of those cybersecurity concerns, instead giving private access to critical software infrastructure firms to try to fix the flaws as part of Project Glasswing.
“Healthcare systems need to be at the table, working with AI labs alongside hyperscalers and cybersecurity firms to prevent harm,” Sha Edathumparampil, chief digital and information officer of Coral Gables-based Baptist Health South Florida, told Becker’s. “Currently, Project Glasswing consists mostly of big tech and cybersecurity companies; healthcare appears absent from the partner list. As soon as they are able, AI labs and frontier model providers need to bring healthcare systems and healthcare software vendors into this work.”
Healthcare carries unique cybersecurity risk because of patient safety and regulatory considerations, as well as the industry’s heavy reliance on third-party software and legacy platforms, he said. Hospital networks are also constrained by clinical uptime requirements, which is why EHRs and other third-party clinical systems carry longer upgrade cycles.
Health systems also operate with thin — or negative — margins, making advanced cybersecurity tools a challenge to afford, Mr. Edathumparampil said. Even if they do have the budget, healthcare procurement cycles are longer because of business associate agreement requirements.
Chapel Hill, N.C.-based UNC Health is working to coordinate with key vendor partners that are preparing updates based on their work with the new AI models, CIO Brent Lamm said. The health system has also started communicating with clinical and operational teams on potential, quicker-than-normal maintenance windows.
“These models, and the potential vulnerabilities they may find, present another significant challenge for our industry,” Mr. Lamm said. “We are hopeful that software vendors can identify issues and provide updates quickly.”
After previously requiring nondisclosure agreements, Anthropic has started allowing Project Glasswing participants — which include Amazon, Google, Microsoft, Nvidia, CrowdStrike, and Palo Alto Networks — to share their cybersecurity findings with other organizations.
“We are focused on increasing patching velocity by setting clear expectations with operations for same-day patching windows, accelerating the use of AI to identify vulnerabilities, working closely with vendors on their vulnerabilities, and strengthening our resiliency plans,” said Luis Taveras, PhD, executive vice president and chief digital and information officer of Philadelphia-based Jefferson Health. “In parallel, healthcare can partner with AI companies in areas such as code review and AI-driven automation to streamline response times and expand the depth of capabilities where AI can assist within existing tool stacks.”
Advanced AI models such as Mythos do not introduce entirely new cyber risks; they simply shorten the time between vulnerability discovery and exploitation and lower the barrier to committing sophisticated attacks, said Scott Dresen, senior vice president and chief information security officer of Corewell Health, based in Grand Rapids and Southfield, Mich.
“Ultimately, we are operating under the assumption that these capabilities will become broadly accessible, and our strategy is built around being able to withstand and recover from increasingly automated and high-velocity attacks, not just prevent them,” Mr. Dresen said. “Healthcare organizations must continue to strengthen baseline cyber hygiene, improve supply chain security and invest in resilience as a core operating capability.”
Claude Mythos marks the beginning of an era in which hospital IT departments will need to continuously update systems, said Robert Eardley, CIO of Cleveland-based University Hospitals.
“This will challenge us to adopt fully automated testing routines in order to keep pace in what may become nightly code change cycles,” he said. “These same AI technologies will allow our software partners to quickly identify gaps and write code to mitigate. In turn, a health system should work to deploy these patches immediately.”
Healthcare is already seeing an unprecedented increase in zero-day vulnerabilities — in which hackers find security flaws before a fix is in place — and AI will only speed up the time it takes bad actors to find them, said Glynn Stanton, senior vice president and CIO and chief information security officer of Yale New Haven (Conn.) Health. However, software developers can use the same AI tools to make their products more secure.
“Mythos will provoke the next arms race in cybersecurity,” Mr. Stanton said. “Cybersecurity has always been a race; Mythos will require us all to run faster.”
Because of that, close relationships with Project Glasswing partners will be important for health systems, he said. So will network segmentation and exercising business continuity and disaster recovery plans, as healthcare relies on legacy platforms for which no patches will be made available.
Madison, Wis.-based UW Health has been focused on increasing AI literacy, strengthening cybersecurity and governance fundamentals, and leaning into trusted partnerships with AI companies and industry groups, Chief Information and Digital Officer Michael Waisbrot said.
“Healthcare can’t chase every AI headline, but we do need to be educated, prepared and honest about how quickly these capabilities are changing the cybersecurity landscape,” he said. “The goal is not to overreact, but to be intentional enough that we can move forward with AI without creating unnecessary risk for patients, data or operations.”
Mr. Waisbrot added that health systems will rely on AI companies for early conversations, responsible testing and transparency while focusing internally on the basics, which still matter even as AI increases the speed and scale of threats: disciplined governance, identity, third-party risk, vendor oversight, and vulnerability management.
Cincinnati-based Christ Hospital Health Network is strengthening its governance, risk and compliance platform to better identify mission-critical systems, spot vulnerabilities, and find opportunities to reduce its application footprint and threat exposure, Chief Information and Digital Transformation Officer Joy Oh said.
The health system is also prioritizing vulnerability management, including scanning, logging and patching, and assessing which people, processes and technologies are needed to execute those functions.
“Finally, we continue to partner with regional and national government partners and peer health systems to share best practices and learn from one another,” Ms. Oh said. “I believe taking this multipronged approach enables us to not only mitigate the associated risks, but also to leverage these exciting emerging AI capabilities.”