
Cybersecurity leaders in healthcare face new risks as artificial intelligence systems grow more autonomous. Unlike traditional software, agentic AI can access data, make decisions, and execute actions without direct human input. This shift challenges existing security frameworks, which were designed for rule-based programs. Healthcare, with its access to sensitive patient data and tightly regulated workflows, is a key area where these risks are becoming evident.
Datavant, a healthcare data platform, recently joined the AIUC-1 Consortium. This group aims to create open standards for securing agentic AI. Dan Walsh, Datavant’s CISO, explains that current security measures are inadequate for systems that operate independently. “Traditional frameworks don’t account for the unpredictable nature of agents,” he says. The consortium brings together industry leaders to address these gaps.
Healthcare organizations must rethink how they manage permissions for AI agents. Unlike automated systems that perform tasks deterministically, agents can make non-repeating choices. This raises questions about oversight: How do you ensure agents follow rules? How do you track their decisions? And how do you verify their actions didn’t introduce vulnerabilities? These concerns grow more complex when multiple agents interact with diverse data sources.
HIPAA remains a cornerstone for healthcare data security. However, its rules, written before modern AI, don’t fully address today’s challenges. Organizations need additional governance to monitor agentic systems. “We’re not replacing HIPAA,” Walsh says. “But we need mechanisms to evaluate how AI operates, holds itself accountable, and improves over time.”
Walsh warns that governance often lags behind technology. He draws parallels to the early days of cloud computing, where misconfigurations led to major breaches. With agentic AI, similar risks could emerge faster. “Patching and configuration errors might be exploited more quickly,” he notes. This could trigger renewed debates about privacy laws in the U.S., especially as AI’s impact on data becomes clearer.
Healthcare leaders should prioritize basic security measures first. Multi-factor authentication, access controls, and inventory management are non-negotiable. Without a clear picture of what AI tools are in use, organizations can’t effectively monitor or secure them. “You can’t manage what you don’t understand,” Walsh says. Once inventory is established, companies can align security protocols with the specific capabilities and data access of each agent.
The future may see more government involvement in regulating agentic AI. Walsh points to Europe’s GDPR as a model for privacy protection. In the U.S., similar conversations could arise as breaches involving AI systems become more common. He emphasizes that trust in AI depends on demonstrating reliability over time, not just technological innovation.
Patients and providers are increasingly focused on outcomes, not hype. Walsh says customers want transparency in how AI improves data quality and patient care. “They’re not interested in AI as a gimmick,” he says. “They want to know how it delivers better results.” As the industry evolves, balancing innovation with accountability will be critical to maintaining that trust.