Healthcare’s Governance Needs To Speed Up To Combat Unsanctioned AI Usage

By Errol Weiss, chief security officer, Health ISAC.

Hospitals have spent the last decade modernizing their digital infrastructure. But between technical and regulatory hurdles, and sometimes resistance from employees, formal adoption of new tools has proved difficult.

According to a 2015 survey of healthcare institutions, only 15 percent of employees said their organization was “very ready” to adopt new technology, citing compliance as the primary hurdle.

Those very compliance challenges are now being exacerbated by AI, simply because employees want to use this new technology to do their jobs better and faster. AI adoption is often informal, and it is outpacing the speed at which most governance structures can move.

Clinicians and administrative staff are adopting AI-powered tools to streamline documentation, communicate with patients, and automate repetitive workflows. In many cases, these tools are introduced into the tech stack, or into a vendor’s systems, not through formal IT procurement processes but through well-meaning individual initiatives.

Overall, we are seeing a widening gap between how health sector organizations intend AI to be used and how this powerful new technology is actually being used, both inside and outside their walls.

An Unofficial AI Ecosystem

The rush to adopt AI makes sense, especially in healthcare, where staffing shortages and time constraints have only intensified the pressure on clinicians; documentation alone can consume hours of a physician’s day. Against this backdrop, generative AI tools offer a practical shortcut: faster note-taking, detailed summaries of patient histories, and lower administrative friction.

But because software approval processes at health sector organizations can be slow, complex and risk-averse, it is not unusual to see some employees bypass them entirely. In practice, this creates a parallel ecosystem of “off-record” AI tools (or “shadow AI”) operating alongside sanctioned systems.

One survey found over 51% of healthcare organizations had relied on vendor disclosures to discover shadow AI usage – the unauthorized or unvetted use of AI tools. In other words, the organization learned of the usage from the vendor rather than from its own monitoring: employees had simply tried different AI tools without approval, compliance, or standardization in mind.

But before we start blaming employees for negligence, we must recognize that this behavior is driven by urgency. Healthcare requires speed and efficiency, while governance processes prioritize long review cycles, vendor vetting and compliance checks to manage risk. The mismatch is becoming more pronounced as AI tools become easier to access and embed into everyday workflows.

Shadow AI Brings Risks Galore

Such rapid, informal adoption of AI tools introduces a range of risks that healthcare organizations are only beginning to grapple with.

The primary concern is data privacy. When a clinician types patient information into an unapproved AI chatbot to summarize a consultation or draft a treatment plan, they risk exposing the patient’s protected health information (PHI) to external systems. Depending on the tool, this data could be stored, retained, or used for model training in ways that violate internal policies or regulations.

This can lead to severe compliance violations. Healthcare organizations operating under HIPAA must ensure strict controls over how patient data is handled and processed, including a business associate agreement with any vendor that processes PHI on their behalf; a consumer AI chatbot signed up for with a personal account typically offers no such agreement. Shadow AI usage can inadvertently create compliance gaps that are difficult to detect in real time.

There are patient safety considerations, too. AI-generated outputs, particularly clinical summaries or suggested text, can contain inaccuracies or omissions: generative models produce fluent, plausible text rather than verified facts, and the same prompt can yield different output on different runs. If these outputs are incorporated into medical records without proper verification, they may introduce errors into clinical decisions around diagnoses or prescriptions.

Governance Must Evolve to Keep Up

Traditional IT governance structures were not designed for the speed or accessibility of modern AI tools. That is especially true in healthcare, where regulatory requirements drive extensive validation, legal review, and security assessments for software and vendor approval processes. These critical steps can take months – time a clinician may not be able to spare when a ready-made AI tool promises to make their work easier today.

Traditional governance frameworks also struggle because AI tools resist categorization. Existing policies tend to distinguish between “approved” and “unapproved” software, but AI tools blur those lines. A single AI agent might function as a documentation assistant, a search tool, a patient history database, and a generative writing engine at the same time — a problem when the tool is approved for one use case and not another.

This creates blind spots in oversight. IT departments may approve the use of an AI platform at the enterprise level without full visibility into how embedded AI features are being activated at the user level.

Another challenge is the absence of consistent AI-specific governance standards tailored to healthcare workflows. Many existing frameworks focus on data security and vendor compliance, but do not fully account for risks unique to generative AI, such as hallucinated outputs, prompt sensitivity, or unintended disclosure of protected health information through user input.

This makes it difficult for security and governance teams to evaluate tools consistently, particularly as AI-enabled systems evolve rapidly.

Closing the Gap

Information security and resilience professionals must realize that the goal is not to block AI adoption, but to bring it under responsible governance frameworks that reflect how the technology is being used. That requires visibility. Organizations need better mechanisms to identify where AI tools are being used across clinical and administrative workflows.
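The visibility called for above, and the PHI exposure described under data privacy, are both things a security team can start checking for with very little tooling. The following is an added example written for this page; it is not code from the author or from Health-ISAC. It walks a set of constructed web-proxy log lines, flags traffic to generative-AI hosts that are not on the sanctioned list (and calls out large uploads to them separately), and then runs a minimal PHI pattern check that could sit in front of an approved tool to warn or redact before a prompt leaves the network. The hostnames, the log format, the sanctioned-tool list and the PHI patterns are all illustrative assumptions.

```python
"""Shadow-AI discovery over proxy logs, plus a PHI check before a prompt leaves.

Added example for this article; it is not code from the author or Health-ISAC.
The hostnames, the log format and the PHI patterns are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: catalogue of generative-AI SaaS hostnames (constructed). In practice
# this comes from a CASB or threat-intel feed and must be refreshed continually.
AI_HOSTS = {
    "chat.example-ai.com": "general-purpose chatbot",
    "api.example-ai.com": "LLM API",
    "scribe.example-health.ai": "ambient clinical documentation",
    "summarize.example-docs.io": "document summarizer",
}

# Assumption: the only AI vendor that went through procurement and has a BAA.
# Every other AI_HOSTS entry seen in the logs is treated as shadow AI.
SANCTIONED_AI_HOSTS = {"scribe.example-health.ai"}

# Constructed proxy log format: ts user method host path status bytes_out
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class ShadowAIEvent:
    ts: str
    user: str
    host: str
    category: str
    bytes_out: int
    reason: str


def parse_line(line: str):
    """Return the fields of one proxy record, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, path, status, bytes_out = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host,
            "path": path, "status": int(status), "bytes_out": int(bytes_out)}


def find_shadow_ai(lines, upload_threshold: int = 4096):
    """Flag traffic to unsanctioned AI hosts. Large POST/PUT bodies get their own
    reason because they are the most likely path for PHI to leave."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record; a real pipeline would count these
        category = AI_HOSTS.get(rec["host"])
        if category is None or rec["host"] in SANCTIONED_AI_HOSTS:
            continue
        reason = "unsanctioned AI host"
        if rec["method"] in ("POST", "PUT") and rec["bytes_out"] >= upload_threshold:
            reason = "bulk upload to unsanctioned AI host"
        events.append(ShadowAIEvent(rec["ts"], rec["user"], rec["host"],
                                    category, rec["bytes_out"], reason))
    return events


# Assumption: minimal PHI indicators. Real DLP needs far more (names, addresses,
# account numbers) plus context, but these catch the obvious copy-paste cases.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def phi_indicators(text: str):
    """Names of the PHI patterns present in a prompt, sorted for stable output."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def redact_phi(text: str) -> str:
    """Replace each PHI match with a placeholder so the prompt can still be sent."""
    for name, pat in PHI_PATTERNS.items():
        text = pat.sub(f"[{name.upper()}]", text)
    return text


# Constructed sample data: four proxy records and one malformed line.
SAMPLE_LOGS = [
    "2025-03-04T08:01:12Z drjones GET ehr.example-hospital.org /patient/1234 200 512",
    "2025-03-04T08:03:45Z drjones POST chat.example-ai.com /api/conversation 200 9830",
    "2025-03-04T08:05:02Z nurse_kim POST scribe.example-health.ai /v1/transcribe 200 52000",
    "2025-03-04T08:07:30Z admin_lee GET summarize.example-docs.io /app 200 0",
    "this line is not a proxy record",
]

# Constructed prompt of the kind a clinician might paste into a chatbot.
SAMPLE_PROMPT = ("Summarize: MRN 00123456, DOB 04/12/1961, SSN 123-45-6789, "
                 "62-year-old male presenting with chest pain.")

if __name__ == "__main__":
    for ev in find_shadow_ai(SAMPLE_LOGS):
        print(f"{ev.ts} {ev.user} -> {ev.host} ({ev.category}): "
              f"{ev.reason}, {ev.bytes_out} bytes out")
    print("PHI indicators:", phi_indicators(SAMPLE_PROMPT))
    print("Redacted:", redact_phi(SAMPLE_PROMPT))
```

On the sample data the sanctioned scribe traffic is ignored, the 9.8 KB POST to the chatbot is reported as a bulk upload, and the summarizer visit is reported as an unsanctioned host. The proxy view only ever shows that something went to an AI host, never what; that is why the prompt-side check matters, and why pattern matching on a handful of identifiers is a floor, not a DLP programme.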

Another focus is enabling safe and fast pathways to adoption. If hospital staff are turning to external tools because the internal systems are too slow or limited, organizations may need to reassess how approved AI solutions are evaluated and deployed. This may mean shortening approval cycles for lower-risk use cases and providing pre-vetted AI tools that meet security and compliance standards.

Education is also critical. Clinicians adopting AI tools may not fully understand the data handling implications of entering patient information into third-party AI tools. Clear guidance on what is and is not permissible can reduce unintentional risks.

A Shift is Underway

AI has outpaced nearly every other technology in how quickly it’s being adopted in the healthcare sector. So the challenge is not whether AI is used in clinical environments, but how quickly organizations can align governance, security, and operations to ensure the tools being used are the right ones.

The healthcare systems that succeed will not be the ones that embed AI in the most workflows. The winners in this race will be the organizations that make AI usage visible, secure, and sustainable.
