When the digital teammate goes rogue: Why your 2026 AI strategy needs a ‘rewind’ button 

Artificial intelligence has shifted from a trending buzzword to a transformative tool, changing how all industries function, including healthcare. This growing trend of a ‘digital teammate’ helps employees work more efficiently and effectively, but there are increasing concerns around the use of AI in the healthcare setting and its implications on data and reduced visibility on the network. 

In healthcare, multiple 2025 studies show more than half of these organizations are levering AI to redefine daily and long-term operations, transcription tools, and other critical tasks. In fact, a Menlo Ventures report found healthcare is leading the charge on AI adoption, implementing AI at more than twice the rate of other industries. 

Sixty-eight percent of healthcare organizations are already using agent-based systems, automating core functions to improve patient care and reduce time in the EHR, according to a 2025 KPMG study. Meanwhile, Google’s 2025 annual ROI of AI in healthcare and life science report shows the majority of these organizations are finding positive ROI from the deployment of AI to support business operations, particularly with clinical documentation.  

In healthcare, the use of AI remains a hot button issue for a variety of reasons, including patient privacy, ethical concerns, and cybersecurity. Typical solutions for the use of AI in healthcare settings focus on governance policies to counteract the above risks. 

It’s clear, many hospitals and other provider organizations are adding AI and reaping the benefits of its use, but there remain key challenges to understanding and responding to the risks AI brings to organizations without oversight. As AI continues to proliferate into a wide range technologies, keeping patient data secure and private should be top of mind for all healthcare leadership. 

Curious where healthcare AI is heading next? Join the conversation with top innovators and health system leaders at ViVE. AI Zone @ViVE 2026.

A recurring cyber theme: Swift adoption, visibility reduction, and knowledge gaps

The issues plaguing healthcare cybersecurity have remained constant throughout the last decade: visibility challenges, bring-your-own-device, a lack of understanding about data and workflows, departments not communicating with the cyber team for tech adoption, and third-party risk, among others. 

AI risk falls into all of these categories with some added user challenges that inadvertently raise risk profiles. For example, in all industries, employees commonly leverage AI chat tools like ChatGPT to quickly find answers to questions, improve writing, and other daily tasks. 

Even in organizations where employees are banned from leveraging the tech on work devices, employees may simply use their own devices – often not understanding the full risk the actions take to intellectual property and other data tied to their organization.  

“Shadow AI” refers to the unsanctioned use of AI tools outside of the approved governance framework, often operating on personal accounts or unapproved cloud tools and bypass hospital security measures, including multi-factor authentication. These clinicians and other employees are entering information into these platforms to support their work – without understanding that once company data is entered into the AI platform, it’s no longer in the organizations’ or their control. 

In short, anyone circumventing governance and other organizational controls is exfiltrating sensitive information to contribute to the AI data bank. And once that data has left the building, it belongs to the AI model and can’t be retrieved.  

This seemingly innocuous act of using AI within the network and outside of company policy includes unverified apps, agents, and other tools not only increases cyber risk but it leads to exfiltrated data to third parties and the loss of information, while increasing the threat landscape. 

Unmonitored technology equals unmonitored threats

The use of technology that could be deemed risky by the cyber team is not a new phenomenon in healthcare. In the early days of limited awareness around cyber risks, IT and security leaders would share anecdotal stories about employees checking their email on MRI machines without the knowledge of the potential risks to the network. 

In a more widespread issue, multiple reports in 2022 found most healthcare websites were inadvertently sharing data with third parties through pixels installed to track user activity for an enhanced experience. As a result, some personally identifiable data and health information was used to create ads and other targeted web activity. 

An SC Media report in 2022 found the problem was not that these healthcare organizations suddenly forgot the need for Health Insurance Portability and Accountability Act (HIPAA) compliance. Rather, the marketing teams who installed the technology were unaware of the potential data and privacy risks posed by the tool. Their procurement policies did not include a requirement to run software implementations by cybersecurity first. 

AI adoption – and the latest concerns around shadow AI and ghost agents – can learn a great deal from these past mistakes. 

The most simple solution is often the hardest one: governance, or policies that will validate the processes required by an organization are being followed by the workforce. The legal and security teams likely have these in place already, but leadership must review these policies to ensure there are AI-specific rules to ensure compliance. And just like with cyber hygiene, employees must be routinely trained and educated around the risks AI poses – and the role they play in front-line defense. 

Unfortunately, the rate of AI adoption is far outpacing governance. In 2026, the industry can expect to see technical audits of AI-generated records by the Department of Health and Human Services. HHS has interpreted HIPAA to the application of AI and emerging tech to address the necessary security requirements for its use. 

The 2024  notice of proposed rulemaking requires an up-to-date inventory of all technology assets, identifying AI technologies that interact with ePHI and clarifies HIPAA governs ePHI used in AI training data and its developed algorithms. That means all AI must be included in its audits, including  how the AI tools interact with ePHI, the type of data, and how much is accessed. 

While a number of healthcare stakeholders have pushed back on the proposed changes, getting ahead of these challenges and understanding workflows will be critical to risk reduction – and not just potential compliance requirements. 

Some organizations have found success with an immutable safety net, which is most commonly understood as an effective cyber measure that allows teams to restore their data after a ransomware or malware attack. This same measure can be applied to AI usage as a defense against data tampering, allowing organizations to restore data to a point in time to reduce the impact of unsanctioned AI use and take the network back to a set point in time – without disrupting the network. 

Immutable backups ensure the security and integrity of the data used by AI models. The tool maintains a permanent record of data, while protecting from potential risks such as cyberattacks, hardware failure, or accidental deletion. 

As with all technology use in healthcare, the risks posed by AI should not bar their compliant, effective use for digital innovation. Instead, organizations should be proactive in their approach to the adoption and review strategies used by their peers to ensure safe deployment. 

Join CHIME and your cyber peers at the Cyber Virtual Summit on January 20, where we’ll tackle specific AI monitoring strategies and immutable backup protocols to keep AI on a short leash.