
Prompt injection in dermatology and clinical AI — patient-submitted skin condition photos, wearable device images, wound care telehealth, and AI triage severity manipulation

The intersection of healthcare and consumer AI has produced a class of clinical applications where patients submit photos directly to AI diagnostic and triage systems with minimal clinician mediation at the intake step: dermatology screening apps allow patients to photograph skin lesions and receive AI-generated risk assessments, telehealth wound care platforms process wound progression photos for remote nurse and physician review mediated by AI severity scoring, primary care AI triage systems analyse patient-submitted symptom photos to generate urgency classifications before clinician scheduling, and wearable device onboarding platforms use AI to process device placement photos for setup validation. Each of these workflows involves patient-submitted images entering an AI pipeline that produces clinical-significance outputs — risk scores, severity classifications, urgency tiers, or treatment recommendations.

The adversarial threat model in clinical AI differs from the financial-incentive model of insurance or HR injection: the primary concern is not fraud-motivated manipulation but patient harm. A patient who submits an adversarially manipulated dermatology image to a triage AI — whether intentionally or as the victim of a platform compromise — may receive an incorrect severity assessment that affects clinical follow-up timing, treatment urgency, or specialist referral.

The clinical AI platforms most exposed include Hims & Hers AI (consumer telehealth with dermatology AI features), Skin Analytics DERM (NHS-approved AI-assisted dermatology), Ada Health (AI symptom checker with photo submission features), Nuo Therapeutics and Tissue Analytics (wound care AI), Derm AI and First Derm (teledermatology platforms), and primary care AI triage tools embedded in NHS 111, Kaiser Permanente’s digital triage, and similar systems.

This page focuses on the patient-submitted photo triage dimension. For the broader clinical imaging and DICOM attack surface, see our healthcare imaging AI page; for the general healthcare AI attack surface, see prompt injection in healthcare AI. HIPAA compliance considerations specific to AI photo processing are covered at HIPAA-compliant AI security.

TL;DR

Dermatology screening apps, telehealth wound care platforms, and clinical AI triage systems process patient-submitted skin photos and medical images through VLM pipelines that have no adversarial content detection. Adversarial images can manipulate AI triage severity classifications and diagnosis outputs. Scan every patient-submitted clinical photo with POST https://glyphward.com/v1/scan before clinical AI ingestion. Use score >= 55 threshold (lower than default given patient safety stakes). Free tier — 10 scans/day, no card required.

Four multimodal injection surfaces in dermatology and clinical AI

1. Dermatology skin lesion photo triage AI — adversarial manipulation of malignancy risk scores. Consumer and clinical dermatology AI apps process patient-submitted photos of skin lesions, moles, rashes, and other dermatological presentations to generate risk assessments and triage recommendations. Platforms like Skin Analytics DERM, used within the NHS teledermatology pathway, apply AI classification to lesion photos to generate a two-tier triage: “needs urgent referral” vs “can wait for routine appointment”. This triage output directly affects clinical follow-up timing — patients classified as low-risk by the AI are routed to longer-wait pathways than patients classified as high-risk. Adversarial manipulation of this triage output has bidirectional clinical significance: adversarially crafted lesion images that cause the AI to downgrade a genuinely high-risk presentation may delay referral for a malignant lesion; adversarially crafted images that cause the AI to upgrade a low-risk presentation cause unnecessary urgent referrals that consume clinical capacity. Both outcomes represent patient safety risks. The patient submits their own skin photos — the adversarial injection point is the photo capture and upload step. While most patients would not deliberately manipulate a dermatology AI triage, the attack surface is not only patient-intentional: platform compromise, adversarial photo filter applications, and photo processing intermediaries that modify images before platform upload are all potential adversarial injection vectors outside patient intent. A Glyphward pre-scan on lesion photos before AI triage classification detects adversarial payloads regardless of injection source.

2. Telehealth wound care platform image injection in remote wound progression monitoring. Telehealth wound care platforms serve patients with chronic wounds — diabetic foot ulcers, post-surgical wounds, pressure injuries — who require regular monitoring between clinical visits. Patients photograph their wounds on a schedule (daily or weekly) and upload photos to platforms like Tissue Analytics, Nuo Therapeutics MIST, and similar wound care AI systems. These AI systems measure wound dimensions from photos (area, depth indicators from shadow analysis), classify tissue type composition (healthy granulation, slough, eschar, epithelialising), generate automated PUSH score calculations, and alert clinical care coordinators when wound progression indicators suggest deterioration. These outputs directly affect care escalation decisions: a wound progression alert triggers a clinical callback or in-person visit; a suppressed alert means a deteriorating wound goes unmonitored until the scheduled assessment. Adversarially crafted wound progression photos — genuine wound photos with injected payloads that suppress deterioration signals — can cause the AI to underreport wound area increase, misclassify necrotic tissue as granulation tissue, or suppress PUSH score escalation alerts. For vulnerable patient populations (elderly, immunocompromised, diabetic) where wound deterioration can progress rapidly to sepsis-level risk, delayed escalation based on suppressed AI wound alerts represents a direct patient safety concern. A Glyphward pre-scan on wound progression photo uploads detects adversarial content before AI wound assessment runs.

3. Wearable device photo submission injection in device onboarding and clinical monitoring setup. An increasingly common clinical AI workflow involves patients photographing wearable medical devices during setup and calibration: continuous glucose monitor (CGM) sensor placement photos submitted to AI placement validation systems, ECG patch electrode placement confirmation photos, oxygen saturation probe placement images, and wound VAC (vacuum-assisted closure) device setup photos. These device setup photos are processed by AI validation tools to confirm correct placement and return placement quality scores — a valid placement score is the gate that activates clinical data collection. Adversarially crafted device placement photos — genuine setup photos with injected instruction payloads — can cause the AI placement validation to confirm correct placement for an incorrectly positioned device, generating false positive placement validation that allows clinical data collection to proceed from a mis-positioned sensor. A CGM incorrectly positioned but validated as correct by adversarial photo injection will produce systematically biased glucose readings — a patient management risk for diabetes care. The device placement photo is entirely patient-controlled and is submitted to an AI validation system with no independent physical verification step. The attack is most significant for device types where placement accuracy directly affects measurement quality and where the AI validation score is the sole confirmation mechanism.

4. Primary care AI triage system photo submission injection in symptom severity classification. Primary care AI triage tools embedded in NHS 111 digital pathways, Kaiser Permanente’s digital triage, and consumer health platforms like Ada Health increasingly incorporate photo submission for symptom assessment: photos of visible symptoms (rashes, swellings, throat presentations, eye conditions, ear canal presentations) submitted to AI symptom classifiers that generate urgency tier outputs. These urgency tier outputs determine routing: “call emergency services immediately”, “attend urgent care within two hours”, “book GP appointment within 48 hours”, “manage at home with self-care guidance”. Adversarial manipulation of urgency tier outputs in either direction creates patient safety risk: downgraded urgency for a genuine emergency presentation delays emergency response; upgraded urgency for a non-emergency presentation generates unnecessary emergency service utilisation and causes secondary delay for genuine emergencies competing for the same capacity. The AI triage photo submission point is a patient-controlled input that enters the clinical urgency pipeline with no adversarial content screening. Platforms running AI triage at scale across millions of user sessions have a systemic safety exposure if adversarial injection techniques capable of manipulating urgency tier outputs become accessible to motivated actors. A Glyphward pre-scan at the photo submission step provides adversarial detection before the urgency classification AI processes the image.

Integration: clinical photo intake with Glyphward pre-scan

import base64
import hashlib
import requests
from datetime import datetime, timezone

GLYPHWARD_KEY = "<your-glyphward-api-key>"

# Clinical photo threshold is 55, stricter than the general default of 65.
# Patient safety stakes in clinical AI triage justify a lower threshold:
# the cost of a missed adversarial payload is a potential incorrect
# clinical decision, not just a data quality issue.
# False positives route to human clinical review — an acceptable cost.
GLYPHWARD_THRESHOLD_CLINICAL = 55

def scan_clinical_photo(
    image_bytes: bytes,
    photo_type: str,  # "dermatology_lesion" | "wound_progression" | "device_placement" | "symptom_triage"
    patient_id: str,  # pseudonymised / hashed patient identifier
    session_id: str,
) -> dict:
    """
    Pre-clinical-AI scan for patient-submitted health photos.
    Returns scan audit record for clinical safety and HIPAA audit trail.
    Raises ValueError on adversarial detection; RuntimeError on scan failure.

    patient_id must be a pseudonymised/hashed identifier, not PHI,
    to comply with data minimisation requirements when sending to
    third-party scan services. Do not send name, DOB, or NHS/SSN number.
    """
    encoded = base64.b64encode(image_bytes).decode()
    image_hash = hashlib.sha256(image_bytes).hexdigest()

    # Build the audit record before calling the scanner so that every
    # outcome, including a timeout or connection error, is audited.
    audit_record = {
        "patient_id_hash": patient_id,
        "session_id": session_id,
        "photo_type": photo_type,
        "image_sha256": image_hash,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "scan_status": None,
        "scan_id": None,
        "scan_score": None,
        # HIPAA and NHS DSPT audit trail field
        "clinical_ai_safety_gate": "glyphward_multimodal_pi_scan",
    }

    try:
        scan_resp = requests.post(
            "https://glyphward.com/v1/scan",
            headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
            json={"image": encoded},
            timeout=5,
        )
        if scan_resp.status_code != 200:
            raise requests.HTTPError(f"unexpected status {scan_resp.status_code}")
        scan = scan_resp.json()
        audit_record["scan_id"] = scan["scan_id"]
        audit_record["scan_score"] = scan["score"]
    except (requests.RequestException, ValueError, KeyError, TypeError) as exc:
        # Fail-closed: route to human clinical review when the scan gate is
        # unavailable or returns an unusable response (timeout, connection
        # error, non-200 status, malformed JSON). Never auto-process clinical
        # AI on an unscanned image.
        audit_record["scan_status"] = "error_routed_to_human_clinical_review"
        persist_clinical_audit_record(audit_record)
        raise RuntimeError(
            f"Glyphward scan unavailable: type={photo_type} session={session_id}"
            f" — photo routed to human clinical review"
        ) from exc

    if scan["score"] >= GLYPHWARD_THRESHOLD_CLINICAL:
        audit_record["scan_status"] = "adversarial_blocked_clinical_review"
        persist_clinical_audit_record(audit_record)
        # Route to human clinical review; log scan_id as safety event.
        raise ValueError(
            f"Adversarial clinical photo blocked: type={photo_type} "
            f"session={session_id} score={scan['score']} "
            f"scan_id={scan['scan_id']} — routed to human clinical review"
        )

    audit_record["scan_status"] = "clean_passed"
    persist_clinical_audit_record(audit_record)
    return audit_record

def persist_clinical_audit_record(record: dict):
    # Append to HIPAA-covered / NHS DSPT audit log alongside clinical session.
    # Retain per applicable clinical records retention requirement.
    # Do not store PHI in the audit record fields — only the pseudonymised hash.
    pass

Note the patient_id_hash field: send only a pseudonymised/hashed patient identifier to the Glyphward scan API, not raw PHI. The image bytes themselves do not contain PHI unless the patient has photographed identifying documents — scan the clinical image without metadata that would constitute PHI under HIPAA or UK GDPR. Persist every audit_record to the clinical session audit log, retaining the scan_id as evidence that each submitted photo was adversarial-content-checked before clinical AI processing. This satisfies the clinical AI safety audit requirement under the EU AI Act Annex III (medical device AI systems in high-risk categories) and provides a documented safety event log for HIPAA-covered entities. See HIPAA-compliant AI security for the full compliance context.
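
The audit record above stores image_sha256 and scan_status, which lets the inference step confirm that the image it is about to process is byte-identical to the one that was scanned, and lets the caller fail closed on either exception. This is an added example, not Glyphward's or this page's own code: route_clinical_photo, verify_before_inference, stub_scan and the route names are hypothetical, and the stub scanner and photo bytes are constructed so it runs offline.

```python
import hashlib

CLEAN = "clean_passed"  # scan_status value used by the page's audit record
TO_AI, TO_HUMAN = "clinical_ai", "human_clinical_review"  # hypothetical route names


def route_clinical_photo(image_bytes, scan_fn, **scan_kwargs):
    """Turn the scan gate's outcome into a routing decision (hypothetical helper).

    scan_fn follows the contract of scan_clinical_photo: audit record on a
    clean scan, ValueError on detection, RuntimeError on scan failure.
    Returns (route, reason, audit_record_or_None).
    """
    try:
        record = scan_fn(image_bytes, **scan_kwargs)
    except ValueError:
        return TO_HUMAN, "adversarial_blocked", None
    except RuntimeError:
        return TO_HUMAN, "scan_unavailable", None  # fail closed, never skip the gate
    if record.get("scan_status") != CLEAN:
        return TO_HUMAN, "unexpected_scan_status", None
    return TO_AI, "clean", record


def verify_before_inference(image_bytes, record, session_id):
    """At the model boundary: clean record, same session, byte-identical image."""
    if not record or record.get("scan_status") != CLEAN:
        return False
    if record.get("session_id") != session_id:
        return False
    # A resize, filter or re-encode between scan and inference changes the
    # digest, so the image the model sees must be the one that was scanned.
    return hashlib.sha256(image_bytes).hexdigest() == record.get("image_sha256")


def stub_scan(score=0, fail=False):
    """Constructed offline stand-in for scan_clinical_photo (no network call)."""
    def scan(image_bytes, photo_type, patient_id, session_id):
        if fail:
            raise RuntimeError("scan unavailable")
        if score >= 55:  # clinical threshold from the page
            raise ValueError("adversarial clinical photo blocked")
        return {
            "patient_id_hash": patient_id,
            "session_id": session_id,
            "photo_type": photo_type,
            "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
            "scan_status": CLEAN,
            "scan_score": score,
        }
    return scan


if __name__ == "__main__":
    photo = b"constructed wound photo bytes"  # constructed sample, not a real image
    args = dict(photo_type="wound_progression", patient_id="pseudonym-1", session_id="s-1")
    route, reason, record = route_clinical_photo(photo, stub_scan(score=12), **args)
    print(route, reason, verify_before_inference(photo, record, "s-1"))
    print("modified after scan:", verify_before_inference(photo + b"\x00", record, "s-1"))
    print(route_clinical_photo(photo, stub_scan(score=80), **args)[:2])
    print(route_clinical_photo(photo, stub_scan(fail=True), **args)[:2])
```

Any preprocessing the clinical AI needs (resizing, colour normalisation) has to happen before the scan under this scheme, so that the scanned bytes and the inferred bytes are the same object.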

Coverage matrix

| Mitigation layer | Dermatology AI triage injection | Wound care progression injection | Device placement AI injection | Clinical triage urgency injection |
| --- | --- | --- | --- | --- |
| Image quality validation (focus, lighting, resolution) | No — validates technical photo quality; does not detect adversarial content in well-focused, well-lit images that meet quality thresholds | No — wound photo quality checks validate usability; do not detect adversarial pixel-level payloads in quality-passing images | No — placement photo quality checks; adversarial payloads designed to pass quality thresholds are not detected | No — symptom photo quality review; adversarial payloads not detected by quality assessment |
| Clinical professional overread | Partial — dermatologist overread of AI-flagged cases catches some AI errors; human clinicians cannot perceive sub-threshold adversarial pixel payloads in images they review | Partial — clinical coordinator review of wound AI alerts; adversarial payload suppresses the alert before coordinator review is triggered | No — device placement validation is typically not independently overread by a clinician in consumer wearable workflows | Partial — clinical overread of escalated triage cases; adversarially downgraded urgency cases may not reach the overread threshold |
| HIPAA and EU AI Act compliance controls | No — regulatory controls address data handling and model performance reporting; do not detect adversarial content in individual photo submissions | No — compliance controls address data protection; do not provide adversarial content detection at photo intake | No — compliance requirements document AI system safety; do not address adversarial image injection at the intake step | No — regulatory obligations require accuracy and robustness; Glyphward provides the technical control that satisfies the adversarial robustness requirement |
| Glyphward pre-VLM multimodal scan | Yes — lesion photo pre-scan; adversarial malignancy risk score manipulation blocked before dermatology AI triage runs | Yes — wound progression photo pre-scan; adversarial deterioration signal suppression blocked before wound AI assessment | Yes — device placement photo pre-scan; adversarial placement validation injection blocked before setup validation AI runs | Yes — symptom photo pre-scan; adversarial urgency tier manipulation blocked before clinical triage AI classification |

Related questions

Is adversarial injection in clinical AI a realistic patient safety risk or just theoretical?

The adversarial injection attack class is empirically demonstrated against medical image AI systems in academic research. Published work has shown that adversarial perturbations applied to dermatology lesion images can cause state-of-the-art dermatology AI classifiers to output substantially different malignancy risk scores — in both directions, inflating or deflating assessed risk depending on the target perturbation. The “theoretical” framing understates the risk for two reasons. First, the attacks work against the same class of vision models deployed in clinical platforms — the demonstrated vulnerability in research conditions transfers to production systems using similar architectures. Second, the patient safety consequences are not hypothetical: a delayed malignant melanoma referral caused by an adversarially suppressed risk score has the same clinical impact as any other referral delay mechanism, regardless of what caused the suppression. The distinction between “theoretical” and “realistic” depends on whether a motivated actor with sufficient technical skill has reason to attempt the manipulation — a distinction that is less relevant for safety analysis than for fraud analysis. Clinical AI safety engineering should address demonstrated adversarial vulnerability as a safety hazard regardless of current threat actor motivation, consistent with the “adversarial examples considered as defects” framing in the NIST AI RMF and EU AI Act Article 15 robustness requirements. See NIST AI RMF GenAI profile for the standards framing.

How does a patient-submitted photo ever contain an adversarial payload without the patient knowing?

Patient-initiated adversarial injection is not the only attack vector. Four non-patient-intentional injection paths deserve clinical AI platform attention. First, photo filter and editing app intermediaries: patients frequently use their phone’s native photo editor, third-party skin-tone adjustment apps, or AI-enhanced camera apps before submitting clinical photos. A malicious or compromised photo editing app could apply adversarial pixel modifications to clinical photos before submission without the patient’s knowledge. Second, platform or API compromise: an adversary who compromises the clinical AI platform’s image processing pipeline (the layer between patient upload and AI inference) can inject adversarial modifications at scale across all submitted photos. Third, supply chain attacks on AI model training data: adversarially poisoned images injected into training datasets during model development affect model behaviour at inference for a class of inputs, not just the single injected training image. This is a different attack from inference-time photo injection but has similar clinical impact. Fourth, physical-world adversarial elements in the photo environment: a patient who has been sent an adversarially designed visual template (“use this guide for photographing your wound”) by a third party includes adversarial elements in the camera frame without knowing their purpose. Glyphward’s pre-scan detects adversarial content in submitted images regardless of how the payload was introduced.

Does HIPAA require adversarial content detection for clinical AI photo pipelines?

HIPAA does not explicitly mandate adversarial content detection — it predates the adversarial AI threat class. However, HIPAA’s Security Rule administrative safeguard requirement for covered entities to implement “reasonable and appropriate” security measures to protect PHI applies to the accuracy integrity of clinical AI systems that process PHI (patient photos are PHI when associated with identifiable patients). HIPAA’s Integrity standard (45 CFR §164.312(c)) requires covered entities to implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorised manner — adversarial pixel-level modification of a patient-submitted clinical photo is an unauthorised alteration of ePHI that affects the integrity of the clinical AI output derived from it. The most directly applicable regulatory framework is the EU AI Act: Article 15 requires high-risk AI systems (which include AI systems used in medical devices and healthcare under Annex III) to achieve “appropriate levels of accuracy, robustness and cybersecurity” and specifically cites “adversarial examples or model evasion” as the robustness requirement area. Clinical AI photo triage systems used in regulated healthcare pathways (NHS DTAC-assessed, CE-marked as SaMD) are within Article 15’s scope, and adversarial image scanning provides the technical control required to satisfy the adversarial robustness mandate. See EU AI Act Article 15 multimodal compliance for the full standards analysis.

Which dermatology AI platforms are most exposed to patient-submitted photo injection?

Exposure is highest where the AI triage output directly determines clinical routing without a mandatory clinician overread of each AI assessment before the routing decision is executed. The NHS teledermatology pathway using Skin Analytics DERM operates in a two-tier triage model where AI classification determines “urgent” vs “routine” routing — a clinician reviews cases flagged as urgent, but cases classified as routine proceed to the longer-wait pathway without per-case AI output review. Adversarial downgrade of a genuinely urgent case means the clinician review never triggers. Ada Health’s symptom checker photo submissions feed into urgency recommendations that users act on directly; there is no mandatory clinician override of every AI urgency output before the user follows the recommendation. First Derm and Derm AI teledermatology platforms route patient-submitted lesion photos to dermatologist review, but AI pre-scoring affects which cases receive priority review allocation — adversarially depressed AI scores delay priority routing even where clinician review ultimately occurs. Consumer dermatology features in telehealth platforms (Hims & Hers AI, Ro) are exposed at the consumer AI layer where the AI assessment may be the only clinical output the patient receives. Risk stratification for adversarial injection exposure should prioritise platforms where the AI output has the most direct clinical routing effect with the least mandatory human override at each AI decision step.
