Glyphward

Compliance · HIPAA & Healthcare AI

HIPAA-compliant AI security — multimodal prompt injection in healthcare vision models

Healthcare AI is moving fast: patient-facing apps that let patients upload wound photos for triage, dermatology AI that accepts skin lesion images, radiology AI review tools, and EHR document intelligence pipelines that OCR scanned patient records all process patient-supplied images with vision LLMs. Under HIPAA, these are covered entities or business associates handling electronic protected health information (ePHI). When a prompt injection attack embedded in a patient-uploaded image manipulates the AI's clinical output — changing a triage recommendation, corrupting an extracted lab value, or altering a radiology AI suggestion — that corrupted output may enter the medical record. The integrity of ePHI is a core HIPAA Technical Safeguard requirement. Glyphward's multimodal security API scans image inputs before they reach the model, providing both the protection and the audit trail that HIPAA §164.312 requires.

TL;DR

Before passing any patient-uploaded image to a vision LLM in a HIPAA-regulated workflow, POST it to /v1/scan. Log the returned scan_id alongside the image record. Reject uploads where score ≥ 60 (healthcare threshold). This establishes the audit trail for HIPAA §164.312(b) and the integrity control for §164.312(c)(1). Free tier — 10 scans/day, no card required.

HIPAA Technical Safeguards and multimodal AI inputs

§164.312(b) — Audit Controls. The Audit Controls standard requires covered entities to implement hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI. When a vision AI system processes a patient-uploaded image and produces an output that becomes part of the patient record, the AI processing step is an ePHI-touching activity that falls within the Audit Controls standard. Logging the Glyphward scan_id for every image scan — alongside the patient identifier, timestamp, and model call ID — creates an immutable record of the image's PI risk score at the time of processing. If a downstream AI output is ever questioned (clinically or legally), the audit trail documents that the input was scanned and at what risk level.

§164.312(c)(1) — Integrity. The Integrity standard requires covered entities to implement policies and procedures to protect ePHI from improper alteration or destruction. A prompt injection attack that causes a vision AI to produce a falsified clinical output — one that differs from what the model would have produced without the adversarial payload — is an improper alteration of an ePHI record caused by a failure of the input integrity control. Input scanning is the technical mechanism that closes this specific vulnerability. It is the multimodal analogue of input sanitisation for SQL injection in traditional database systems — a well-established "addressable" safeguard under the Security Rule.

§164.312(a)(1) — Access Control. When patients submit images via a patient portal or telehealth application, those images are submitted under authenticated sessions tied to a patient identifier. A prompt injection payload in the image does not require the attacker to compromise authentication — it exploits the AI's response to the image content after authentication has succeeded. Access controls alone do not prevent this attack vector.

§164.308(a)(8) — Evaluation. The Evaluation standard requires covered entities to perform periodic technical and non-technical evaluations of their security controls in response to environmental or operational changes. Deploying a new AI feature that processes patient-supplied images is an operational change that should trigger a security evaluation. Evaluating multimodal prompt injection as an input vector for that feature — and documenting the controls implemented — satisfies the evaluation requirement for the new AI pipeline.

Healthcare AI attack surfaces

Patient-uploaded wound and symptom photos (telehealth triage). Direct-to-consumer telehealth apps that let patients photograph wounds, rashes, or symptoms for AI-assisted triage accept fully external, patient-controlled image inputs. A patient motivated to manipulate a triage result (to obtain a particular medication, avoid an in-person visit, or test the system) can embed adversarial instructions in the submitted photo. The AI triage recommendation that follows may be recorded and acted upon by a clinician.

Dermatology AI with patient-submitted skin lesion images. Consumer dermatology AI (teledermatology apps, pharmacy chain apps, insurance wellness programs) processes patient-submitted images of skin lesions for preliminary classification. These apps are widely used, handle ePHI by definition, and many operate under HIPAA as covered entities or BAs. The patient submitting the image controls the image content entirely.

EHR document intelligence (scanned records OCR + AI extraction). Healthcare AI pipelines that ingest scanned patient records — referral letters, lab results on letterhead, handwritten notes — and use vision AI to extract structured data (diagnoses, medications, lab values) for entry into the EHR have a document-origin attack surface. A referring provider whose systems are compromised could send a scanned referral letter containing an adversarial payload that causes the destination EHR's AI extractor to insert incorrect values. See PDF prompt-injection detection for the PDF variant of this pattern.

Radiology AI second-read tools with DICOM preview images. Radiology AI platforms that provide AI second reads convert DICOM images to JPEG/PNG for model input. While DICOM files typically originate from certified imaging equipment, AI tools that accept JPEG previews or screenshots of DICOM images from external sources (e.g., patient-submitted images of imaging CDs) have a user-controlled image input that carries PI risk.

Python integration — HIPAA-grade audit logging

import httpx
import base64
import logging
from datetime import datetime, timezone
from dataclasses import dataclass, asdict

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
HIPAA_SCORE_THRESHOLD = 60  # conservative for clinical AI

@dataclass
class ImageScanAuditRecord:
    patient_id: str
    scan_id: str
    score: int
    threshold: int
    blocked: bool
    image_sha256: str
    scanned_at: str
    source: str

async def scan_patient_image(
    image_bytes: bytes,
    patient_id: str,
    source: str = "patient_upload"
) -> ImageScanAuditRecord:
    import hashlib
    b64 = base64.b64encode(image_bytes).decode()
    image_hash = hashlib.sha256(image_bytes).hexdigest()

    async with httpx.AsyncClient() as client:
        resp = await client.post(
            "https://glyphward.com/v1/scan",
            headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
            json={
                "image": b64,
                "source": source,
                "metadata": {"patient_id_hash": hashlib.sha256(
                    patient_id.encode()
                ).hexdigest()},  # hash PII in scan metadata
            },
            timeout=10.0,
        )
        resp.raise_for_status()
    result = resp.json()

    record = ImageScanAuditRecord(
        patient_id=patient_id,
        scan_id=result["scan_id"],
        score=result["score"],
        threshold=HIPAA_SCORE_THRESHOLD,
        blocked=result["score"] >= HIPAA_SCORE_THRESHOLD,
        image_sha256=image_hash,
        scanned_at=datetime.now(timezone.utc).isoformat(),
        source=source,
    )
    # Write to your HIPAA audit log (append-only, access-controlled)
    logging.getLogger("hipaa.audit").info(asdict(record))
    return record

async def process_patient_image(image_bytes: bytes, patient_id: str):
    scan = await scan_patient_image(image_bytes, patient_id)
    if scan.blocked:
        raise ValueError(
            f"Patient image rejected by PI scanner "
            f"(scan_id={scan.scan_id}, score={scan.score}). "
            "Please resubmit a clear photo of the affected area."
        )
    return await call_clinical_vision_model(image_bytes, patient_id)

The audit record stores the scan_id and SHA-256 of the image bytes (not the bytes themselves — no ePHI in the scan log). The patient identifier is hashed before being sent to Glyphward, keeping ePHI on your infrastructure. The scan log is append-only and access-controlled to meet HIPAA's audit log integrity requirements.

Get early access

BAA and data handling

Glyphward's Pro and Team plans include a Business Associate Agreement (BAA) for covered entities and business associates operating under HIPAA. The Glyphward scan API receives a base64-encoded image and returns a numeric score and a scan_id. Image data is processed in-memory and not stored on Glyphward infrastructure post-scan — the scan_id is a pointer to a hashed scan record, not to the image bytes. The API response does not include any patient identifier or ePHI.

To request a BAA, contact hello@glyphward.com with your organisation name and HIPAA covered entity type before activating a Pro or Team subscription.

Related questions

Does scanning image inputs satisfy HIPAA's "addressable" vs "required" distinction?

Under 45 C.F.R. §164.306(d), HIPAA safeguards are either "required" (must implement as specified) or "addressable" (must implement if reasonable and appropriate, or document why an equivalent alternative is used). The Audit Controls standard (§164.312(b)) is required. The Integrity standard (§164.312(c)(1)) is required. Input validation as a mechanism for meeting the Integrity standard — preventing adversarial inputs from corrupting ePHI — is the specific technical control being addressed. Documenting the scan_id audit trail in your HIPAA Security Policy satisfies the implementation requirement for both standards as they apply to AI vision inputs.

Can I share the scan_id with my HIPAA compliance officer during an audit?

Yes. The scan_id uniquely identifies a scan event in Glyphward's system and can be used to retrieve the score, timestamp, and (hashed) source metadata associated with that scan. It does not reference any ePHI and can be shared with compliance officers, auditors, and regulators without risk of ePHI disclosure. Include the scan_id in your Security Incident Response documentation for any scan that was flagged and blocked.

Does Glyphward integrate with existing HIPAA-compliant cloud infrastructure (AWS HealthLake, Azure Health Data Services)?

Glyphward's scan API is a standard HTTPS REST endpoint and integrates with any cloud infrastructure that can make outbound HTTPS calls. For AWS-hosted healthcare workloads, the API call can be made from Lambda, ECS, or EC2 with standard boto3 / httpx / requests libraries. For Azure-hosted workloads, Azure Functions or Azure Container Apps work equivalently. Neither AWS HealthLake nor Azure Health Data Services need to be involved in the scan — the scan is an input pre-processing step that runs before any data is stored in those services.

Further reading