Prompt-injection scanner for healthcare AI
Healthcare AI applications routinely accept image and audio inputs that text-only prompt-injection scanners never inspect: patient photo uploads for dermatology and wound assessment triage, scanned clinical documents fed into EHR chatbots, radiology report PDFs ingested into medical knowledge bases, and patient voice recordings processed by telehealth voice agents. An attacker who embeds a FigStep-class adversarial instruction in a medical image — a photo, a scanned form, a DICOM-exported JPEG — delivers a payload that passes every text-level defence and reaches the vision model unfiltered. For AI systems that are classified as high-risk under EU AI Act Annex III, and for AI processing by HIPAA covered entities, the 2 August 2026 Article 15 enforcement date makes adding the scan gate urgent. Scan the image and audio bytes at the inference boundary, not the text extracted from them.
TL;DR
Before passing any patient-uploaded image, scanned medical document, or voice input to your vision or audio model, POST the raw bytes to Glyphward's /v1/scan. A score above threshold means the input contains an adversarial payload; reject it before it reaches the model. One POST, under 200 ms, returns a 0–100 score, the flagged pixel or waveform region, and a scan_id for your per-request audit log. Start on the free tier — 10 scans/day, no card.
Healthcare AI use cases with multimodal PI exposure
Dermatology and wound assessment triage apps. Patients photograph a skin lesion or wound and upload it to a chatbot that describes the image, suggests urgency tier, and recommends follow-up. The uploaded photo is passed directly to a vision model. An attacker can embed a FigStep instruction in the photo — visible only to the vision encoder, not to OCR — that instructs the model to output a false low-urgency triage recommendation or to exfiltrate the session context.
EHR document chatbots. Clinical documentation AI accepts uploaded PDF files (discharge summaries, referral letters, lab reports) and answers questions about them. These PDFs commonly contain scanned page images — the primary attack surface described in PDF prompt-injection detection. A document with a FigStep payload on a scanned page passes text extraction clean and poisons the chatbot's context for every subsequent question in the session.
Medical imaging report assistants. PACS viewers and radiology workflow tools increasingly add an LLM-based report assistant that accepts exported JPEG or PNG slices from DICOM studies alongside the radiologist's free-text query. The image slice is passed to a vision model. The DICOM export pipeline is typically automated and may not include any human review of the pixel content before it reaches the LLM. This is a high-value attack target: a compromised report assistant could systematically alter clinical interpretations.
Telehealth voice agents. Voice-based intake bots, symptom-checkers, and prescription-refill agents accept audio from callers. WhisperInject-class attacks embed adversarial instructions at frequencies or timing patterns that survive ASR transcription as benign text while remaining legible to a multimodal audio model. Even for pipelines that only pass the STT transcript to the LLM, audio with embedded anomalous waveform patterns warrants scanning.
Clinical form OCR + AI extraction. Paper forms (intake questionnaires, consent forms) are scanned and processed by an AI pipeline that extracts structured fields. If the pipeline passes page images to a vision model (a common pattern for forms with checkboxes, signatures, and handwritten sections), the page image is a multimodal PI attack surface.
Regulatory context: EU AI Act Article 15 and HIPAA
EU AI Act Article 15(5) — applies from 2 August 2026. AI systems used in medical diagnosis, patient triage, and clinical decision support that meet the Annex III high-risk classification criteria are subject to Article 15 cybersecurity requirements. Article 15(5) names "adversarial examples or model evasion" among the AI-specific vulnerabilities that providers must prevent, detect, respond to, resolve, and control for. Multimodal prompt injection — FigStep in a patient photo, an adversarial waveform in a voice recording — is the adversarial-example class in its image and audio forms. A medical AI system that accepts image or audio inputs and does not have a per-request scan of those inputs cannot demonstrate the "detect" and "control for" obligations against the named vulnerability class for the non-text modalities it accepts. The per-request scan_id and score from Glyphward are the audit-evidence record an assessor will request when evaluating Article 15(5) compliance. See the full analysis in EU AI Act Article 15 — multimodal prompt injection compliance.
HIPAA Security Rule — Audit Controls (45 CFR § 164.312(b)). The HIPAA Security Rule requires covered entities and business associates to implement hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use electronic protected health information (ePHI). An AI system that accepts patient images or voice — which may contain or generate ePHI — and does not log the security-relevant events associated with those inputs creates an audit gap. The per-request scan_id log from Glyphward is not a HIPAA audit log by itself, but it satisfies the "record activity for all inputs to the AI system" requirement when incorporated into the system's audit-log pipeline.
FDA SaMD (Software as a Medical Device). The FDA's Digital Health Center of Excellence has issued guidance on AI/ML-based SaMD transparency and monitoring. For AI systems classified as SaMD, the ability to demonstrate that the system's inputs were validated before use — and to provide evidence of that validation — is part of the predetermined change control plan and real-world performance monitoring requirements. A per-request scan record for every image or audio input is the validation evidence for the multimodal input channels.
Python integration: medical document and image scanning
For a healthcare AI pipeline that accepts patient images and PDF documents, add the Glyphward scan gate before any call to a vision model:
```python
import base64
import json
import os
from datetime import datetime, timezone

import httpx

# Read the key from the environment in production; the literal is only a placeholder.
GLYPHWARD_API_KEY = os.environ.get("GLYPHWARD_API_KEY", "YOUR_GLYPHWARD_API_KEY")
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"
# For healthcare, use threshold 60 (conservative; lower than the general product default of 70)
SCAN_THRESHOLD = 60


def scan_medical_image(image_bytes: bytes, patient_session_id: str) -> dict:
    """Scan a patient-uploaded image. Returns the scan result dict."""
    encoded = base64.b64encode(image_bytes).decode()
    resp = httpx.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": encoded,
            "source": "patient_upload",
            "metadata": {"session_id": patient_session_id},
        },
        timeout=5.0,
    )
    resp.raise_for_status()
    return resp.json()  # {score, flagged_region, scan_id, modality}


def safe_vision_call(image_bytes: bytes, text_prompt: str,
                     patient_session_id: str) -> str:
    """Gate: scan the image, then dispatch to the vision model only if clean."""
    scan = scan_medical_image(image_bytes, patient_session_id)
    # Log every scan result, blocked or not, to your audit system
    log_scan_event(patient_session_id, scan)
    if scan["score"] >= SCAN_THRESHOLD:
        raise ValueError(
            f"Medical image blocked: PI score {scan['score']} >= {SCAN_THRESHOLD}. "
            f"scan_id={scan['scan_id']}"
        )
    # Only reached if the scan passed; call_vision_model is your application's
    # own vision-model wrapper
    return call_vision_model(image_bytes, text_prompt)


def log_scan_event(session_id: str, scan: dict) -> None:
    """Append the scan result to the HIPAA audit log."""
    record = {
        "event_type": "image_pi_scan",
        "session_id": session_id,
        "scan_id": scan["scan_id"],
        "score": scan["score"],
        "modality": scan.get("modality", "image"),
        "flagged": scan["score"] >= SCAN_THRESHOLD,
        "ts": datetime.now(timezone.utc).isoformat().replace("+00:00", "Z"),
    }
    # Write to your immutable audit log (SIEM, append-only S3, etc.)
    print(json.dumps(record))
```
Use a threshold of 60 for healthcare applications — lower than the general-product default of 70 — because the consequences of a false negative (a payload that reaches the model) in a clinical context are higher than in a general-purpose chatbot. The cost of a false positive (a benign image flagged) is a physician or patient being asked to resubmit or use a different image format.
PDF scanning for EHR document chatbots
For pipelines that ingest clinical PDF documents (discharge summaries, referral letters, lab reports), add a page-render scan before the document enters the knowledge base or is passed to the LLM:
```python
import fitz  # PyMuPDF

# Uses scan_medical_image and SCAN_THRESHOLD from the image-scanning block above.


def scan_clinical_pdf(pdf_bytes: bytes, doc_id: str, dpi: int = 150) -> list[dict]:
    """Render each page to PNG and scan it. Returns the list of flagged page results."""
    flagged = []
    doc = fitz.open(stream=pdf_bytes, filetype="pdf")
    try:
        for page_num in range(len(doc)):
            page = doc[page_num]
            # Scale from PDF points (72 per inch) to the requested render DPI
            mat = fitz.Matrix(dpi / 72, dpi / 72)
            pix = page.get_pixmap(matrix=mat)
            png_bytes = pix.tobytes("png")
            result = scan_medical_image(png_bytes, patient_session_id=doc_id)
            result["page"] = page_num
            if result["score"] >= SCAN_THRESHOLD:
                flagged.append(result)
    finally:
        doc.close()
    return flagged


def safe_ingest_clinical_doc(pdf_bytes: bytes, doc_id: str) -> bool:
    """Gate: block the whole document if any page is flagged."""
    flagged = scan_clinical_pdf(pdf_bytes, doc_id)
    if flagged:
        raise ValueError(
            f"Clinical document {doc_id} blocked: "
            f"{len(flagged)} flagged page(s). "
            f"First: page {flagged[0]['page']}, scan_id={flagged[0]['scan_id']}"
        )
    return True
```
This satisfies ISO 27001 A.8.28 (external data sources treated as untrusted until validated) at document ingestion time, with the per-page scan_id as the validation record.
Coverage matrix
| Tool | Detects image PI in medical photos | Detects PI in scanned PDFs | Detects WhisperInject audio | HIPAA-compatible per-request log |
|---|---|---|---|---|
| Lakera Guard | No (text only) | No (text only) | No | Text channel only |
| LLM Guard | No (text only) | No (text only) | No | Text channel only |
| Azure Prompt Shields | No (text only) | No (text only) | No | Text only, Azure-gated |
| Azure AI Vision (content mod) | Content categories only — not PI | No | No | No per-request PI evidence |
| Glyphward | Yes — pixel-level | Yes — page-render scan | Yes — waveform + transcript | Yes — scan_id per request |
Related questions
Does EU AI Act Annex III apply to my healthcare AI product?
Annex III lists eight high-risk AI categories. Category 5(a) covers AI systems used as safety components of medical devices or as medical devices themselves within the scope of Regulation (EU) 2017/745 (MDR). Category 5(c) covers AI for prognosis, diagnosis, or treatment recommendation of diseases. If your AI product assists in triage, diagnosis, treatment planning, or risk stratification — even as a decision-support tool rather than an autonomous decision-maker — assess whether it meets the Annex III thresholds. The Article 15 cybersecurity requirements apply to all Annex III systems from 2 August 2026.
Is patient-uploaded image data processed by Glyphward?
Glyphward's /v1/scan endpoint receives the image bytes in the POST request body. The scan is a stateless inference call — the bytes are processed in memory for the scan and the result is returned. Review Glyphward's data processing agreement (DPA) for healthcare-specific terms. For applications that handle ePHI, ensure that the DPA covers business associate obligations if applicable. The free-tier scan endpoint does not store submitted images beyond the request lifecycle.
What about DICOM format?
DICOM files are not directly scannable as images — they are a medical imaging container format. Convert the DICOM study to JPEG or PNG using a DICOM library (pydicom + PIL) before scanning. Export at a resolution that preserves the diagnostic image content (typically 300–400 DPI for radiological images). Scan the exported JPEG/PNG bytes. The scan result applies to the rendered image; the DICOM metadata (patient demographics, study parameters) is not part of the scan.
How do I handle scans that are flagged — quarantine or reject?
For patient-facing applications, return a generic error to the patient ("We were unable to process this image — please try uploading a different file or contact support") without revealing that a security scan blocked the request. Log the flagged scan_id, the session_id, and the timestamp to your security incident queue. A high score (e.g., >85) warrants immediate incident review; a borderline score (60–75) may be a false positive that a human reviewer can clear. Do not silently pass flagged images to the model after logging — the scan gate must be a hard block.
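As an added example (not Glyphward's code), the score bands above turned into a hard allow/block decision with an internal action tier, plus a hash-chained audit record so entries in the security-incident queue are tamper-evident. It uses the page's threshold of 60 and incident line of 85; treating every blocked score up to 85 as the human-review band is an assumption.

```python
import hashlib
import json
from datetime import datetime, timezone

SCAN_THRESHOLD = 60   # healthcare threshold from the integration above
INCIDENT_SCORE = 85   # above this: immediate incident review

PATIENT_MESSAGE = ("We were unable to process this image - please try uploading "
                   "a different file or contact support")


def decide(score: int) -> dict:
    """Map a scan score to a hard allow/block decision and an internal action tier.
    The patient-facing message never reveals that a security scan blocked the request."""
    if score < SCAN_THRESHOLD:
        return {"allow": True, "action": "none", "patient_message": None}
    if score > INCIDENT_SCORE:
        action = "incident_review"
    else:
        action = "human_review"  # assumed band 60..85: may be a false positive a reviewer can clear
    return {"allow": False, "action": action, "patient_message": PATIENT_MESSAGE}


def append_audit_record(chain: list, session_id: str, scan: dict, ts: str = "") -> dict:
    """Append a hash-chained record so later alteration or removal is detectable."""
    decision = decide(scan["score"])
    prev = chain[-1]["record_hash"] if chain else "0" * 64
    body = {
        "event_type": "image_pi_scan",
        "session_id": session_id,
        "scan_id": scan["scan_id"],
        "score": scan["score"],
        "allow": decision["allow"],
        "action": decision["action"],
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev,
    }
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    record = dict(body, record_hash=digest)
    chain.append(record)
    return record


def verify_chain(chain: list) -> bool:
    """Recompute every hash and link; False if any record was altered or removed."""
    prev = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body["prev_hash"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True
```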
Does this apply to radiology AI (inference on DICOM studies) as well as chatbot AI?
Radiology AI that processes DICOM images autonomously (e.g., detecting abnormalities in CT or MRI series) typically does not accept user-supplied images in the attack-relevant sense — the DICOM studies come from controlled hospital PACS systems, not from arbitrary user uploads. The multimodal PI attack surface is highest where untrusted external parties (patients, external partners, third-party data feeds) can influence the image content. If your radiology AI pipeline accepts images from external sources — submitted by partners, downloaded from patient portals, ingested from shared storage — scan those external-origin images before they reach the model.
Further reading
- EU AI Act Article 15 — multimodal prompt injection compliance — the regulatory framework in detail, including the 2 August 2026 deadline.
- EU AI Act Article 15 checklist — 8 controls before 2 August 2026 — action list for compliance leads.
- PDF prompt-injection detection — scan medical PDFs (discharge summaries, referral letters, lab reports) before RAG ingestion.
- FigStep detection — the typographic attack class hidden in medical photos.
- WhisperInject detection — the audio attack class for voice-based healthcare AI.
- ISO 27001:2022 AI security controls — A.8.28 validation evidence for healthcare information systems.
- SOC 2 AI security controls — CC6.6 evidence for healthcare SaaS audit programmes.
- Vision language model security — architecture overview of the VLM inference-boundary attack surface.