
When AI Stops Being Helpful – Ep 545 

January 30, 2026

By Donna Grindle

AI: the gift that keeps on glitching. While most folks are still marveling at how AI can write emails and fold laundry (okay, not quite yet), this episode pulls back the curtain on what happens when artificial intelligence stops being polite and starts getting dangerous. We’re talking zombie agents, security holes big enough to drive a HIPAA violation through, and automated tools that might just be a little too eager to help. It’s informative, a little terrifying, and good for more than a few chuckles along the way.


Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.



When AI Stops Being Helpful

[00:41]

AI Is Moving Into Healthcare Faster Than Most Organizations Realize

AI is no longer experimental or isolated. It is being embedded into vendor platforms, EHRs, analytics tools, and operational systems. Many organizations are enabling AI features by default or through vendor updates without fully understanding the impact.

CISOs are reporting vendor AI and EHR systems as primary drivers of healthcare data risk. AI is being treated like a feature upgrade instead of a new technology category.

CISOs in 9 Countries: Vendor AI and EHR Now Drive Most Healthcare Data Breaches

From the article:

Across the nine markets, respondents report that:

  • 80% say their greatest emerging cyber risk in 2026 comes from EHR, AI, and cloud health IT vendors, not from on-premise systems.
  • 69% have experienced at least one security incident or serious near miss in the last 24 months that was directly traceable to a vendor platform, integration, or managed service.
  • 91% believe their current third-party risk management practices are “not adequate” or “barely adequate” for the complexity of modern digital health and AI environments.

Douglas Brown, President of Black Book Research: “In every region we studied this year, the pattern is the same: vendor failures are turning into operational crises at the bedside,” Brown added. “You can have a strong internal security program and still see clinics shut down or oncology pathways disrupted because a partner’s platform was compromised or offline.”

“CISOs are clear: this isn’t just an IT problem or a single vendor negotiation issue,” said Brown. “They are asking boards, regulators, and industry groups to recognize that EHR and AI vendor vulnerability is now a top-tier systemic risk to patient safety, continuity of care, and public confidence in health data.”

Keeping up with AI is not optional anymore, even if you are not actively “building” AI.

[10:42]

When Helpful AI Introduces Real Risk

AI tools are often deployed to solve legitimate problems: efficiency, staffing shortages, workflow issues. But rushed or poorly governed deployments create new exposure.

A recent vulnerability found in the ServiceNow AI platform is an example of how enterprise AI can be exploited when assumptions are wrong.

Agentic AI Security Vulnerability in ServiceNow Exposed | AppOmni

‘Most Severe AI Vulnerability to Date’ Hits ServiceNow

ServiceNow’s AI vulnerability shows how automation and AI agents can create serious security gaps. Vendor platforms are becoming attack surfaces, not just support tools.

AI is helpful right up until it becomes the thing you didn’t plan for.

[18:50]

The Next Wave Makes This Even More Urgent

AI adoption is accelerating from simple chatbots to AI agents that can act autonomously on systems and data. This matters for healthcare because it increases the attack surface and the potential for unintended actions.

What’s new with AI agents right now

  • Companies like Anthropic have launched tools like Claude Cowork, which lets AI act like a “virtual coworker” — reading, organizing, and modifying files or workflows when given access.
  • These agentic AIs are designed to automate tasks beyond conversation — effectively acting on your data and systems at a deeper level.
  • The very capabilities that make them powerful also expand the attack surface: when an AI can act across files or tools, poorly scoped permissions or vague instructions can lead to data exposure or unintended actions.

This isn’t far-off technology — it’s the next stage of automation many vendors and EHR integrators will adopt. If an AI agent can act beyond a chat window, organizations need governance and controls that match that level of autonomy.

[26:15]

Why this matters now

Agentic AI expands risks similar to the earlier examples (vendor tool gaps, rushed adoption) — not because the tech is evil, but because the scope and speed of its actions can outpace governance and oversight in a healthcare setting.

Anthropic’s Claude CoWork Pushes AI Agents into the Mainstream—and Expands the Attack Surface

If organizations struggle to keep up with today’s AI, tomorrow’s AI will be much harder to control.

It’s not about stopping AI.
It is about understanding it early enough to manage risk before it manages you.

In the end, AI isn’t the villain—it’s just that overly enthusiastic coworker who shows up early, touches everything, and doesn’t quite understand boundaries. The trick is making sure it doesn’t rearrange your filing cabinet while you’re out to lunch. If you’re not watching what it’s doing, you might find out too late that your new “digital assistant” RSVP’d to a phishing email and invited your whole system to the breach party. Stay alert, stay skeptical, and maybe keep one hand near the off switch.
