Cybersecurity Risks with Large Language Models: What Radiologists Should Know
While large language models (LLMs) may offer the promise of workflow efficiencies and streamlined documentation in radiology, LLMs may also increase exposure to cybersecurity risks, according to a presentation at the European Congress of Radiology (ECR).
Data poisoning, trigger attacks and prompt injection are some of the ways that a cybersecurity breach can occur with large language models (LLMs) in radiology.
In a recent lecture at the European Congress of Radiology (ECR), Tugba Akinci D’Antonoli, M.D., cautioned that the potential promise of LLMs also carries elevated cybersecurity risks beyond traditional artificial intelligence (AI) models.
Dr. D’Antonoli emphasized that cybersecurity must be addressed throughout the lifecycle of an LLM as cybersecurity breaches can occur during model training, initial deployment or with daily use in a clinical setting.
While traditional AI models commonly combine structured inputs with well-delineated boundaries, Dr. D’Antonoli noted the instructions and data are more intertwined and “blurred together” with the natural language processing of LLMs. This characteristic makes it easier for malicious prompts to affect the behavior of an LLM, according to Dr. D’Antonoli. The variability of outputs with LLMs and the possibility of LLMs reproducing sensitive information from training increase the vulnerability. When LLMs are integrated with external tools or application programming interfaces (APIs), Dr. D’Antonoli said LLMs may perform actions beyond text generation, potentially expanding the potential attack surface for cybercriminals.
“As a result, LLMs make cyberattacks far easier, especially for non-experts. … What used to require maybe advanced programming skills can now be attempted by anyone with an Internet connection and a bit of curiosity,” posited Dr. D’Antonoli, a neuroradiology fellow at the University Hospital Basel in Basel, Switzerland.
Noting that LLMs are commonly trained on massive datasets, Dr. D’Antonoli said they are potentially vulnerable to “data poisoning,” the insertion of malicious or misleading data into an LLM’s training dataset.
“Even small amounts of poisoned data can subtly distort a model's behavior,” pointed out Dr. D’Antonoli, a board member of the European Society of Medical Imaging Informatics.
Other tools used by cyber criminals include “trigger attacks” that may be embedded during the training of an LLM. These hidden triggers can be activated by a certain word or phrase to manipulate LLM responses, according to Dr. D’Antonoli.
“Such triggers can remain dormant for long periods before being activated,” noted Dr. D’Antonoli.
“Prompt injections” operate in a similar manner with the insertion of hidden prompts that can override legitimate prompts. Citing a recent study, Dr. D’Antonoli said researchers found that simulated prompt injections embedded in medical images were able to adversely affect an LLM’s ability to detect lesions.
"Prompt injection works by inserting hidden or malicious instructions that can override a model's input and manipulate the output,” said Dr. D’Antonoli.
Accordingly, Dr. D’Antonoli said rigorous defensive strategies are essential for the evaluation of LLMs.
She emphasized “sandboxing” that allows developers to assess LLMs and their potential vulnerabilities in controlled environments. While proprietary cloud-based systems may simplify scaling for LLMs, Dr. D’Antonoli indicated this also requires a strong trust threshold in third-party data handling. She noted that local open-source models may provide greater data control but require dedicated in-house engineering for monitoring.
Related Content
