The weaponisation of AI in the healthcare sector & the national security risks (UK) Part 2

 by Zara Hayat, International Relations Correspondent at Intelligence Forums

Part 2 explores how the weaponisation of AI in the UK healthcare sector becomes a national security risk when technical vulnerabilities intersect with governance weaknesses, institutional dependence, and public trust. It argues that AI-enabled threats are not only risks of disruption, but also risks to clinical integrity, data confidentiality, decision-making reliability, and the resilience of essential health services.

 

A framework for understanding the risk:

This piece adopts a two-layered framework analysing how the weaponisation of AI in the healthcare sector becomes a national security risk. The first layer draws on theories regarding securitisation and resilience to explain why healthcare although traditionally understood as a societal and welfare-oriented sector can become security-relevant when its disruption threatens essential services, public trust, and state capacity. The second aspect draws on the socio-technical risk thinking side as well as the National Institute of Standards and Technology’s adversarial machine learning taxonomy to differentiate between AI-specific vulnerabilities and AI-enabled extensions of existing cyber threats. By combining the two, the risk of treating AI as inherently transformative or simply another form of cyber risk diminishes. Instead, together they make it possible and productive to analyse how governance choices, technical vulnerabilities, and hostile actor capabilities interact to produce national security exposure. The framework intentionally rejects technologically deterministic claims by treating AI-related security risk as contingent on institutional design, governance structures, and system resilience rather than as an inevitable consequence of technological advancement itself.

The first theoretical lens is the securitisation theory. This theory is particularly useful here as it focuses specifically on how issues become framed and institutionalised as matters of national security in ways that Risk Society theory or broader Critical Security Studies fail to despite also examining non-traditional threats. This makes it especially suited to analysing how healthcare cyber disruption is translated into national risk within UK policy discourse. Security is argued to be constructed through the framing of issues as existentially significant to a valued referent object rather than limited to military threats. This is particularly useful as healthcare is not automatically nor inherently a national security issue. Instead it becomes security relevant only when disruption to healthcare threatens wider society functioning, public order, state legitimacy or the crisis response capacity. For this reason, it is not to be automatically assumed that all AI-related healthcare risks are national security risks. It is to be questioned under what conditions hostile activity against healthcare crosses that threshold from sectoral disruption into a broader threat to national resilience. This approach is especially pertinent to the UK because official policy documents increasingly frame health and social cyber disruption in national risk terms. The National Risk Register’s inclusion of a cyber-attack on the health and social care system is critical here as it positions healthcare disruption as a risk facing the UK as well as its interests rather than simply an organisational or a technical failure. Therefore, securitisation theory aids in the understanding of how the meaning of healthcare cyber risk changes as soon as it is connected to essential service continuity, public confidence, and crisis governance. The framework is used cautiously. The claim is not that healthcare has been fully securitised in a strong Copenhagen School sense. Instead it chooses to use securitisation to examine how Security relevance is produced through policy framing, institutional prioritisation and national risk assessment. The National Risk Register is not used here as theory, but as evidence of how UK policy already frames healthcare cyber disruption in national risk terms.

Resilience theory compliments securitisation by shifting the focus from whether something is labelled as a security threat to how systems absorb, respond to and recover from disruptions. Resilience at present moment is central to contemporary security governance as modern threats are often complex uncertain and difficult to prevent entirely. National security increasingly depends on the capacity of states and critical systems to maintain functionality under conditions of disruption. This is crucial for healthcare because hostile AI-enabled activity does not need to destroy the infrastructure in order to generate national security consequences. It likely suffices if they degrade service availability, delay emergency care, compromise on data flows, undermine clinical decision, integrity or weaken public confidence during times of crisis. Resilience theory thus allows the article to analyse healthcare not merely as a target but as a system whose continued functioning is itself a security condition, one that AI-enabled threats may strain without destroying. The WannaCry incident serves as a useful empirical baseline here. Albeit not AI-enabled, it depicts how cyber disruption can quickly spread from technical compromise into operational disruption, cancelled care and wider concerns about preparedness. Resilience theory therefore provides the conceptual bridge between cyber incident and national security consequence.

The second layer of the framework is the socio-technical aspect. A socio-technical perspective understands technological systems as embedded within interactions between the technical infrastructure, human actors, institutions, organisational routines and governance arrangements. This is essential for analysing artificial intelligence in healthcare as AI systems simply do not operate in isolation. The risks are shaped by how they are procured, trained, deployed, monitored, audited and especially trusted. For example, a model may be technically sophisticated but it’s security implications are contingent on data governance, vendor relationships, staff capacity, regulatory oversight and institutional accountability. This socio-technical perspective clearly supports the core argument which is that national security risk is not produced by the capabilities of artificial intelligence. This lens is particularly useful for analysing how the NHS Federated Data Platform's data centralisation, procurement choices, and contested legitimacy become security-relevant rather than merely operational concerns. The taxonomy distinguishes between different forms of AI-specific attack, including poisoning, evasion, and inference or privacy attacks. The first one being cases where AI is used by hostile actors to enhance conventional cyber operations such as phishing reconnaissance, vulnerability discovery or malware development. The second being cases where AI systems themselves become the target of manipulation. This distinction is crucial as a lot of the public debate combines both within the general language of an AI threat, producing the very kind of hype and conceptual aforementioned. Crucially, such attacks may leave systems apparently functional while compromising the integrity of their outputs a distinction with significant implications for healthcare decision-making.

Risk Pathway 1: AI-specific vulnerabilities and compromising clinical integrity

A prominent way that AI weaponisation creates national security risk in the healthcare sector is through the degradation of clinical integrity. Unlike conventional cyber-attacks, which often operate by disrupting availability through system shutdowns, ransomware or denial of service, AI-specific attacks tend to leave the system functional at face value while corrupting the reliability of the decisions they support. It is critical to make this distinction as in healthcare harm does not only arise when hospitals are unable to operate but may also arise when seemingly operational systems produce misleading outputs. This can lead to the distortion of diagnosis, treatment prioritisation, and resource allocation. Therefore, artificial intelligence introduces a very specific integrity problem. Hostile actors may not need to disable healthcare infrastructures entirely to generate strategic and intentional harm but instead can manipulate the data, models or outputs upon which clinical and operational decisions increasingly depend upon.

The NIST adversarial machine learning taxonomy is useful as it prevents AI risk from being treated as a vague or inflated category. NIST distinguishes between various form of AI specific attacks including but not limited to poisoning, evasion, and inference or privacy attacks. When speaking in the context of healthcare, poisoning attacks are significant because they involve corrupting the data or training process through which the LLMs learn. For example, if a hostile actor were able to insert manipulated data into a clinical training pipeline, the resulting model could make systematically distorted predictions whilst still appearing technically functional. This is crucial as healthcare AI tends to be valued precisely for its ability to detect patterns in large datasets that clinicians may struggle to process manually. Despite this, the same dependence on data creates a vulnerability which is that if the data environment is compromised, the model’s authority may amplify rather than correcting the error.

On a similar level, evasion attacks present a related but distinct problem. In this case, hostile actors manipulate inputs to deceive a model at the point of use. For example, in medical imaging adversarial perturbations have the potential to alter how an AI system classifies scans without necessarily being perceptible to clinicians or patients. From the perspective of national security, it is not that every imaging model is currently vulnerable but that the logic of AI supported clinical decision-making creates a new target surface. If the UK deployed this at scale across hospitals, manipulated outputs could degrade diagnostic reliability, delay treatment, or misdirect scarce clinical resources. Should a public health emergency occur, even limited degradation of decision support systems could have consequences beyond an individual patient affecting wider crisis response capacity.

The risk further extends from clinical integrity into confidentiality perpetuated by inference and privacy attacks. Health data is uniquely sensitive as it has the capacity to reveal not only medical conditions but also demographic patterns, vulnerabilities and institutional dependencies. If hostile actors use AI-enabled techniques to infer sensitive information from models or datasets, the consequences may include blackmail, coercion, espionage, or strategic intelligence extraction. In cases where healthcare data infrastructure is becoming increasingly centralised and dependent on external vendors, this becomes particularly relevant. Logically, the more healthcare systems integrate data across platforms and services, the more strategically significant and valuable those data systems and environments become. In the context of NHS, the Federated Data Platform's aggregation of data across trusts creates exactly the kind of centralised, high-value environment in which inference attacks become most detrimental. If a hostile actor could probe such a platform through a compromised access point, vulnerable API or a manipulated model interface, the inferred information could extend beyond patient records to reveal a deeper institutional dependency, workforce patterns or even systemwide vulnerabilities that can carry strategic intelligence.

The key point of analysis however is that these risks do not arise from AI capability alone. They only become nationally significant when AI-specific vulnerabilities intersect with governance weakness. For example, a poisoned dataset is only likely to produce systemic harm if data provenance, auditing, monitoring, and procurement oversight are weak to begin with. An evasion attack only becomes pivotal when clinicians over rely on model outputs or where systems are deployed without sufficient human review. When data sharing agreements are opaque or public entities are unable to properly show how sensitive information is protected, inference risks become more severe. This corresponds with the security governance gap argument that the weaponisation of AI becomes a national security problem, not just because adversarial machine learning exists rather because governance systems can fail to anticipate how these technical vulnerabilities operate inside high-stake public service infrastructures. Due to the nature of the topic, this is why the chapter does not treat proof of concept research as equivalent to real-world exploitability. Many adversarial machine learning attacks remain technically demanding and context dependent. Several conditions would need to be in line for such risks to materialise in the NHS. Hostile actors would need access to relevant data, inputs or model interfaces, monitoring systems would need to fail to detect manipulation and institutional governance would need to be insufficiently robust to contain the effects. These stipulations are important because overstating artificial intelligence risk could likely reproduce the hype dynamics criticised in the literature review. Dismissing these risks because they are technically complex would be equally detrimental. National security planning cannot only be concerned with present incidents but must be concerned with plausible pathways through which vulnerabilities may become strategically consequential.

To summarise, AI-specific attacks therefore shift the security problem from mere disruption to compromised reliability. Whilst availability remains important, integrity becomes the crux. A healthcare system that is off-line is visibly in crisis. Furthermore, a system that continues operating whilst its outputs, data or models have been manipulated may be harder to diagnose and trickier to contain. For this reason, AI weaponisation in healthcare should be understood as a threat to decisional integrity as much as to digital infrastructure. The national security risk lies in the possibility that hostile actors could degrade the systems through which care is prioritised, resources are allocated, and institutional trust is maintained, thereby turning AI-enabled healthcare infrastructure into a site of strategic vulnerability.

 

Cristina Schek