
“Do No Harm” — Cybersecurity, AI, & Radiology at ECR 2026


At ECR 2026, cybersecurity in AI-driven radiology systems took center stage. Experts agreed that as radiology embraces AI, its attack surface is expanding just as quickly. From agentic AI systems that can autonomously execute tasks, to generative models capable of fabricating highly convincing medical images, the discussion moved beyond abstract cyber risk. It focused squarely on what these technologies mean for PACS, RIS, DICOM workflows, and the integrity of clinical decision-making.

In a hurry? Here are the key points to know:

  • Agentic AI expands the attack surface in radiology. Permission downgrading, hybrid cloud/on-prem architectures, and least-privilege principles are essential safeguards.
  • LLMs can distort both workflows and science. Risks include fake abstracts, data poisoning, and autonomous actions taken with clinical privileges. Defense strategies are a must.
  • Generative AI threatens data integrity. Digital watermarking, SBOM documentation, red teaming, and a robust human-in-the-loop model are critical to ensuring imaging authenticity.

March 4-6, 2026—The European Congress of Radiology (ECR) began day one with multiple topics of interest, most notably one that concerns all industries: cybersecurity. In a panel discussion, three experts split the topic into equally important subcategories that brought together cybersecurity, AI, and radiology. The UK’s Brendan S Kelly spoke about security threats posed by AI systems in radiology. Switzerland’s Tugba Akinci D’Antonoli followed him by comparing traditional cybersecurity threats with the unique risks that LLMs introduce to radiology systems. Lastly, Italy’s Renato Cuocolo not only examined how generative AI models can create misleading images or manipulate patient data, but also presented a how-to strategy for assessing the validity of images.

They opened the talk by referencing OpenClaw, an open-source AI assistant that quickly transformed into a “backdoor agent” for attackers. Since the beginning of the year, the tool has been tagged for a “lethal trifecta” of vulnerabilities: combining access to private data, exposure to untrusted content, and the ability to act autonomously turns it into a potent attack vector. Pliny the “Liberator” also featured in the story, as an example that no model is safe for long. According to Time Magazine, Pliny is an anonymous internet personality with a penchant for poking holes in billion-dollar AI systems.

Now that radiologists are decently frightened about AI-infused systems, what can be done? Healthcare centers are plunging forward with AI systems, and for good reason. Here are the security threats and defense strategies to understand.

Security Threats Posed by AI Systems in Radiology

Brendan S Kelly opened with a stark reminder that radiologists cannot adopt Silicon Valley’s “move fast and break things” ethos. 

“We have a separate responsibility,” he said, invoking the clinical imperative to first do no harm. 

As AI tools become embedded in triage, report generation, and follow-up recommendations, they introduce new vulnerabilities at each integration point.

A central concern is agentic AI, systems that do not merely analyze images but ingest data, make decisions, and act within hospital environments. These agents may parse PDFs, access electronic health records, or even process DICOM headers, which Kelly identified as a specific vulnerability for prompt injection. Once an agent consumes untrusted content, adversarial instructions can propagate horizontally across systems, particularly if self-replication or automation is involved.

Kelly emphasized the principle of least privilege: if an AI agent ingests information from a lower-trust source, “its permissions should drop to the level of the author of that information.” In practical radiology terms, an AI triage system reading data from an external GP database or administrative account should not retain high-level access to PACS archives or scheduling systems.
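The permission drop Kelly describes can be sketched in a few lines. The following is an added example, not code shown at the session; the role names, permission names and the `AgentSession` class are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical author roles and permission names, constructed for this example.
AUTHOR_PERMISSIONS = {
    "radiologist": frozenset({"read_report", "read_pacs", "write_report", "schedule"}),
    "admin_clerk": frozenset({"read_report", "schedule"}),
    "external_gp": frozenset({"read_report"}),
}
UNKNOWN_AUTHOR = frozenset()  # unrecognised source: every permission is dropped


class PermissionDenied(Exception):
    pass


@dataclass
class AgentSession:
    granted: frozenset                     # what the deployment gave the agent
    effective: frozenset = field(init=False)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.effective = self.granted

    def ingest(self, author_role: str, content: str) -> str:
        """Read content, then lower permissions to the author's level."""
        ceiling = AUTHOR_PERMISSIONS.get(author_role, UNKNOWN_AUTHOR)
        before = self.effective
        # Intersection can only remove permissions, so the drop is sticky:
        # later trusted input does not restore what untrusted input cost.
        self.effective = self.effective & ceiling
        self.audit.append((author_role, sorted(before - self.effective)))
        return content

    def call_tool(self, permission: str, action: str) -> str:
        if permission not in self.effective:
            self.audit.append(("DENIED", [permission]))
            raise PermissionDenied(f"{action}: needs {permission}")
        return f"ok: {action}"


def demo():
    s = AgentSession(granted=AUTHOR_PERMISSIONS["radiologist"])
    first = s.call_tool("read_pacs", "fetch prior CT")   # allowed before ingest
    s.ingest("external_gp", "Referral letter text")      # lower-trust source
    try:
        s.call_tool("read_pacs", "fetch prior CT")
        blocked = False
    except PermissionDenied:
        blocked = True
    s.ingest("radiologist", "Addendum")                  # does not re-elevate
    return first, blocked, sorted(s.effective)
```

Regaining PACS access in this sketch means starting a new session that has not read the lower-trust content.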

He also addressed the perennial cloud-versus-on-premises debate. Cloud infrastructure offers managed controls, rapid patching, and resilience, but latency can be problematic in time-critical pathways such as acute stroke imaging. Conversely, on-prem systems may suffer from legacy vulnerabilities. For most radiology departments, Kelly argued:

“The safe default is going to be hybrid,” keeping mission-critical, time-sensitive processes local, while leveraging cloud scalability for training, collaboration, and federated learning.

The overarching message: assume breach, limit harm, and architect AI systems with containment in mind.

Large Language Models (LLMs)—A Security Threat?

Tugba Akinci D’Antonoli shifted the focus to large language models and their unique risks. Unlike traditional cybersecurity threats that target infrastructure, LLM-related risks may target knowledge itself. One emerging concern is the circulation of convincing but fabricated scientific content. 

“Convincing fake abstracts can easily circulate, get cited, and quietly disturb our cumulative scientific knowledge.”

For radiology, where practice guidelines and reporting standards evolve rapidly, the infiltration of synthetic or manipulated research into the literature poses downstream clinical risk.

Agentic LLM systems compound this threat. These models can set goals, execute tasks, and act with user privileges. As discussed in the session, autonomous agents in other sectors have demonstrated how easily runtime errors or misaligned goals can trigger unintended actions. In a hospital context, an LLM integrated with scheduling, reporting, or procurement systems could theoretically act beyond its intended scope.

Data poisoning was another key theme. When models are trained on large, multi-institutional datasets, it becomes “impossible to check every source of data before training the model,” opening the door to toxic or malicious inputs. In radiology, subtle manipulation of training datasets could bias lesion detection, alter performance across demographics, or degrade sensitivity in high-stakes contexts.

Defense strategies fall into several layers: architectural safeguards, rigorous sandboxing, adversarial testing, and system-level controls. But perhaps most critically, Akinci D’Antonoli stressed governance. That means clear documentation of model provenance, controlled deployment environments, and transparency about training data sources.

Generative AI: Identifying Threats and Defense Strategies

Renato Cuocolo concluded with a deep dive into generative AI, focusing on what may matter most to practicing radiologists: how to know whether an image is real.

He described a future evolution of ransomware. Instead of locking data, attackers might inject small amounts of corrupted or synthetic data into imaging archives. The extortion scenario shifts from “pay to decrypt” to “pay to know which images you can trust.” For departments reliant on longitudinal comparison studies and AI-assisted triage, even minimal corruption could have outsized clinical consequences.

Identifying manipulated images requires both technical and procedural defenses. During acquisition and training, teams must guard against data poisoning; at inference, they must monitor for hallucinations, model drift, and inversion attacks. Yet because high-quality synthetic images are designed to be indistinguishable from authentic ones, detection often demands domain expertise.

Cuocolo advocated several safeguards:

  • Digital watermarking, embedding markers in both original and generated data to preserve provenance. International efforts such as the Coalition for Content Provenance and Authenticity aim to standardize content authenticity frameworks.
  • Chain-of-custody documentation, tracking every transformation a dataset undergoes.
  • The Software Bill of Materials (SBOM), implemented in the United States in 2021 after major cyber incidents, documents every software component in a system. Europe’s Cyber Resilience Act is expected to bring similar requirements into force in 2027.
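Chain-of-custody documentation also speaks to the "which images can you trust" scenario above. As an added example (not from the session; the ledger layout, field names and study IDs are assumptions constructed here), a hash-chained log of every transformation lets a department list exactly which archived objects no longer match their recorded state:

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(body: dict) -> str:
    return digest(json.dumps(body, sort_keys=True).encode())

def append_entry(ledger, object_id, step, actor, data: bytes) -> dict:
    """Record one transformation; each entry commits to the one before it."""
    body = {"object_id": object_id, "step": step, "actor": actor,
            "content_sha256": digest(data),
            "prev": ledger[-1]["entry_hash"] if ledger else GENESIS}
    ledger.append(dict(body, entry_hash=entry_hash(body)))
    return ledger[-1]

def verify_ledger(ledger) -> bool:
    """True if no entry was edited, removed from the middle, or reordered."""
    prev = GENESIS
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev or entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def untrusted_objects(ledger, archive: dict) -> list:
    """IDs whose archived bytes differ from the last recorded state."""
    expected = {e["object_id"]: e["content_sha256"] for e in ledger}  # last wins
    bad = {oid for oid, d in expected.items()
           if oid not in archive or digest(archive[oid]) != d}
    bad |= {oid for oid in archive if oid not in expected}  # never recorded
    return sorted(bad)

def demo():
    # Constructed sample data; the byte strings stand in for image files.
    archive = {"study-001": b"pixels-A", "study-002": b"pixels-B"}
    ledger = []
    for oid, data in archive.items():
        append_entry(ledger, oid, "acquired", "modality-1", data)
    archive["study-001"] = b"pixels-A-anonymised"
    append_entry(ledger, "study-001", "anonymised", "pipeline", archive["study-001"])
    archive["study-002"] = b"pixels-B-altered"   # changed with no ledger entry
    archive["study-003"] = b"synthetic"          # injected, never recorded
    return ledger, verify_ledger(ledger), untrusted_objects(ledger, archive)
```

The ledger only helps if its latest `entry_hash` is stored somewhere an attacker with write access to the archive cannot reach; otherwise the whole chain can be rebuilt to match altered data.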

He further emphasized red teaming, engaging “benevolent hackers” and, crucially, clinical specialists to deliberately break systems before adversaries do. In radiology, certain manipulations can only be detected through clinical knowledge. This makes the “human-in-the-loop” not merely a safety feature, but a firewall.

Ultimately, Cuocolo reminded attendees that humans are both the first point of exposure and the last safeguard. Blind trust in AI output is itself a vulnerability.
