Skip to main content
CybersecurityHealthcare

AI Tools Expose Healthcare to Rising Cyber Risk

Hospital corridor with healthcare professionals and a laptop on a cart, soft natural daylight from large windows.

"Healthcare CISOs and security teams need to understand that with Mythos, the speed of vulnerability detection and exploitation will be increased exponentially," said Denise Anderson, CEO of Health-ISAC.

Anthropic's Claude Mythos: access, capability, and a narrow rollout

The report from the Health Information Sharing and Analysis Center (Health-ISAC) and Quest Diagnostics warns that Claude Mythos — the more-capable variant of Anthropic's AI models — poses elevated cyber risk to the healthcare sector. Mythos is currently restricted to roughly 50 vetted Project Glasswing organizations, but the report cautions that a leak could "create a force multiplier for criminal elements."

Anthropic is reported to be investigating a claim, noted in the report, that a group of Discord users gained access to the Mythos model, a report that was covered by Bloomberg and referenced by Health-ISAC and Quest Diagnostics.

Parallels drawn to Cobalt Strike and Brute Ratel abuse

The Health-ISAC/Quest Diagnostics threat-research report draws direct parallels between Mythos and legitimate security tools that have been repurposed by attackers. It cites the documented pattern in which Cobalt Strike and Brute Ratel — both created for enterprise red teams and pen-testing — were subsequently used by threat actors after being obtained through cracked versions or by misleading developers.

The report notes precedent: in 2023 Fortra (the Cobalt Strike developer), Microsoft and Health-ISAC obtained a U.S. federal court order to redirect Cobalt Strike-infected computers' traffic to sinkhole servers controlled by defenders. Brute Ratel, described in the report as a "Cobalt-like" toolkit, has been used by cybercriminal gangs, including the now-defunct Russian-speaking BlackCat/AlphV, to launch healthcare attacks.

Operational urgency: exploitability at "AI speed"

Experts in the report emphasize that Mythos-like tools change the cadence of risk from days or weeks to minutes or hours. Jason Elroy, CISO of MultiCare Health System and an executive advisor at security firm Elisity, said the critical difference is velocity: "The moment that happens, you've got 20 to 30 minutes, maybe - 24 hours tops in this new world." He framed the shift as one from vulnerability management to "exploitability management," and advocated for tactics including micro-segmentation, zero trust and limiting bandwidth.

Denise Anderson advised that healthcare teams will need to speed up patch cycles and prepare plans for taking devices offline to patch. She also identified third-party partners and legacy systems as persistent, high-risk vectors and urged moving off legacy systems where possible while implementing mitigating controls around third-party tools.

What this means for Healthcare CISOs, Software Developers, and Third-party Providers

  • Healthcare CISOs and security teams: Expect dramatically shorter windows between disclosure and exploitability; prioritize rapid patching, isolation plans and micro-segmentation, per cited practitioners in the report.
  • Software developers and product teams: Scott Gee, deputy national cyber risk adviser at the American Hospital Association, said the emergence of Mythos could drive a shift toward "secure by design," urging security to be integrated earlier and more consistently in development lifecycles.
  • Third-party providers and operators of legacy systems: The report singles these groups out as ongoing, primary sources of risk; organizations are advised to reduce dependence where feasible and apply compensating controls when they cannot.

Defensive playbook and legal remedies already in use

The report points to concrete defensive measures and legal precedents. The 2023 U.S. federal court order to sinkhole Cobalt Strike traffic demonstrates one tool defenders have used to disrupt active abuse of legitimate security software. The report also suggests technical mitigations — patch speed, segmentation, zero-trust controls and plans for taking devices offline — as critical countermeasures in a world where AI tools can autonomously discover and exploit long-standing vulnerabilities.

While the report recognizes possible benefits — Scott Gee noted that Mythos could be used by software developers to build more secure software and shift practices toward security-by-design — the central warning is clear: a leak or illicit access to Mythos-like capabilities could amplify attackers' speed and scale.

Anthropic's ongoing investigation of the Discord-access claim, the historical use of cracked or misappropriated red-team tools, and the Health-ISAC/Quest Diagnostics assessment together set a narrow, urgent choice for healthcare organizations: accelerate defensive modernization or face a materially faster threat timeline. The report leaves one pointed question for the sector and the companies that develop these models: if Mythos-like capabilities escape vetted environments, will the defensive measures and legal tools demonstrated so far be enough to blunt an AI-enabled surge in exploitability?

https://www.govinfosecurity.com/report-mythos-like-ai-tools-raising-healthcare-cyber-stakes-a-31711