Quick Take

  • 100–500 poisoned training samples can embed persistent backdoors in healthcare AI, affecting documentation, imaging, and decision support, with >60% trigger success and detection delays of months to years.
  • Pharmacy leaders, informatics pharmacists, and compliance should expect exposure in clinical decision support (CDS), order verification, and automated dispensing cabinets (ADCs). Vendor due diligence and drift monitoring will need tightening.

Why it Matters

  • Operational medication safety: Poisoned CDS or LLM outputs can quietly alter order sets, dosing guidance, and interaction checks, sometimes only on trigger phrases or subgroups. Mitigation will require pharmacist-in-the-loop verification, drift dashboards, subgroup audits (opioids/anticoagulants/insulin), and cross-model checks rather than trusting a single tool.
  • Supply chain and data flow: A tainted vendor model or scripted scribe data can propagate through EHR, CDS, and ADCs, affecting multiple clinical systems. Procurement should require adversarial-testing attestations, data provenance, version pinning, and rollback rights, and expect longer go-live validation.
  • Governance and liability: Because detection is difficult and privacy rules limit cross-patient forensics, accountability must shift to proactive monitoring and clear ownership. Implement an AI safety playbook (Pharmacy & Therapeutics, Compliance, IT), incident drills, audit logging, staged rollouts, and policies that keep clinicians as final decision-makers.
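The subgroup audit and cross-model check above can be made concrete as a release gate. The following is an added example, not code from the briefing or from any vendor: it assumes the informatics team keeps the recommendations of a frozen, previously validated reference model on a fixed audit set, and compares each candidate model version against them per high-risk drug class. The `AuditCase` records, the grouping by `drug_class`, and the 25% threshold are all constructed for illustration.

```python
"""
Subgroup disagreement audit for a clinical decision support (CDS) model.

Added example, not code from the briefing or from any vendor. It assumes the
informatics team keeps the recommendations of a frozen, previously validated
reference model on a fixed audit set, and compares each candidate model
version against them per high-risk drug class. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditCase:
    case_id: str
    drug_class: str   # subgroup, e.g. "opioid", "anticoagulant", "insulin"
    reference: str    # validated reference model's recommendation
    candidate: str    # candidate model version's recommendation


def _cases(prefix, drug_class, pairs):
    """Build AuditCase records from (reference, candidate) pairs (constructed)."""
    return [AuditCase(f"{prefix}{i:02d}", drug_class, ref, cand)
            for i, (ref, cand) in enumerate(pairs, start=1)]


# Constructed audit set: the candidate matches the reference on opioids and
# (almost) on insulin, but diverges on half of the anticoagulant cases. That is
# the shape a subgroup-targeted backdoor produces: the overall disagreement
# rate looks tolerable while one drug class is systematically wrong.
AUDIT_SET = (
    _cases("op", "opioid", [("hold", "hold")] * 8)
    + _cases("in", "insulin", [("reduce", "reduce")] * 7 + [("reduce", "continue")])
    + _cases("ac", "anticoagulant", [("reduce", "reduce")] * 4 + [("reduce", "continue")] * 4)
)


def disagreement_by_group(cases, key=lambda c: c.drug_class):
    """Return {group: (disagreements, total)} for the given grouping key."""
    counts = defaultdict(lambda: [0, 0])
    for c in cases:
        group = key(c)
        counts[group][1] += 1
        if c.reference != c.candidate:
            counts[group][0] += 1
    return {g: (d, n) for g, (d, n) in counts.items()}


def overall_rate(cases):
    """Fraction of audit cases where candidate and reference disagree."""
    if not cases:
        return 0.0
    return sum(1 for c in cases if c.reference != c.candidate) / len(cases)


def flag_subgroups(cases, threshold=0.25, min_cases=5, key=lambda c: c.drug_class):
    """Return {group: rate} for groups whose disagreement rate exceeds threshold.

    min_cases stops a single odd case in a tiny group from tripping the audit.
    """
    flagged = {}
    for group, (d, n) in disagreement_by_group(cases, key).items():
        if n >= min_cases and d / n > threshold:
            flagged[group] = d / n
    return flagged


def audit_report(cases, threshold=0.25, min_cases=5):
    """Summarise an audit run; release_ok is False if any subgroup is flagged."""
    flagged = flag_subgroups(cases, threshold, min_cases)
    return {
        "overall_disagreement": overall_rate(cases),
        "by_group": disagreement_by_group(cases),
        "flagged": flagged,
        "release_ok": not flagged,
    }


if __name__ == "__main__":
    report = audit_report(AUDIT_SET)
    print(f"overall disagreement: {report['overall_disagreement']:.3f}")
    for group, (d, n) in sorted(report["by_group"].items()):
        print(f"  {group:<14} {d}/{n} disagree")
    print("flagged:", report["flagged"], "| release_ok:", report["release_ok"])
```

On the constructed set the overall disagreement is about 21%, below the 25% threshold, so a single aggregate metric on a drift dashboard would pass the candidate; only the per-class breakdown exposes the anticoagulant divergence. The `key` parameter lets the same audit be re-run by ordering unit, note author, or any other attribute that a trigger might correlate with.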

Bottom Line

Treat data poisoning as an 'explore-now' risk for CDS, order verification, and pharmacy-adjacent AI, add it to the risk register, and assign an owner to validate model behavior.


Key Details

  • Empirical thresholds: Across medical imaging CNNs, large language models (LLMs), and reinforcement learning agents, 100–500 poisoned samples caused 60–95% trigger success regardless of dataset size. With 3–5 training epochs, those samples yield ~750–1,250 exposures; detection commonly lagged 6–12 months or longer.
  • LLM fine-tuning risk: Poisoned reinforcement learning from human feedback (RLHF) with ~100–200 biased ratings in 1,000–5,000 institutional examples induced trigger-based medication recommendations. Low-Rank Adaptation (LoRA) concentrates updates, helping backdoors persist through later training. The attack needs feedback access, not source-code access.
  • Infrastructure vectors: In federated learning, a single malicious site can submit poisoned updates that evade robust aggregation and spread backdoors across participants. Coordinated 'Medical Scribe Sybil' fake visits seed scripted electronic health record (EHR) entries. HIPAA and GDPR privacy limits impede cross-patient forensics and attribution.
  • Supply chain exposure: Poisoned foundation models at vendors can embed resilient backdoors that survive local fine-tuning and propagate to ~50–200 institutions. Contractual opacity and limited regulatory requirements for adversarial testing hinder deep forensics and attribution.
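Version pinning with recorded provenance, called for in the supply-chain points above, is in practice a digest manifest that the deployment step checks before any vendor artifact is loaded. The following is an added example, not code from the briefing or from any vendor: it assumes procurement records a SHA-256 digest for every file of an approved model version, and that loading is refused on any mismatch. The `build_manifest` and `verify_manifest` helpers, the version label, and the artifact files (written to a temporary directory) are all constructed for illustration.

```python
"""
Pinned-digest check for vendor model artifacts before they are loaded.

Added example, not code from the briefing or any vendor. It assumes procurement
records a manifest of SHA-256 digests for each approved model version, and that
the deployment step refuses to load artifacts whose digests do not match. The
files and manifest below are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large weight files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(base_dir, version, filenames):
    """Record pinned digests at approval time (run once, keep under change control)."""
    return {
        "model_version": version,
        "artifacts": {name: sha256_file(os.path.join(base_dir, name)) for name in filenames},
    }


def verify_manifest(manifest, base_dir):
    """Return a list of problems; an empty list means every artifact matches its pin."""
    problems = []
    for name, pinned in manifest["artifacts"].items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        actual = sha256_file(path)
        if actual != pinned:
            problems.append(f"{name}: digest mismatch (pinned {pinned[:12]}, got {actual[:12]})")
    # Files present on disk but absent from the manifest are also a finding:
    # an approved version has exactly the artifacts that were reviewed.
    for name in sorted(os.listdir(base_dir)):
        if name not in manifest["artifacts"] and name != "manifest.json":
            problems.append(f"{name}: not in manifest")
    return problems


def demo():
    """Pin two constructed artifacts, verify, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"weights.bin": b"\x00\x01" * 1024, "config.json": b'{"vocab": 32000}'}
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(tmp, "cds-model-v1-assumed", list(files))
        with open(os.path.join(tmp, "manifest.json"), "w") as fh:
            json.dump(manifest, fh)
        before = verify_manifest(manifest, tmp)
        # Simulate a weight file that changed after approval.
        with open(os.path.join(tmp, "weights.bin"), "ab") as fh:
            fh.write(b"\xff")
        after = verify_manifest(manifest, tmp)
    return before, after


if __name__ == "__main__":
    ok, tampered = demo()
    print("approved artifacts:", ok or "all match")
    print("after change:", tampered)
```

The manifest should be stored and signed outside the directory the vendor delivers into, otherwise a re-upload that replaces both weights and manifest passes the check; the rollback right mentioned above is only exercisable if the previously approved digests are still on record.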