Securing Clinical AI at Scale — Henry Schein Intelligence Briefing

Section 01

The Situation

Henry Schein One has moved from AI experimentation to platform-wide deployment at remarkable speed — 3 AI products shipped in 4 months, embedded in an agentic architecture with 700+ API endpoints.

48,000+

US dental practices on Dentrix / Dentrix Ascend^[1]

100M

Claims processed annually^[1]

191M

Eligibility checks in 2025^[1]

3M

Charts completed via AI-powered voice dictation^[1]

Product Timeline

Nov 3, 2025

AWS Strategic Partnership announced — goal: "world's first AI-augmented practice management system"^[2]

Nov 25, 2025

Voice Notes & Claire unveiled at Greater New York Dental Meeting (GNYDM)^[3]

Feb 19, 2026

Image Verify launched — AI-powered image quality assessment in Dentrix^[4]

Mar 10, 2026

Dentrix Ascend restructured into 3 AI-embedded tiers — AI is now non-optional even at Essentials level^[1]

As of March 10, 2026, Henry Schein One restructured Dentrix Ascend into three tiers: Essentials, Pro, and Accelerate. Voice Notes and Image Verify are included even in the entry-level Essentials package. This means every new Ascend customer receives AI-powered features whether they specifically opted in or not — creating a universal attack surface across all practices.^[1]

The platform is described as a "fully integrated, agentic platform architecture" with 250+ technology partners and 700+ API endpoints. Ryan Hungate (Chief Clinical & Strategy Officer): "supported by agentic AI working in the background."^[1]

On October 2, 2025, the Lynx ransomware gang (Russia-linked) attacked TriMed Inc., a Henry Schein subsidiary. Data exfiltrated included executive communications, legal documents, IP including surgical product designs, and financial records. This was the second major ransomware incident in two years across the Henry Schein group, following BlackCat/ALPHV in 2023.^[5]

Section 02

The Gap — AWS Says It's Your Problem

AWS explicitly states that prompt injection defense is the customer's responsibility. Their own documentation, security blog, and ML blog say so — eight separate times.

"The responsibility for preventing vulnerabilities like prompt injection lies with the customer."

— AWS Bedrock Documentation

"Guardrails should not be relied upon as the sole defense against prompt injections."

— AWS Security Blog, Anna McAbee, Security Specialist Solutions Architect (Jan 2025)

"Unlike SQL injection… prompt injection doesn't have a single remediation solution."

— AWS ML Blog, Sr. AI Security Engineers at Amazon (May 2025)

What Bedrock Guardrails Covers vs. What It Doesn't

Capability	Guardrails Covers	Gap
Content filtering (hate, violence, etc.)	✓	—
PII/PHI redaction	✓	—
Prompt attack detection (jailbreak/injection)	✓	Requires correct input tagging — "if there are no tags, prompt attacks will not be filtered"^[6]
Contextual grounding checks	✓	Conversational QA / chatbot use cases NOT supported^[7]
Tool input/output scanning	✗	Agent tool I/O not passed through Guardrails by default^[8]
Reasoning content blocks	✗	Explicitly excluded from scanning^[7]
Automated reasoning → injection protection	✗	Validates "as-is" — provides "No prompt injection protection"^[7]
System prompt absolute control	✗	"Don't provide absolute control, model may still deviate"^[9]

AI safety entirely absent from public materials: No mention of adversarial testing, prompt injection defenses, hallucination detection, or output validation^[10]
Agentic autonomy undefined: Agents making "autonomous decisions" about PHI processing with no published constraints^[10]
GDPR / EU AI Act gap: Committed to UK/EU expansion with zero public compliance documentation^[10]
No independent audit: All security claims self-reported via marketing materials^[10]
Voice recording → medical record ambiguity: Flagged in their own buying guide but not publicly addressed for Voice Notes^[10]
Speed of deployment: 3 AI products in 4 months suggests a pace that may outstrip security review capacity^[10]
AI is non-optional: Even the base Essentials tier includes Voice Notes and Image Verify; practices can't opt out^[10]

Section 03

The Threat Landscape

OWASP Top 10 for LLM Applications 2025 — the global security standard created by 600+ experts across 18 countries, mapped to Henry Schein's specific workflows.^[11]

LLM01

Prompt Injection

Manipulating LLM behavior via crafted inputs. OWASP: "It is unclear if there are fool-proof methods of prevention."^[12]

LLM02

Sensitive Info Disclosure

LLMs exposing PII, health records, credentials. Health records explicitly listed as at-risk category.^[13]

LLM03

Supply Chain

Vulnerabilities in third-party models, datasets, and dependencies.

LLM04

Data & Model Poisoning

Tampered training/fine-tuning/embedding data introducing backdoors or bias.

LLM05

Improper Output Handling

Insufficient validation of LLM outputs before downstream use. OWASP: "Treat the model as any other user."^[14]

LLM06

Excessive Agency

LLMs granted too much functionality, permissions, or autonomy. Directly relevant to agentic architecture.^[11]

LLM07

System Prompt Leakage

Risk that system prompts and developer instructions are exposed to users.

LLM08

Vector & Embedding Weaknesses

Security risks in RAG systems and vector databases.

LLM09

Misinformation

LLMs generating false but convincing content. OWASP flags healthcare as a high-stakes domain.^[11]

LLM10

Unbounded Consumption

Excessive resource usage leading to DoS or cost exploitation.

Threat Matrix: Henry Schein Workflows × Attack Types

Voice Notes

CRITICAL

MEDIUM

HIGH

Image Verify

HIGH

MEDIUM

HIGH

Claire (Agent)

CRITICAL

HIGH

CRITICAL

HIGH

Claims Auto

HIGH

CRITICAL

Voice Notes → Transcript injection, PHI leakage: The transcript itself is an untrusted input stream. If downstream LLM prompts treat the transcript as instructions rather than data, transcript-level prompt injection becomes possible. Correct design: treat transcripts as untrusted content and enforce privileges in code, not by "asking the model nicely."^[8]

Image Verify → Multimodal prompt injection via images: OWASP explicitly warns that multimodal systems introduce unique prompt injection risks, including hiding instructions in images. A 2025 study in Nature Communications showed state-of-the-art vision-language models used for medical tasks are susceptible to "sub-visual prompts" embedded in medical images.^[12]

Claire → Agent goal hijacking, tool misuse: As a 24/7 support agent with access to practice management functions, Claire represents a prime target for OWASP LLM06 (Excessive Agency) and the OWASP Top 10 for Agentic Applications — specifically ASI01 (Agent Goal Hijack) and ASI02 (Tool Misuse).^[15]

Claims automation → Data flow manipulation, unauthorized actions: AWS's agent security guidance highlights that indirect prompt injection can lead to system manipulation (unauthorized workflows/actions), unauthorized data exfiltration, and even remote code execution through tools.^[8]

Section 04

Attack Research — What the Lab Says

Frontier AI safety defenses are being systematically bypassed. UK government researchers demonstrated automated attacks against the strongest commercial safeguards — at trivial cost.

Boundary Point Jailbreaking (UK AI Security Institute, Feb 2026)

0% → 75.6%

GPT-5 input classifier — avg harmful rubric score (94.3% max@50)^[16]

0% → 68%

Claude Sonnet 4.5 / Constitutional Classifiers — avg with elicitation (80.4% max@50)^[16]

$210–$330

API cost to develop universal jailbreak (months of R&D not included)^[16]

Scores measured on non-empty responses only (refused queries excluded)
Tested on exempt accounts not subject to banning — normal users would be banned long before 660K+ flagged queries^[16]
Required months of R&D by government AI security researchers — the dollar figure is the floor, not the total cost
A separate human-found jailbreak was needed to bypass model-level safety — BPJ only attacks the classifier layer
The authors themselves recommend batch-level monitoring as the primary defense^[16]

Key insight: "Single-request filtering is not enough. Batch-level monitoring is essential." — This validates defense-in-depth, not that current safeguards are useless.

Each generation of automated jailbreak research has produced progressively more effective attacks. Multi-turn attack success rates now reach 92.78% across open-weight models tested, according to Cisco's State of AI Security 2026 Report.^[17]

Boundary Point Jailbreaking represents the latest evolution — the first fully automated black-box attack to succeed against Constitutional Classifiers. Anthropic verified it "would have met the universal jailbreak bar described in their bug bounty program."^[16]

Clinical Hallucination Risk at Scale

"44% of hallucinations were clinically major" — even at the "low" 1.47% rate, at Henry Schein's scale (3M AI-powered charts), this translates to ~19,400 clinically major hallucinations per year.

— Asgari et al., npj Digital Medicine 2025

ECRI ranked AI chatbot misuse as the #1 health technology hazard for 2026.

— ECRI, January 2026

Section 05

The Defense Blueprint — CaMeL + Defense-in-Depth

CaMeL (CApabilities for MachinE Learning) provides provable security guarantees against prompt injection — the centerpiece of a 6-layer defense architecture.^[18]

The Dual LLM pattern (Simon Willison, 2023) splits an agent into a Privileged LLM (plans actions) and Quarantined LLM (processes data). This protects control flow — an attacker can't change which tools are called.

But it misses data flow attacks. Example: "Send Bob the document he requested — his email is in the meeting notes." An attacker modifies the notes to include attacker@gmail.com. The P-LLM's control flow is intact, but the data flow is corrupted — the Q-LLM returns the attacker's email as "Bob's email."^[18]

CaMeL solves this with capability tags: the extracted email inherits the untrusted provenance of the meeting notes. Before send_email() executes, the policy checks whether the recipient is trusted — and blocks execution if it came from a compromised source.^[18]

AgentDojo Benchmark Results

~77%

Task completion with CaMeL (vs ~84% undefended) — 7pp cost for provable guarantees^[18]

0–2

Successful attacks remaining (vs 80–300 undefended)^[18]

Voice Notes: Transcript tagged as untrusted data. Cannot trigger claims actions or EHR modifications. PHI stays in Q-LLM (can run locally), never reaches cloud P-LLM — a HIPAA-relevant property.^[18]
Image Verify: Image-derived data carries restricted capabilities. Assessment results cannot escalate to financial actions without explicit user confirmation.
Claire: Support agent actions gated by capability policies. Tool calls (account changes, entitlements) require explicit user confirmation and trusted-source verification.
Claims automation: Financial actions (claims submission, eligibility decisions, refunds) require that both the action and its arguments have the user as their source with no untrusted parent in the dependency graph.

6-Layer Defense Stack

Privileged/Quarantined LLM split with data flow tracking and capability-based policies. Provides provable security — even if the Q-LLM is fully compromised, the capability system catches any attempt to use corrupted data dangerously.^[18]

Auxiliary classifiers trained to detect and refuse harmful requests at the model level. Anthropic's Constitutional Classifiers resisted all attacks from ~3,000 hours of red-teaming before BPJ broke through — they raise the cost of attacks significantly even if not perfect.^[17]

Input sanitization and pre-processing to detect and neutralize injection attempts before they reach the model. Includes structured prompt templates, input tag enforcement, and content separation (trusted instructions vs. untrusted data).^[9]

Content filtering, PII redaction, prompt attack detection — but correctly configured with proper input tags, ApplyGuardrail API integration for tool I/O, and awareness of known limitations (conversational QA gaps, reasoning block exclusions). AWS calls this "additional protection" — not primary defense.^[19]

Model outputs intent → code validates schema, argument ranges, entity boundaries, business rules → code enforces least privilege, rate limits, and step-up auth for privileged operations → only then is the tool called. Converts "prompt injection" from catastrophic to "annoying but contained."^[8]

Red-team regression suite run on every model/prompt update. Bedrock invocation logging and guardrail tracing. Alerting on leading indicators: high refusal rates, token spikes (DoS/cost attacks), unusual tool-call patterns. Batch-level monitoring — the primary defense recommended by BPJ researchers.^[16]

Section 06

Regulatory Mandate

The EU AI Act makes adversarial robustness a legal requirement for high-risk AI systems — and names the specific attack categories by name in binding law.

EU AI Act Enforcement Timeline

Feb 2, 2025

ALREADY LIVE
AI Literacy (Art. 4)
Prohibited Practices (Art. 5)^[20]

Aug 2, 2026

General Enforcement
Annex III high-risk
Transparency rules
Regulatory sandboxes^[20]

Aug 2, 2027

MEDICAL DEVICE AI
Annex I high-risk (MDR)
Henry Schein's deadline^[20]

"High-risk AI systems shall be resilient against attempts by unauthorised third parties to alter their use, outputs or performance by exploiting system vulnerabilities. The technical solutions shall include measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate the training data set (data poisoning), or pre-trained components (model poisoning), inputs designed to cause the AI model to make a mistake (adversarial examples or model evasion), confidentiality attacks or model flaws."

— EU AI Act, Article 15(5) — Adversarial robustness is now LAW

Financial Exposure

$375M

Maximum Tier 2 fine: 3% of $12.5B global revenue^[21]

$9.77M

Average healthcare data breach cost — highest sector, 13th year running^[17]

Market Ban

Authorities can order non-compliant AI systems withdrawn from EU market^[21]

HIPAA Security Rule updates (2025–2026): Proposed changes include mandatory encryption of ePHI at rest and in transit, mandatory MFA, vulnerability scans every 6 months, annual penetration testing, and 72-hour recovery requirements.^[22]

Notified Body bottleneck: Medical device AI faces dual compliance (MDR + AI Act) assessed by the same Notified Body. Team-NB has warned that "building NB capacity and securing formal designation can be a lengthy process, with the risk that few bodies will be ready by 2 August 2027." Companies that wait until 2027 to start will find their path to market blocked.^[20]

Extraterritorial reach: Like GDPR, the AI Act applies to providers placing AI on the EU market regardless of where the provider is established. Henry Schein's US-based AI products used by EU dentists are in scope.^[20]

Section 07

Engagement Model

A progressive engagement ladder, from no-cost diagnostic to ongoing managed security, designed to match Henry Schein's deployment pace and risk profile.

1. AI Exposure QuickScan

Recommended Entry Point

2 weeks

No cost

Produce an exec-ready punch list showing where the AI stack is most exposed to prompt injection and tool abuse in the real workflows named in Henry Schein One's public roadmap.

AI inventory (models, agents, tools, data sources)
Trust-boundary and ingestion-channel map
Guardrails configuration review: tags, coverage, known limitations
Top 10 risks ranked by likelihood × impact, mapped to OWASP LLM risks

2. AI Safety & Security Baseline Audit

6–8 weeks

€45k–€90k

Produce audit artefacts that stand up to security leadership scrutiny and create a remediation roadmap aligned to AWS, OWASP, and EU AI Act obligations.

Threat modeling workshops with Security, Product, and Engineering
Prompt injection (direct + indirect) test suite design
RAG / knowledge-base hygiene assessment
Tool-use/agency hardening review and least-privilege design
Monitoring and logging design recommendations

3. Red-Team Sprint

3–4 weeks

€60k–€140k

Stress-test staging environments across the highest-risk flows: intake → EHR fields, voice → summary → coding suggestions, support → entitlements/actions, RAG → tool calls.

Adversarial testing across all AI workflows
Multimodal injection tests for image ingestion paths
Audio/transcript pipeline tests for voice workflows
Guardrail bypass verification

4. Layered Defenses Buildout

8–12+ weeks

€120k–€350k+

Ship the hard controls, not just write a report.

AI gateway build (policy enforcement, tagging discipline, tool router)
CaMeL-pattern implementation for highest-risk workflows
Guardrails integration + tuning + regression harnesses
RAG hardening (source allowlists, signing/change control)
Monitoring and incident response playbooks

5. Managed AI Security Monitoring

Ongoing

€5k–€25k/month

Keep security controls from decaying as models, prompts, and tools change.

Quarterly red-team regression reports and drift detection
Guardrail KPI monitoring (block rates, false positives, language coverage)
Update advisory when AWS releases new capabilities/limitations
EU AI Act compliance tracking and documentation support

Section 08

The Bottom Line

"We stop treating the model as the security boundary, and start treating it as just another untrusted input processor — wrapped in controls you can audit."

Next Step

Schedule the AI Exposure QuickScan — a 2-week, no-cost diagnostic that produces an actionable risk assessment specific to Henry Schein One's architecture.

Hugo Nguyen — hugo@hugonguyen.com
AI Security

Securing Clinical AIat Scale

The Situation

Product Timeline

The Gap — AWS Says It's Your Problem

What Bedrock Guardrails Covers vs. What It Doesn't

The Threat Landscape

Threat Matrix: Henry Schein Workflows × Attack Types

Attack Research — What the Lab Says

Boundary Point Jailbreaking (UK AI Security Institute, Feb 2026)

Clinical Hallucination Risk at Scale

The Defense Blueprint — CaMeL + Defense-in-Depth

AgentDojo Benchmark Results

6-Layer Defense Stack

Regulatory Mandate

EU AI Act Enforcement Timeline

Financial Exposure

Engagement Model

The Bottom Line

Next Step

Sources & References

Securing Clinical AI
at Scale