Let’s talk about something that’s happening right now in clinics and hospitals all across Canada, probably without anyone in the IT department or the C-suite even knowing about it.
Imagine a doctor at the end of a grueling 12-hour shift. She has a mountain of patient notes to write up. To save time, she opens up a public AI tool on her laptop—something like ChatGPT or Gemini—and pastes in her raw, anonymized notes. She asks it to "summarize this for a clinical chart." In seconds, she gets a perfectly structured summary. It’s a huge time-saver.
Seems harmless, right? A smart use of new technology to be more efficient.
But here's the thing: that simple, well-intentioned act is creating a massive, invisible risk that could blow up in our faces. It's a problem we in the insurance world are just starting to get our heads around, and it has a couple of spooky names: "Shadow AI" and "Silent Cyber."
So, What Exactly is 'Shadow AI'?
If you’ve been in the tech or insurance space for a while, you’ve probably heard of "Shadow IT." That’s when employees use software or hardware without the company's approval—think using a personal Dropbox account to share work files.
"Shadow AI" is the exact same idea, but for artificial intelligence.
It’s the quiet, under-the-radar use of public AI tools like ChatGPT, Claude, and Microsoft’s Copilot by doctors, nurses, and other healthcare staff. They’re using them to write clinical notes, translate discharge summaries for patients who speak another language, or even to quickly summarize a complex patient history.
They’re not trying to cause trouble. They’re just trying to do their jobs faster and better. But because these tools aren't approved, vetted, or controlled by the hospital's IT department, they're creating a digital blind spot. And in healthcare, blind spots are where disasters happen.
Why This is a Ticking Time Bomb for Healthcare
Okay, so people are using unapproved apps. What’s the big deal? Well, when you’re dealing with sensitive patient health information, the stakes are incredibly high. The risks here aren't just theoretical; they're very real.
A Patient Privacy Nightmare
When a doctor pastes patient information into a public AI tool, where does that data go?
Does it get stored on the AI company’s servers? Is it used to train the next version of their model? Can their employees see it? The answer is often a murky "maybe," and that’s a terrifying prospect. In Canada, this is a direct collision course with privacy laws like PIPEDA. You can't just upload sensitive health data to a third party without explicit consent and bulletproof security agreements.
Who's Liable When the AI Gets It Wrong?
These AI models are amazing, but they’re not perfect. They can "hallucinate" or make things up. They can misinterpret context or miss a subtle but critical detail in a patient's notes.
So, what happens if an AI-generated summary omits a key allergy, leading to a dangerous drug interaction? Who is at fault?
- Is it the doctor who used the tool?
- Is it the hospital for not having a clear policy?
- Is it the AI company that built the model?
This is a legal and liability minefield that we are completely unprepared for. It opens up a whole new world of potential malpractice claims that current insurance policies were never designed to handle.
And Here's Where It Gets Tricky for Us: The 'Silent Cyber' Problem
This brings us to the insurance side of the equation. This whole mess is a perfect example of a "silent cyber" threat.
Think of it like this: You have a standard home insurance policy. You assume you're covered for everything. Then a flood hits your neighborhood, your basement is underwater, and you find out your policy has a hidden exclusion for "groundwater damage." The risk was always there, but your policy was silent on the issue, leaving you exposed.
That’s what’s happening with cyber insurance and Shadow AI.
Most cyber liability policies were written to cover familiar threats: a hacker stealing a database, a ransomware attack locking up your systems, or an employee accidentally emailing a spreadsheet of patient data to the wrong person. They’re good at covering those things.
But do they cover a data breach that happens because a doctor fed information into ChatGPT? Do they cover a malpractice claim that stems from an AI’s error? The honest answer is: probably not. The policy language is often too ambiguous. It doesn't explicitly exclude these scenarios, but it certainly doesn't explicitly cover them either.
This silence is the problem. When a claim eventually happens—and it will—it's going to lead to a massive fight over what the policy was actually intended to cover. It’s a bad situation for the healthcare provider who thought they were protected, and it’s a bad situation for the insurer who is now facing a novel, un-priced risk.
It's Time to Stop Being Silent
We can’t just sit back and wait for the first major Shadow AI lawsuit to hit. We have to be proactive, and that goes for both healthcare providers and us in the insurance industry.
For Hospitals and Clinics:
The solution isn't to just ban all AI. That’s like trying to ban the internet; it’s not going to work. Staff will just find ways around it.
The smarter move is to bring AI out of the shadows and into a controlled environment. This means:
- Creating a Clear AI Policy: You need rules of the road. What tools are allowed? What data can be used? What are the procedures? Everyone needs to be on the same page.
- Providing Secure Tools: Instead of letting staff use public tools, hospitals should invest in secure, healthcare-specific, "walled-garden" AI solutions. These are tools where the data stays in-house and is protected by the hospital's security measures.
For Insurers and Brokers:
We have to start asking the tough questions. During the underwriting process for cyber insurance, we need to be asking our healthcare clients:
- "Do you have a formal policy on employee use of generative AI?"
- "Are you monitoring your networks for the use of public AI tools?"
- "What approved, secure AI tools do you provide to your staff?"
The answers to these questions will tell us a lot about an organization's true cyber risk profile.
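One concrete way to answer the "are you monitoring your networks" question, added here as an illustration that is not from the original post or any vendor product: a small Python script that reads proxy access logs and reports which users are sending data to public AI services. The log format, the host list in PUBLIC_AI_HOSTS and the SAMPLE_LOG lines are constructed assumptions for the example.

```python
"""Flag proxy-log requests to public generative-AI services (Shadow AI).

Added illustration, not part of the original post. The host list and the
log format below are assumptions chosen for the example.
"""
import re
from collections import defaultdict

# Assumed hostnames for the public tools the post names; extend per environment.
PUBLIC_AI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Assumed access-log layout: time user src_ip method url request_bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)

def ai_service_for(url):
    """Return the service name if the URL's host is a public AI tool, else None."""
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    for suffix, name in PUBLIC_AI_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def summarize_shadow_ai(lines):
    """Per user: request count, bytes uploaded via POST, and services touched."""
    report = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "services": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the report
        service = ai_service_for(m["url"])
        if service is None:
            continue
        entry = report[m["user"]]
        entry["requests"] += 1
        entry["services"].add(service)
        if m["method"] == "POST":  # uploads are where pasted notes would travel
            entry["bytes_out"] += int(m["bytes"])
    return {u: {**v, "services": sorted(v["services"])} for u, v in report.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T18:02:11Z dr.lee 10.1.4.22 POST https://chatgpt.com/backend-api/conversation 18342",
    "2024-05-01T18:02:15Z dr.lee 10.1.4.22 GET https://chatgpt.com/ 512",
    "2024-05-01T18:05:40Z nurse.k 10.1.4.30 POST https://claude.ai/api/organizations/x/chat 9020",
    "2024-05-01T18:06:02Z dr.lee 10.1.4.22 GET https://ehr.hospital.internal/patient/123 2048",
    "2024-05-01T18:07:30Z admin1 10.1.4.8 POST https://copilot.microsoft.com/c/api/conversations 4096",
]

if __name__ == "__main__":
    for user, info in summarize_shadow_ai(SAMPLE_LOG).items():
        print(user, info)
```

The bytes_out column is the number worth escalating: large POST volumes to these hosts are the signal that clinical text, not just a web page, is leaving the network.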
More importantly, we need to update our policy wordings. We need to move from "silent cyber" to "affirmative cyber." This means our policies need to be crystal clear. They should state exactly what is and isn't covered when it comes to AI-related incidents. It protects the client from nasty surprises, and it protects us from taking on risks we never intended to cover.
This whole situation with Shadow AI is a reminder that technology always moves faster than policy. It's happening now, in the background, driven by good people trying to do their jobs. But if we don't get ahead of it, this silent threat is going to get very, very loud.