Medical large language models are susceptible to targeted misinformation attacks

Tianyu Han; Sven Nebelung; Firas Khader; Tianci Wang; Gustav Müller-Franzes; Christiane Kuhl; Sebastian Försch; Jens Kleesiek; Christoph Haarburger; Keno K. Bressem; Jakob Nikolas Kather; Daniel Truhn

doi:10.1038/s41746-024-01282-7

npj Digital Medicine (Oct 2024)

Medical large language models are susceptible to targeted misinformation attacks

Tianyu Han,
Sven Nebelung,
Firas Khader,
Tianci Wang,
Gustav Müller-Franzes,
Christiane Kuhl,
Sebastian Försch,
Jens Kleesiek,
Christoph Haarburger,
Keno K. Bressem,
Jakob Nikolas Kather,
Daniel Truhn

Affiliations

Tianyu Han: Department of Diagnostic and Interventional Radiology, University Hospital Aachen
Sven Nebelung: Department of Diagnostic and Interventional Radiology, University Hospital Aachen
Firas Khader: Department of Diagnostic and Interventional Radiology, University Hospital Aachen
Tianci Wang: Department of Diagnostic and Interventional Radiology, University Hospital Aachen
Gustav Müller-Franzes: Department of Diagnostic and Interventional Radiology, University Hospital Aachen
Christiane Kuhl: Department of Diagnostic and Interventional Radiology, University Hospital Aachen
Sebastian Försch: Institute of Pathology, University Medical Center of the Johannes Gutenberg-University
Jens Kleesiek: Institute for AI in Medicine, University Medicine Essen
Christoph Haarburger: Ocumeda GmbH
Keno K. Bressem: Department of Radiology, Charité - Universitätsmedizin Berlin, Corporate Member of Freie Universität Berlin and Humboldt Universität zu Berlin
Jakob Nikolas Kather: Else Kroener Fresenius Center for Digital Health (EKFZ), Technical University Dresden
Daniel Truhn: Department of Diagnostic and Interventional Radiology, University Hospital Aachen

DOI: https://doi.org/10.1038/s41746-024-01282-7
Journal volume & issue: Vol. 7, no. 1
pp. 1 – 9

Abstract

Read online

Abstract Large language models (LLMs) have broad medical knowledge and can reason about medical information across many domains, holding promising potential for diverse medical applications in the near future. In this study, we demonstrate a concerning vulnerability of LLMs in medicine. Through targeted manipulation of just 1.1% of the weights of the LLM, we can deliberately inject incorrect biomedical facts. The erroneous information is then propagated in the model’s output while maintaining performance on other biomedical tasks. We validate our findings in a set of 1025 incorrect biomedical facts. This peculiar susceptibility raises serious security and trustworthiness concerns for the application of LLMs in healthcare settings. It accentuates the need for robust protective measures, thorough verification mechanisms, and stringent management of access to these models, ensuring their reliable and safe use in medical practice.

Published in npj Digital Medicine

ISSN: 2398-6352 (Online)
Publisher: Nature Portfolio
Country of publisher: United Kingdom
LCC subjects: Medicine: Medicine (General): Computer applications to medicine. Medical informatics
Website: https://www.nature.com/npjdigitalmed/

About the journal