Using Agentic AI to Scale Threat Detection in Healthcare

For every human in a healthcare organization, there are 82 machine identities—service accounts, API keys, cloud functions, medical devices.² That's the 82:1 ratio, and it means your team is fundamentally outnumbered. The Change Healthcare breach in 2024, which started with one unprotected Citrix credential and disrupted 40% of US claims processing,¹ showed exactly what happens when that ratio goes unmanaged. The numbers back this up: According to BlueVoyant's State of Supply Chain Defense 2025 report, 87% of healthcare organizations were impacted by third-party breaches last year, and 36% cannot detect threats in their vendors.³ Change Healthcare wasn't in that 87%—it caused it. One vendor, 15 billion transactions a year, $872 million in Q1 2024 losses, and 100 million Americans' data potentially exposed.⁴ Most affected organizations had zero visibility into Change Healthcare's security posture. I've been using agentic AI to bridge the detection gap. Here's how it works, and why you still can't trust it blindly.

The Detection Window

BlackCat was inside Change Healthcare's network for nine days before deploying ransomware.¹ Nine days in a healthcare environment means nine days of potential access to patient records, claims data, and clinical systems. Nine days where lateral movement could reach connected hospital networks, pharmacy systems, and insurance platforms. Change Healthcare processed 15 billion transactions a year—every hour of undetected access expanded the blast radius. The TTPs weren't exotic—Citrix remote access, credential harvesting, lateral movement, registry persistence.⁵ All detectable. The CISA advisory on BlackCat had been public since December 2023, two months before the breach.⁵ The detection logic existed. The indicators were known. The gap wasn't intelligence—it was implementation speed. The question is: how fast can you turn a threat report into a detection rule? The bottleneck isn't detection logic—it's the syntax struggle. Taking a multi-page threat report and turning it into actionable KQL takes hours. An agentic workflow (I use Claude Opus 4.6 and Gemini 3.1) compresses that to minutes, sometimes seconds.

The Workflow: Threat Intel to KQL

The input: The CISA BlackCat/ALPHV advisory—the same TTPs used at Change Healthcare—describing registry persistence via a BlackCatUpdate key. The output: A KQL query ready for Microsoft Sentinel or Defender.
Here's what the AI generates:

// AI-Generated Detection: BlackCat Registry Persistence
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "Run"
| where RegistryValueData contains ".exe"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc

Syntactically correct. Targets Run key persistence. Ships in 5 seconds. And it will bury you in false positives.

The Catch: Why You Can't Ship This

Look at line 4:

| where RegistryKey contains "Run"

This matches:

• HKLM\...\CurrentVersion\Run (intended)
• HKLM\...\CurrentVersion\RunOnce (intended)
• HKLM\SOFTWARE\Veeam\Backup\RuntimeOptions (your backup software)
• HKLM\SOFTWARE\Epic\Hyperspace\RuntimeConfig (your EHR)

In a hospital environment, this query returns thousands of hits from legitimate applications. The AI doesn't know your environment. It can't.

The Fix: Human-Tuned Query

// BlackCat Registry Persistence - Tuned for Healthcare
let TrustedPublishers = dynamic(["Veeam", "Epic Systems", "Philips", "CrowdStrike"]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey matches regex @"\\CurrentVersion\\Run(Once|Services)?\s*$"
| where RegistryValueName contains "Update" or RegistryValueName contains "Sync"
| extend Publisher = extract(@"^.+\\([^\\]+)\.exe", 1, RegistryValueData)
| where Publisher !in (TrustedPublishers)
| where RegistryValueData !startswith @"C:\Program Files"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, Publisher
| order by Timestamp desc

Three additions:

1. Regex scope — Matches actual Run keys, not partial strings
2. Trusted publishers — Excludes known-good software in your environment
3. Path filtering — Ignores standard installation directories
   The AI saved hours of writing. I spent minutes validating. That's the force multiplier.

The Harder Lesson: Hallucinated Analysis

After Change Healthcare, everyone was hunting for BlackCat indicators. I ran threat hunts across our environment and fed the results to an AI for analysis. It came back confident: multiple entries flagged as malicious, specific file paths called out as suspicious, process names correlated to known BlackCat TTPs. The output was detailed, well-structured, and completely wrong. 

I didn't trust it. Something felt off—the correlations were too clean, the confidence too high for findings that didn't match what I knew about our environment. So I didn't escalate. I sat with the output and started validating manually. About an hour later, I confirmed every flag was a false positive. A scheduled task that ran at an odd hour. A service account name that loosely matched a known-bad pattern. A file path that looked anomalous but was standard for an EHR configuration.

The agent had pattern-matched on superficial features—naming conventions, execution timing, path structures—without understanding our baseline. It didn't know what "normal" looked like in our environment because it had never seen our environment. It saw signals where there was only noise. The data was clean. The AI hallucinated the threat. And if I had trusted it, we would have burned hours of analyst time, leadership attention, and organizational trust chasing ghosts. The irony? UnitedHealth paid $22 million in ransom,⁶ and the attackers still leaked the data.⁷ Blind trust fails at every level—whether you're trusting a vendor's security posture or trusting an AI's threat analysis.

The Takeaway

Change Healthcare proved that one weak link can take down the ecosystem. The 82:1 ratio means there are 82 potential weak links for every human watching them. In healthcare, those machine identities are connected to systems that schedule surgeries, dispense medication, process insurance claims, and store the most sensitive data a person has. The stakes aren't abstract. 

Agentic AI gives you the power of a thousand analysts—but it still requires the wisdom of one professional to hit "Go."

Use it to:

• Convert threat intel to detection logic fast
• Draft queries you would have written anyway
• Skip the syntax struggle
• Accelerate triage when a new advisory drops and the clock is ticking

Don't use it to:

• Validate your own results
• Make escalation decisions
• Replace environmental knowledge
• Bypass the review process because the output "looks right"

If you're a healthcare CISO or security leader, the lesson from Change Healthcare isn't just "patch your Citrix." It's that the detection gap between threat intelligence published and threat intelligence operationalized is where attackers live. Agentic AI shrinks that gap from days to minutes. But the output still needs a human who knows what normal looks like in your environment, who understands the clinical workflows behind the telemetry, and who can tell the difference between a real threat and a confident hallucination. AI is how we scale. But the human in the loop isn't optional—it's the difference between a force multiplier and a faster way to fail.

References

1. UnitedHealth CEO Andrew Witty, testimony before US Senate Finance Committee and House Energy & Commerce Committee, May 2024. Confirmed Citrix portal without MFA as initial access vector; nine days dwell time before ransomware deployment. (Senate hearing)
2. CyberArk, "2025 Identity Security Landscape Report," April 2025. Survey of 2,600 cybersecurity decision-makers across 20 countries. (Report)
3. BlueVoyant, "State of Supply Chain Defense 2025," 6th annual report. Survey of 1,800 C-suite IT/security leaders. (Report)
4. UnitedHealth Group Q1 2024 earnings; HHS OCR breach notification, October 2024. (HHS Breach Portal)
5. CISA Advisory AA23-353A, "ALPHV Blackcat Ransomware," December 19, 2023 (updated February 27, 2024). (Advisory)
6. UnitedHealth confirmed $22 million ransom payment, April 2024.
7. Data posted to RansomHub following ALPHV affiliate dispute, April 2024.

Frequently Asked Questions

How did the Change Healthcare breach happen?

The Change Healthcare breach began with a compromised Citrix remote access portal that lacked multi-factor authentication (MFA). Attackers using BlackCat/ALPHV ransomware accessed the network through stolen credentials, then moved laterally for nine days before deploying ransomware. UnitedHealth CEO Andrew Witty confirmed these details in May 2024 testimony before the US Senate Finance Committee.

What is the 82:1 machine identity ratio in healthcare?

According to CyberArk's 2025 Identity Security Landscape Report, there are 82 machine identities for every human identity in a healthcare organization. Machine identities include service accounts, API keys, cloud functions, and connected medical devices. This ratio means security teams are fundamentally outnumbered by the number of non-human credentials they need to monitor.

Can AI generate threat detection rules?

Yes, agentic AI can generate syntactically correct detection rules (such as KQL queries for Microsoft Sentinel) from threat intelligence reports in seconds. However, AI-generated rules typically require human tuning to reduce false positives, because the AI lacks context about what "normal" looks like in a specific environment. The AI accelerates the drafting step but does not replace the validation step.

What are the risks of using AI for threat analysis?

The primary risk is hallucinated analysis, where AI pattern-matches on superficial features like naming conventions or execution timing and flags legitimate activity as malicious. In healthcare environments with complex EHR configurations and specialized software, this can produce false positives that waste analyst time and erode organizational trust if escalated without manual validation.