Governing Trust in Health AI: A Qualitative Study of Cybersecurity Professionals Perspectives

This qualitative study reveals that cybersecurity professionals view health AI as a fragile, augmented clinical infrastructure where institutional trust is contingent upon visible governance and accountability rather than technical performance alone.

The Gist

The Big Picture: Who is Watching the Watchmen?

Imagine a hospital as a massive, high-tech spaceship. For a long time, we've been talking about the pilots (doctors) and the passengers (patients). We've asked: "Do the pilots trust the autopilot? Do the passengers feel safe?"

But this study asks a different question: "What do the engineers in the engine room think?"

The researchers interviewed cybersecurity professionals—the people who build the digital walls, guard the data, and keep the spaceship's computer systems from crashing. They wanted to know: When we put Artificial Intelligence (AI) into healthcare, do these security experts trust it? And how do they think we should govern it?

The Four Main Takeaways (The "Engine Room" Report)

Here are the four main things the security experts told the researchers, translated into everyday metaphors:

1. AI is a "Super-Powered Co-Pilot," Not a Replacement

The Metaphor: Imagine a GPS in a car. It can tell you the fastest route, warn you about traffic, and even suggest a detour. But you wouldn't let the GPS drive the car while you sleep, right? You still need a human hand on the wheel.

The Finding: The cybersecurity pros didn't see AI as a robot doctor that takes over. They see it as augmented infrastructure. It's a tool that helps doctors work faster and spot things they might miss (like a super-fast X-ray reader). However, they insist that a human must always be the "co-pilot" making the final decision. If the AI says "This looks like a broken bone," the doctor still has to look at the X-ray and say, "Yes, I agree."

2. The Digital House is "Leaky," and AI Makes the Leaks Bigger

The Metaphor: Imagine trying to build a fancy new glass extension onto an old house that already has cracked windows and a shaky foundation. If you add a high-tech glass wall (AI) to a house that is already falling apart (fragmented data systems), the whole thing becomes even more fragile.

The Finding: The experts said healthcare data is messy. It's stored in different places, in different formats, and often not very securely. AI needs huge amounts of data to work, which means it pulls from all these leaky pipes. The experts worry that because the foundation is weak, the AI might accidentally expose private patient info or get confused by bad data. They view data breaches not as "accidents" that might happen, but as events that will happen, so we need to be ready for them.

3. Trust is Like a "Slow-Brewing Tea," Not a Light Switch

The Metaphor: You don't trust a stranger with your house keys the moment you meet them. You trust them slowly, over time, as they prove they are honest and careful.

The Finding: The experts said you can't just flip a switch and say, "We trust this AI." Trust is contingent (it depends on things). It depends on:

• How the AI was trained (was it fed good data?).
• Whether humans are checking its work.
• How the hospital reacts when things go wrong.
  If a hospital is transparent and admits mistakes, trust grows. If they hide things, trust evaporates.

4. Security Guards are the "Trust Architects"

The Metaphor: Think of cybersecurity professionals not just as people who fix broken locks, but as architects of trust. If they build a strong, visible safety net, people feel safe jumping. If they are invisible or reactive, people are scared to jump.

The Finding: These experts see their job as more than just technical. They are responsible for "stewardship." This means:

• Security by Design: Building safety into the AI from day one, not taping it on later.
• Continuous Testing: Like checking a bridge for cracks every day, not just once a year.
• Education: Teaching doctors and admins that "digital safety" is just as important as "hand washing."

The Bottom Line: Why This Matters

The paper concludes that trust in Health AI isn't about how smart the computer is; it's about how responsible the hospital is.

If a hospital has a history of being careless with data, or if they treat security as an afterthought, patients and doctors won't trust the AI, no matter how "smart" it is. But if the hospital treats cybersecurity as a core part of patient care—like a nurse or a doctor—then trust can grow.

In short: We can't just build faster AI. We have to build safer, more honest hospitals to hold it. The security experts are the ones holding the blueprints for that trust.

Technical Summary

1. Problem Statement

The rapid integration of Artificial Intelligence (AI) into healthcare delivery has shifted the focus from purely technical performance to the broader question of institutional legitimacy and trust. While existing literature heavily scrutinizes the perspectives of clinicians and patients, there is a critical gap in understanding the role of cybersecurity professionals. These actors sustain the digital infrastructures that support health AI, yet their insights into how AI is conceptualized as clinical infrastructure, and how this shapes risk management and trust, remain underexplored.

The study addresses the following core problems:

• Infrastructural Fragility: Healthcare data systems are often fragmented, vulnerable, and historically inequitable. AI systems relying on large-scale data integration inherit and potentially amplify these weaknesses.
• The Trust Deficit: Public trust in healthcare is already strained by historical inequities and recent security breaches. The introduction of AI without robust governance risks further eroding confidence.
• Governance Gap: Current narratives often treat AI as an autonomous authority. There is a lack of understanding regarding how cybersecurity professionals view the necessity of human oversight and the "sociotechnical" embedding of AI within institutional workflows.

2. Methodology

The study employs a qualitative research design grounded in Sociotechnical Systems Theory and Institutional Trust Scholarship.

• Data Collection:
  • Participants: 20 cybersecurity professionals working in healthcare-relevant domains (e.g., network security, health informatics, data science, AI/ML).
  • Recruitment: Conducted via professional networks, LinkedIn outreach, and snowball sampling to access specialized roles not easily reached through conventional healthcare sampling.
  • Demographics: The cohort was predominantly Black or African American (80%), aged 25–34 (65%), and held master's or professional degrees (75%).
  • Procedure: Semi-structured, in-depth interviews (45–60 minutes) were conducted between May and August 2025.
• Data Analysis:
  • Technique: Qualitative content analysis using constant comparison.
  • Process: Two researchers independently coded transcripts using Dedoose software. Discrepancies were resolved through iterative discussion.
  • Rigor: Credibility was ensured through interdisciplinary collaboration, reflexive memoing, and the maintenance of an audit trail.
• Ethical Considerations: The study received IRB approval (Calvin University #25-002), and all participants provided informed consent.

3. Key Contributions

This paper makes three primary contributions to the field of Health AI and Cybersecurity:

1. Reframing AI as Infrastructure: It shifts the conceptualization of Health AI from an "autonomous decision-maker" to "augmented clinical infrastructure." This reframing emphasizes that AI is a tool that extends workflow capacity but remains dependent on human judgment and oversight.
2. The Role of Cybersecurity Stewardship: It identifies cybersecurity professionals not merely as technical enforcers but as institutional stewards whose governance decisions (security by design, breach response planning) are foundational to institutional trustworthiness.
3. Contingent Trust Model: It proposes that trust in Health AI is not binary (trusted/untrusted) but contingent and cumulative. Trust is built over time through visible accountability, transparency, and the demonstrated capacity to contain harm rather than just prevent it.

4. Key Results

The analysis revealed four interconnected thematic patterns:

Theme 1: AI as Augmented Clinical Infrastructure

• Participants rejected the notion of AI as an autonomous authority.
• AI is viewed as a tool for scaffolding clinical judgment (e.g., accelerating pattern recognition in imaging, streamlining documentation) rather than replacing it.
• Human-in-the-loop is non-negotiable; trust in AI outputs is conditional upon human review and professional responsibility.

Theme 2: Fragile Data Ecologies

• Healthcare data environments are described as fragmented and structurally vulnerable.
• AI intensifies existing risks by requiring large-scale data aggregation, which complicates de-identification and exposes inconsistencies in data storage formats.
• Breach Anticipation: Participants view data breaches not as rare anomalies but as anticipated events. Current governance often focuses on database protection but lacks adequate contingency planning for breach response.

Theme 3: Contingent Trust

• Trust in AI is partial and context-dependent. It relies on understanding the specific model, training data, and application context.
• Participants expressed skepticism regarding AI's ability to handle novel or complex conditions (e.g., "hallucinations," over/under-diagnosis) due to static training data.
• Trust is relational and iterative, built through consistent transparency and the demonstration of accountability over time.

Theme 4: Cybersecurity Stewardship and Governance

• Cybersecurity is framed as foundational infrastructure, not a discretionary cost center.
• Security by Design: Risk management must be embedded into the system design phase, not appended after failure.
• Continuous Oversight: Participants advocate for continuous penetration testing, layered safeguards (encryption, access control), and ongoing education for clinical stakeholders to translate technical risks into organizational practice.

5. Significance and Implications

• Institutional Accountability: The credibility of Health AI is inextricably linked to the governance practices of the deploying institution. In environments with histories of inequity, robust cybersecurity governance is a signal of institutional responsibility.
• Policy and Practice: The findings suggest that regulatory frameworks and institutional policies must move beyond technical performance metrics to evaluate risk management maturity and breach response capabilities.
• Responsible Innovation: The study supports the "responsible innovation" paradigm, arguing that cybersecurity stewardship is a collaborative effort involving clinical leadership, legal teams, and technical experts to manage risk proactively.
• Future Research: The authors call for longitudinal studies to track how professional views on oversight evolve and empirical research to measure the impact of cybersecurity stewardship on actual patient trust and engagement.

Conclusion:
The paper concludes that Health AI cannot be trusted solely on its technical merits. Its legitimacy is an institutional achievement derived from governance practices that demonstrate accountability, manage fragility, and maintain human oversight. Cybersecurity professionals are central to this process, acting as the guardians of the digital infrastructure that underpins modern healthcare trust.