Visual and Structural Prompt Injection in Medical RAG Systems: A Comparative Robustness Analysis
8th International Congress on Human-Computer Interaction, Optimization and Robotic Applications, ICHORA 2026, Ankara, Türkiye, 21 - 23 Mayıs 2026, (Tam Metin Bildiri)
- Yayın Türü: Bildiri / Tam Metin Bildiri
- Doi Numarası: 10.1109/ichora69329.2026.11536987
- Basıldığı Şehir: Ankara
- Basıldığı Ülke: Türkiye
- Anahtar Kelimeler: Adversarial Robustness, Clinical Decision Support Systems, Healthcare AI Security, Indirect Prompt Injection, LLM Security, Medical RAG Systems, On-Premise LLMs, Visual Injection Attacks
- İstanbul Üniversitesi-Cerrahpaşa Adresli: Evet
Özet
The integration process of Large Language Models (LLM) into the healthcare ecosystem is demonstrating a shift from cloud-based systems towards local (on-premise) and opensource Retrieval-Augmented Generation (RAG) architectures due to data privacy regulations such as GDPR and HIPAA. However, these architectures harbor critical vulnerabilities against indirect prompt injection attacks that target parsing gaps in the document processing layer and manipulate model behavior. In this study, the resilience of 6 distinct local models, including Llama-3, Gemma-3, and Meditron, against visual and structural injection vectors has been quantitatively and qualitatively analyzed. Within the scope of the study, visual-semantic mismatch (white-text), micro-typography, and metadata manipulation techniques were tested on $\mathbf{1 0 0}$ original clinical discharge summaries generated via Google Gemini 2.5 Flash and dynamic prompt engineering. In the threat model, the objective was to have the model diagnose a false septic shock and prescribe meropenem, a high-risk antibiotic with no clinical indication, by suppressing a stable patient profile (context suppression). Analyses involving a total of 2,400 unique experimental steps revealed that standard RAG parsers failed to detect visual payloads hidden from human perception, and the models could be manipulated with an average Attack Success Rate (ASR) of 47.78 %. The most significant finding of the study is the security asymmetry between models. While the generalpurpose Gemma-3 model exhibited the highest vulnerability with 96.33 % ASR, the Meditron-7B model, trained specifically for the medical domain, demonstrated superior resistance with 8.67 % ASR. The results indicate that domain-specific training establishes a natural security shield (inherent robustness) against injection attacks. On the other hand, the use of general-purpose models in clinical decision support processes without visual sanitization mechanisms poses serious risks in terms of patient safety.