Articles

How Should a Healthcare Board Address Deepfake and Voice Fraud Risk?

July 6, 2026
Author
Dallin Grimm
Healthcare Strategy Principal
How should a healthcare board address deepfake and voice fraud risk-6950031

Your board wants to know two things: could a breach land on the front page, and could it land on us. In healthcare, voice- and video-channel risk has to be framed in those terms or it won’t get the attention it now deserves.

The AMA just made that easier. In April 2026, the American Medical Association called for formal protections against deepfake impersonation of physicians, warning that synthetic audio and video can mislead patients, influence clinical decisions, and erode trust in care delivery. When the largest physician organization in the country elevates an issue to board level, the framing has already changed.

Here’s how to walk into that room.

Marketing

The short version: Boards are now personally accountable for identity failures, and voice and video channels are the exposure most healthcare organizations haven’t closed.

AI-driven fraud in these channels surged 1,337% in 2025, the average healthcare breach costs $7.42M, and the underlying controls most organizations rely on weren’t built for synthetic callers or deepfake video.

The control exists, it’s deployable now, and the decision in front of the board is whether to keep carrying that risk.

Why are boards now personally accountable for identity failures?

Regulators and boards now hold security and executive leaders personally accountable when identity failures result in breached PHI or financial loss.1 Boards used to treat identity controls as an operational detail. That’s over.

When a synthetic caller talks a member services agent into a credential reset and PHI walks out the door, the questions in the room will be “which control failed” AND “who owned this?”
That reframing is why voice and video belong on the agenda. The risk is strategic, financial, and reputational, sitting in channels many healthcare identity programs never instrumented.

What three numbers should you bring to the board?

Bring three figures that hold up to scrutiny: the cost of a single breach event, the scale of current regulatory pressure, and the growth curve of AI-driven attacks.

1.

The cost of a single event.

The average healthcare data breach runs $7.42M, the highest of any industry for the 12th consecutive year. That’s the price tag of one bad day, before reputational fallout, regulatory penalties, and subsequent scrutiny.

2.

The regulatory pressure.

CMS suspended $5.7B in suspected fraud payments in 2025 under the CRUSH initiative. The agencies your board answers to are pushing a shift from “pay and chase” to proactive detection. Identity assurance in real time is a critical area where proactive defenses can have a significant impact.

3.

The growth curve.

Pindrop research found a 1,337% year-over-year surge in deepfake attacks. At some major healthcare organizations, bots now account for more than half of all fraud. One percent of all enterprise calls are non-human. The democratization of generative AI tools has made it easier than ever for bad actors to scale attacks.

How do voice and video channels actually expose healthcare organizations?

Voice and video are exposed reconnaissance surfaces for downstream ransomware, billing fraud, and digital breaches, and most healthcare identity programs were never instrumented to detect them.

The attack surface is well-documented:

IVR systems are a bot reconnaissance target

Bots probe IVR systems to validate member accounts and harvest detail. Synthetic callers social-engineer an agent or help desk into the access that follows. In healthcare, one call into member services can hand over enough PHI and PII to reroute claim payments, drain an HSA, or pivot into the provider portal. One synthetic caller, one credential reset, one successful help desk call is sometimes all it takes.

Video runs the same playbook, scaled with AI

Deepfake candidates in remote clinical hiring, executive impersonation in finance and approvals workflows, etc. In a Gartner survey, 41% of organizations had experienced an attack involving a deepfake and social engineering on an audio call to an employee, and 35% had seen the same on a video call.2

Existing authentication wasn’t built for synthetic threats

Many organizations fail to detect these attacks because they already have authentication methods in place. Unfortunately, it’s the wrong kind. Sixty percent of organizations report fraudsters using stolen PII to bypass KBA, and on average fraudsters bypass KBA more than 50% of the time and pass OTP challenges around 25% of the time. Breached PII has made scripted verification unreliable, and humans aren’t a backstop: people identify AI-generated audio and video correctly only about 50% of the time.

The summary for the board is short: voice and video interactions expose PHI and account access in healthcare because the underlying controls weren’t designed for synthetic, bot-driven, or deepfake actors.

What does a defensible voice and video security control look like?

A defensible control answers three questions on every interaction before trust is extended and before PHI changes hands: Is this a machine? Is this a bad actor? Is this the right human? That’s the control story you can put in front of a regulator: every call and every video meeting assessed in real time, with a documented record of how callers were verified as real and authorized, or flagged as a risk.

The Pindrop platform brings continuous identity verification to voice and video, answering these three questions on every interaction before trust is extended and before PHI changes hands.

Pindrop technology detects synthetic and bot-driven callers in about 2 seconds at 99% accuracy with under a 1% false positive rate.3 The Pindrop platform also extends the same continuous verification to video, catching real-time deepfake impersonation in clinical, executive, and hiring workflows.

The point for the board is that with the right tools, “we can demonstrate identity assurance on the phone and in video meetings.”

What’s the board’s decision, exactly?

The decision is whether to keep accepting unmanaged identity risk on PHI-bearing voice and video interactions, or to close it. Every quarter the board defers is a quarter where attackers increasingly use AI to target vulnerable voice and video channel workflows. The exposure is quantifiable. The regulatory trend is moving toward enforcement. The control is deployable now.

Want to pressure-test the pitch?

Talk to a real human at Pindrop. We’ll walk through where your voice and video channels are exposed today, what peer healthcare organizations are doing about it, and how to frame the ask so executives sign off.

Citations and sources

1Gartner, “Top Trends in Cybersecurity for 2026,” G00840672, January 2026.
2Gartner, “How to Respond to the 2026-2027 Threat Landscape,” May 2026.2Pindrop, internal dataset and testing analysis, as of May 2026.
3Pindrop, internal dataset and testing analysis, as of May 2026.

Digital trust isn’t
optional—it’s essential

Take the first step toward a safer, more secure future for your business.