
Eli Lilly’s security head on how AI helps, hurts cybersecurity

The trillion-dollar biopharma is balancing innovation with caution.


Caroline Catherman is a reporter at Healthcare Brew, where she focuses on major payers, health insurance developments, Medicare and Medicaid, policy, and health tech.


There’s an oft-repeated adage in healthcare right now: An AI model is only as good as the data it’s trained on.

This truth has turned patients’ health information into a hot commodity. Healthcare organizations are increasingly using it to build AI-fueled drug discovery models, digital twins, and clinical trial emulations.

Eli Lilly is one such company. The trillion-dollar biopharma not only has its own vast library of 500,000+ data points but is also collecting data from other biotech companies in exchange for allowing those companies to use its AI models.

But as the collection and use of patient health information grows, so does its risk of compromise. Around 57 million patients’ healthcare records were exposed in 2025, per a preliminary count by the HIPAA Journal.

Alongside patients’ personal information, healthcare giants also have to guard their intellectual property and trade secrets. It’s not always easy, particularly when considering that many healthcare leaders have decades’ or even a century’s worth of files, sometimes stored on outdated legacy technology.

So how do major healthcare innovators balance their ambition with caution and make sure their work is secure? Andrea Abell, chief information security officer (CISO) at Eli Lilly, sat down with Healthcare Brew at CES to discuss her role.

This interview has been lightly edited for length and clarity.

What is your day-to-day like in your job?

One of the things I love about cybersecurity is I wouldn’t say that I have a very normal day to day. We get to work across all of the aspects of Eli Lilly. I can go from one meeting where we are talking about drug discovery to another meeting talking about manufacturing, and then to another meeting where we’re talking about distribution.

We build in security by design for new things that we’re trying to implement…Legacy tech or tech debt, that’s actually the harder part of the job. Because of the threats that we have today, we have to be really creative and figure out how to make sure that an attacker can’t take advantage of technology that was never meant to withstand [modern threats].

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

How do you use or view AI when it comes to cybersecurity?

It’s really important that we understand AI and that we use it because it will help us the same way it helps attackers.

Think of the NCIS-type shows that you might like to watch. How they catch the bad guys is because they’ve found some fingerprint. Well, in cybersecurity, it’s very much like that, but we call them indicators of compromise. They could be IP addresses, or domain names, or they could be file names.

The Lilly ecosystem becomes a haystack where we have to search for these digital fingerprints. We can use AI to do that on repeat very quickly…much more quickly and efficiently than we could do with humans.

Do you get the sense that healthcare organizations are prioritizing cybersecurity more now than in the past?

It's tough. It’s a complex ecosystem. There’s a heavy regulatory burden, and I think that makes it complicated.

Security, initially, in some places, has taken a check-the-box approach, and I think that has allowed healthcare security to lag. But I think that’s changing, and you now have a pretty big gap between the companies that have changed and the ones that haven’t. And the ones that haven’t, it’s often not because they don’t want to but because they’re rural or community hospitals or they’re small to medium businesses, and security is expensive.

Unfortunately, a lot of those companies or hospitals are waiting for regulation to change. I think that’s where companies like Lilly, Amazon Web Services, and Microsoft—and agentic AI and some philosophical shifts like secure by default—are going to make a huge difference.

You may not be able to hire someone [to improve your cybersecurity], but you’ll be able to use an agent to do it.
