Island Health enhances security and compliance of its public-facing digital careers AI chatbot

The Challenge: Island Health needed to ensure their career advisor chatbot, Shay, met compliance and brand safety standards through automated safety and security testing, reducing manual methods before public deployment.

Company Overview

Industry:
Healthcare
Location:
Vancouver Island, British Columbia
Company Size:
25,000+
Challenge:
Web chatbot deployment

Island Health achieved:

97%
reduction in testing time
99.6%
"success rate" in identifying vulnerabilities
<30
minutes to onboard non-experts
Table of Contents
Ready to stress test your GenAI application?

About

Island Health is a major healthcare provider in British Columbia, Canada, serving over 885,000 people across Vancouver Island and surrounding areas. With more than 30,000 staff, 2,000 physician partners, and 3,000 volunteers, Island Health operates a vast network of hospitals, clinics and healthcare centers, delivering comprehensive health services including community health, home care, and primary care.

Challenge

Island Health faced critical challenges in safeguarding the security, reliability, and reputation of Shay, their new AI-powered, public-facing career advisor chatbot."Our leaders consistently gave me feedback that their previous chatbot interactions felt cold and transactional...they wanted an experience that felt like talking to a real healthcare recruiter, and making a human-like connection as a first introduction to our organization," said Saini. These negative experiences with antiquated rule-based chatbots increased the urgency to deliver a chatbot that incorporated generative AI, felt personal to interact with, while adhering to strict healthcare guidelines.

The Island Health team wanted to have complete confidence that Shay would not attempt to provide medical advice or inadvertently respond with inappropriate or harmful responses. They aimed to maintain brand reputation and take a scalable approach to the adversarial testing of Shay. Their bar of excellence necessitated a thorough vulnerability check, which led them to shift their thinking from a manual, shallow approach to an intensive, automated approach.

Chatbots like Shay come with guardrails that are intended to prevent inappropriate and harmful responses, but the Island Health team understood that LLMs are not deterministic, and any chatbot that incorporates generative AI technology is prone to variable outputs or responses that could expose the Island Health brand to risk.

Initially, the team employed a manual red teaming approach, consisting of four members: two technical experts, a manager from the system development team, a non-technical project coordinator, and ebusiness partners. Throughout each iteration leading up to Shay's production version, the team invested significant time devising manual prompts and additional time executing these prompts during each iteration. They conducted hundreds of manual stress tests on Shay's chatbot interface. This method proved to be labor-intensive and inefficient, lacking the comprehensive and sophisticated attack objectives and techniques necessary for thorough testing.

For each iteration of Shay leading up to the production version, the team ran 100s of manual prompts on Shay's chatbot interface to stress-test it. This approach was laborious and inefficient, and did not incorporate wider and more elaborate attack objectives and methods. With the high frequency of new releases of Shay occurring twice weekly, the manual approach became too slow to effectively identify issues.

For instance, one version of their chatbot had a 13% error rate, which permitted inappropriate content to slip through. These inefficiencies prompted the team to seek an AI-automated red teaming tool to enhance their manual testing efforts and ensure security.

The Fuel iX Solution

Island Health soon discovered Fuel iX Fortify, an easy-to-learn, automated AI red teaming tool that can simulate thousands of real-world attacks per session to thoroughly test AI systems for vulnerabilities across multiple security dimensions.

They were drawn to Fortify’s intuitive interface, making red teaming accessible to both technical and non-technical users.

Fortify continues to provide:

  • Accelerated AI deployment while mitigating reputational and financial risks
  • Improved compliance with regulatory requirements
  • Significant time savings through AI-automated testing
  • Increased stakeholder confidence in GenAI applications
"Fortify's user interface is slick and very easy to understand," notes William McMillan, Application Coordinator at Island Health. "You can grasp all its features and functions in just about twenty minutes. The reporting features are incredibly useful too. I can easily filter and find failures in the results, and the whole question and response, along with the judge's answer for interpretation, are all in one view."

Results

Fortify significantly increased Island Health's ability to identify and rectify vulnerabilities in the Shay chatbot. By automating the testing process, Fortify enabled Island Health to conduct 1,034 tests in only one session, with only four flagged as questionable, resulting in a success rate of 99.6%.

Fortify also exposed the team to new attack patterns and nuanced ways of challenging the AI, which might not have been discovered through manual testing alone. As McMillan explains, “Fortify gave us a fast and reliable way to spot when a new build accidentally removed a guardrail or broke expected logic. It helped us quickly validate whether a core protection was still intact. If we saw a high failure rate compared to our baseline, we'd send it back to our development team to resolve before moving further with live testing.

McMillan emphasizes, "That's where I think the value is, especially when I look at a tool like this. In future instances or testing odd environments, I can say, 'Here's my standard 100 tests. If I get a failure rate of more than 1%, I'm sending it back to the vendor and saying, you gotta fix this before I test it again.' So the value the tool brought there was immense."

Fortify provided significant efficiency gains for Island Health, allowing them to run 650 prompts in just 30 minutes—a process that previously took 975 minutes, marking a 97% reduction in testing time. This scalability was essential for uncovering vulnerabilities that emerged when the AI was tasked with generating complex, layered responses or engaging in scenarios beyond its intended function. Previously, Island Health was limited to using only 100 prompts due to the constraints of manual testing.

For example, the "Discrimination by Protected Characteristics" attack category alone encompasses 19 objectives. When combined with 17 different methods, this results in 323 unique objective/method combinations, demonstrating the extensive range of testing possibilities that Fortify can achieve compared to manual approaches.

Impact

Without Fortify, Island Health risked:

  • Launching a chatbot that could give harmful or inappropriate responses
  • Ethical lapses leading to biased or harmful AI outputs
  • Delayed launch of the Shay chatbot

But with Fortify, Island Health was able to update and improve the Shay chatbot quickly and confidently, making it stronger and more reliable. The tool's automated AI red teaming helped find problems early, so the team could fix them before they became serious issues, like discriminatory comments that could harm the organization's reputation.

The automated AI red teaming covered a wide range of situations at massive scale, like giving medical advice, dealing with self-harm, and addressing sensitive social topics, making sure Shay followed strict healthcare rules.

Most importantly, leadership’s reluctance to launch a chatbot was replaced with confidence in Shay’s ability to be compliant, pleasant to interact with and safe for users. Additionally, Fortify helped to foster a culture of proactive security and compliance, encouraging continuous improvement and vigilance in AI deployments.

Ranjeet Saini
Ranjeet Saini
Director of Corporate Business Solutions
Island Health