Skip to main content

When Background Matters: Breaking Medical Vision Language Models by Transferable Attack

AuthorsAkash Ghosh et al.
Year2026
HF Upvotes3
arXiv2604.17318
PDFDownload
HF PageView on Hugging Face

Abstract

Vision-Language Models (VLMs) are increasingly used in clinical diagnostics, yet their robustness to adversarial attacks remains largely unexplored, posing serious risks. Existing medical attacks focus on secondary objectives such as model stealing or adversarial fine-tuning, while transferable attacks from natural images introduce visible distortions that clinicians can easily detect. To address this, we propose MedFocusLeak, a highly transferable black-box multimodal attack that induces incorrect yet clinically plausible diagnoses while keeping perturbations imperceptible. The method injects coordinated perturbations into non-diagnostic background regions and employs an attention distraction mechanism to shift the model's focus away from pathological areas. Extensive evaluations across six medical imaging modalities show that MedFocusLeak achieves state-of-the-art performance, generating misleading yet realistic diagnostic outputs across diverse VLMs. We further introduce a unified evaluation framework with novel metrics that jointly capture attack success and image fidelity, revealing a critical weakness in the reasoning capabilities of modern clinical VLMs.


Engineering Breakdown

Plain English

This paper introduces MedFocusLeak, a black-box adversarial attack specifically designed to fool Vision-Language Models (VLMs) used in clinical diagnostics. The attack generates imperceptible perturbations that cause models to output clinically plausible but incorrect diagnoses—meaning the wrong diagnosis looks realistic enough that it could pass a cursory review. Unlike prior work that either steals models or creates obviously corrupted images, MedFocusLeak achieves high transferability across different VLM architectures while remaining invisible to human inspection, representing a serious security vulnerability in deployed medical AI systems.

Core Technical Contribution

The core novelty is a coordinated perturbation injection strategy that combines two mechanisms: (1) targeting non-diagnostic background regions to minimize detection, and (2) an attention distraction mechanism that actively redirects the model's focus away from pathological areas. This is fundamentally different from previous adversarial medical attacks because it maintains clinical plausibility—the model doesn't output nonsense, it outputs a wrong diagnosis that fits within the realm of possible medical interpretations. The method achieves high black-box transferability, meaning an attacker without access to model weights can craft attacks using one VLM and successfully transfer them to other commercial VLMs. This combination of imperceptibility, clinical realism, and transferability had not been simultaneously achieved in prior medical adversarial attack research.

How It Works

The attack operates in a black-box setting where the attacker can query the VLM but cannot access gradients or model internals. First, the method identifies non-diagnostic background regions in medical images (e.g., the white space around an X-ray rather than the lung tissue itself) and injects carefully calibrated perturbations there. Simultaneously, an attention distraction mechanism computes which regions the VLM attends to during its prediction and applies additional perturbations to steer attention away from the actual pathological area. The perturbations are coordinated such that the multimodal fusion in the VLM (combining image and text understanding) produces a shifted diagnosis output. The attack iteratively refines perturbations through queries to maximize the model's confidence in the wrong diagnosis while keeping pixel-level changes imperceptible (measured by metrics like LPIPS or perceptual distance). Finally, the crafted adversarial image is transferred to other VLMs without retraining, exploiting the common decision boundaries across different architectures.

Production Impact

For teams deploying VLMs in clinical settings, this work reveals a critical threat model: an attacker can silently corrupt medical imaging without any visible artifacts, causing subtle but dangerous diagnostic errors. A production mitigation strategy would require multiple layers: input validation using adversarial robustness techniques (e.g., certified defenses), ensemble voting across independent VLM instances with diverse architectures to reduce transferability impact, and anomaly detection on model confidence scores and attention maps. The computational overhead would be moderate—running 3–5 independent VLM inferences instead of one, adding 3–5× latency cost—but this is justifiable in clinical contexts where diagnostic accuracy is life-critical. Organizations should also implement continuous monitoring of prediction uncertainty and flagging cases where background perturbations correlate with diagnosis changes, and conduct red-team audits with adversarial robustness benchmarks before production deployment.

Limitations and When Not to Use This

The paper assumes the attacker has query access to the target VLM, which may not always be realistic in fully air-gapped medical systems, limiting the practical scope of black-box attacks in some clinical deployments. The method's reliance on identifying 'non-diagnostic' regions requires domain knowledge or heuristics about medical image anatomy—this assumption may break down for complex multi-organ imaging or rare pathologies where the distinction is ambiguous. The paper does not explore defenses or quantify the robustness of certified defense mechanisms against MedFocusLeak, leaving open the question of how effective current adversarial training or randomization-based defenses would be. Additionally, clinical plausibility is evaluated computationally rather than with actual radiologist studies, so the real-world detectability of these attacks by expert clinicians remains unclear and could be overestimated.

Research Context

This work extends the adversarial robustness literature from generic vision tasks to the safety-critical domain of clinical AI, building on prior research in transferable adversarial attacks and multimodal adversarial perturbations. It differs from earlier medical adversarial attacks (which focused on stealing model weights or fine-tuning artifacts) by prioritizing imperceptibility and clinical realism as primary objectives. The paper contributes to the emerging field of VLM security, which has seen recent activity around prompt injection and jailbreaking but less focus on direct image-space attacks on medical systems. This work likely motivates future research into certified defenses for medical VLMs, robustness benchmarks for clinical deployment, and human-in-the-loop validation of VLM outputs in high-stakes medical settings.


:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::


Back to Research Lab → · Subscribe to AI Letters →

© 2026 EngineersOfAI. All rights reserved.