MedFocusLeak Attack: Background Region Adversarial Attack Against Medical Vision-Language Models

This article introduces the MedFocusLeak attack proposed in an ACL 2026 oral presentation paper—a transferable black-box multimodal adversarial attack method. By injecting tiny perturbations into non-diagnostic background regions of medical images, this attack misleads medical vision-language models (MedVLMs) into making incorrect diagnoses, revealing the security vulnerabilities of medical AI at the attention mechanism level.

Medical vision-language models (MedVLMs) can understand both medical images and clinical text simultaneously, showing great potential in tasks like radiology image analysis and pathological slide interpretation. However, while traditional wisdom holds that the key to diagnosis lies in lesion areas, recent studies have found that models are far more sensitive to background regions than expected, opening up new attack surfaces for adversarial attacks.

Attack Design Idea

Select non-diagnostic background regions (e.g., peripheral healthy tissue, device artifact areas) to inject tiny perturbations that are barely perceptible to the human eye.

Attention Transfer Mechanism

Generate specific perturbation patterns via optimization algorithms to induce the model's attention to shift from the lesion to the tampered background region, leading to incorrect diagnoses.

Black-box Transferability

No need for internal parameters of the target model; adversarial samples are trained only through input-output behavior, and are effective for MedVLMs with similar architectures, allowing large-scale replication.

Attack Success Rate

The attack success rate on standard test sets is extremely high; even models hardened by adversarial training are vulnerable, and existing defenses are ineffective against background perturbations.

Concealment Analysis

Perturbations are concentrated in non-diagnostic areas and have small magnitudes; professional doctors can hardly distinguish between original and attacked images in blind tests, which easily leads to incorrect diagnoses entering clinical workflows.

Cross-model Transfer

Adversarial samples generated for open-source MedVLMs still maintain a high success rate on closed-source commercial APIs, indicating that models share attention biases.

Attention Mechanism as a Double-edged Sword

The attention mechanism focuses on key areas but is easily manipulated; attention robustness needs to be considered instead of just output accuracy.

Background Regions Cannot Be Ignored

Traditionally, focus has been on lesion detection; MedFocusLeak proves that background regions affect model decisions, so full-image security needs to be included in training and evaluation.

New Direction for Adversarial Training

Existing defenses target pixel-level perturbations; we need to focus on semantic-level attacks (misleading the model's way of understanding) and develop defense methods against attention manipulation.

1. Multi-model Integration Verification: Use multiple independent models to analyze the same image, compare attention heatmaps and diagnostic conclusions to detect abnormal shifts.
2. Attention Supervision Learning: During training, introduce attention consistency constraints to ensure the model's attention aligns with medical priors (e.g., focusing on anatomy-related areas).
3. Input Preprocessing Hardening: Develop a preprocessing pipeline to detect and eliminate background perturbations, filtering adversarial modifications without affecting diagnostic information.

ACL 2026 selected this research for an oral presentation, reflecting the academic community's emphasis on medical AI security. As MedVLMs enter clinical practice, security becomes a key factor in product success or failure. This study promotes the establishment of strict security testing standards in the industry, urges developers to balance accuracy with robustness and trustworthiness, and helps medical AI gain the trust of doctors and patients.