
HSCC Issues Guidance for Healthcare Organizations on Managing Third Party AI Risks

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has issued a guidance document for healthcare organizations on managing third-party AI and AI-related supply chain risks. Healthcare organizations are increasingly reliant on AI-powered third-party tools and services, such as natural language processing engines embedded in electronic health records and AI-powered remote patient monitoring devices. These products provide critical functions for healthcare organizations, yet they introduce complex cybersecurity challenges that traditional risk management tools and models struggle to address.

Managing that risk is difficult because AI tools are supplied by third-party vendors whose security postures, governance practices, and model integrity are hard to verify. Healthcare organizations also often lack visibility into the full scope of the AI components incorporated into third-party products and services, since those components are frequently sourced through layered supply chains involving subcontractors, offshore development, and open source assets, according to HSCC co-leads Ed Gaudet (Censinet) and Samantha Jacques (McLaren Health).

The HSCC Cybersecurity Working Group developed the 109-page guide – Health Industry Third Party AI Risk and Supply Chain Transparency Guide – to help healthcare organizations understand and manage third-party AI supply chain risks. The guide draws on established frameworks such as the NIST AI Risk Management Framework and the joint HSCC-HHS Health Industry Cybersecurity Practices (HICP), and adapts cybersecurity best practices to reflect the modern realities of AI supply chains in healthcare. It is intended to meet the needs of organizations of all sizes, regardless of their level of AI adoption: the guide can be followed in its entirety, or organizations can adopt only the parts that fit their environment. Either way, it is designed to help them define accountability expectations and drive performance standards across their extended AI ecosystem.

The guide provides risk managers, compliance teams, and procurement officers with scalable tools to identify and manage AI-specific risks such as hidden dependencies and cascading failure points, and to address the growing gaps in discovery and disclosure processes that make AI supply chain risk so challenging to manage. HSCC encourages healthcare organizations to distribute the guidance to senior business and technical leaders and their teams, recommending that they incorporate the best practices in the guide and evaluate their own third-party and supply chain risk management practices against those outlined in the document.

In addition to the guide, HSCC has published a living AI Cyber Glossary reference document that establishes consistent, governance-ready definitions of artificial intelligence terminology for the healthcare sector. The AI Cyber Glossary is intended to serve as the terminological foundation for all current and future HSCC AI Task Group guidance materials.


Author: Steve Alder, editor-in-chief of The HIPAA Journal. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
