The Health Sector Coordinating Council Cybersecurity Working Group has issued a 109-page guidance document to assist healthcare organizations in managing risks associated with third-party artificial intelligence tools and AI-related supply chains.
Guidance Scope And Purpose
The document, titled Health Industry Third-Party AI Risk and Supply Chain Transparency Guide, addresses the growing reliance of healthcare organizations on AI-powered third-party tools and services. These tools include natural language processing engines embedded in electronic health records and AI-powered remote monitoring gadgets. These technologies perform operational functions within healthcare environments while introducing cybersecurity challenges that differ from traditional risk management models.
The guidance is intended to support healthcare organizations in identifying and managing risks associated with third-party AI systems and their supply chains. It has been developed for organizations of all sizes and levels of AI adoption. Organizations may implement the full framework or adopt selected components based on their operational requirements.
Third Party AI Risk Factors
Healthcare organizations face difficulty managing AI-related risk due to limited visibility into vendor security practices, governance structures, and model integrity. Third-party vendors provide many AI tools, and verification of their internal controls presents operational challenges.
The guidance identifies limited transparency into AI components as a risk factor. AI tools are often composed of multiple elements provided by layered supply chains, including subcontractors, open source assets, and offshore development groups. This structure creates conditions where healthcare organizations do not have full awareness of the components integrated into third-party products and services.
Hidden dependencies and cascading failure points are identified as AI-specific risks. These risks are associated with the complexity of interconnected systems and the potential for disruption across multiple components within a supply chain.
Framework Alignment And Design
The guidance document incorporates established cybersecurity frameworks, including the NIST AI Risk Management Framework and the joint Health Industry Cybersecurity Practices developed by HSCC and HHS. The document adapts these frameworks to address the characteristics of AI supply chains in healthcare environments.
The structure of the guidance provides tools that support risk managers, compliance teams, and procurement officers in evaluating AI-related risks. These tools are designed to scale across organizations with varying levels of resources and technical capability.
The document also supports the definition of accountability expectations across the extended AI ecosystem. It is structured to support the establishment of performance standards within third-party relationships and supply chain interactions.
Operational Recommendations
The Health Sector Coordinating Council recommends that healthcare organizations distribute the guidance to senior business leaders, technical leadership, and operational teams. Organizations are advised to incorporate the practices outlined in the document into their existing third-party and supply chain risk management processes.
Healthcare organizations are also directed to evaluate their current risk management practices against the approaches outlined in the guidance. This evaluation supports identification of gaps in discovery and disclosure processes related to AI systems. Any improvements in current practices need to be included in updated HIPAA training programs.
AI Cyber Glossary Resource
In addition to the primary guidance document, the Health Sector Coordinating Council has released an AI Cyber Glossary. This reference document provides standardized definitions for artificial intelligence terminology within the healthcare sector.
The glossary is intended to support consistent governance and serves as a reference point for current and future materials developed by the HSCC AI Task Group.