The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has released a comprehensive guidance document aimed at helping healthcare organizations manage the growing risks associated with third-party artificial intelligence (AI) tools and supply chains. As healthcare systems increasingly adopt AI-powered technologies – from natural language processing within electronic health records to remote patient monitoring devices – the need for robust cybersecurity frameworks has become more critical than ever.

The newly issued Health Industry Third Party AI Risk and Supply Chain Transparency Guide addresses the unique challenges posed by AI-driven ecosystems, where traditional risk management approaches often fall short. These technologies, while essential to modern healthcare delivery, introduce complex vulnerabilities due to their reliance on external vendors and layered supply chains.

Ed Gaudet, CEO of Censinet, and Samantha Jacques of McLaren Health, co-leads of the HSCC initiative, emphasized that managing AI-related risks is particularly difficult because organizations often lack visibility into vendor security practices, governance standards, and the integrity of AI models. The use of subcontractors, offshore development teams, and open-source components further complicates risk assessment, creating blind spots across the supply chain.

To address these challenges, the HSCC Cybersecurity Working Group developed the 109-page guide to provide a structured and scalable approach for identifying and mitigating AI-specific risks. The framework draws on established standards such as the NIST AI Risk Management Framework and the Health Industry Cybersecurity Practices (HICP), adapting them to the evolving realities of AI adoption in healthcare environments.

The guide is designed to be flexible, allowing organizations of all sizes and levels of AI maturity to adopt its recommendations either in full or selectively. It enables healthcare providers to define accountability, establish governance expectations, and drive consistent performance standards across their extended AI ecosystems.

A key focus of the guidance is addressing risks unique to AI, including hidden dependencies, opaque supply chain relationships, and cascading failure points that can disrupt operations or expose sensitive patient data. The document also highlights gaps in discovery and disclosure processes, which often make it difficult for organizations to fully understand the components and risks embedded within third-party AI solutions.

HSCC is encouraging healthcare organizations to share the guidance with senior leadership, risk management teams, compliance officers, and procurement professionals. By aligning internal practices with the recommended best practices, organizations can strengthen their third-party risk management strategies and improve overall cybersecurity posture.

In addition to the guide, HSCC has introduced a living AI Cyber Glossary designed to standardize terminology across the healthcare sector. This resource aims to support consistent governance and serve as a foundational reference for future AI-related cybersecurity initiatives led by the council.

As AI continues to transform healthcare delivery, the HSCC’s latest guidance underscores the importance of transparency, accountability, and proactive risk management in safeguarding increasingly complex digital supply chains.
