HSCC releases 109-page guide to help healthcare organizations manage AI vendor cyber risk

The Health Sector Coordinating Council released a 109-page guide Wednesday to help healthcare organizations manage security risks from third-party AI vendors. It covers procurement through deinstallation, contract terms, and staff training.

Categorized in: AI News Healthcare
Published on: Apr 18, 2026
Healthcare Organizations Get Framework to Manage AI Vendor Risks

The Health Sector Coordinating Council released guidance Wednesday to help healthcare and public health organizations manage security risks from third-party AI vendors. The 109-page guide addresses a growing problem: AI is now embedded in critical healthcare systems, from remote patient monitoring tools to electronic health records with natural language processing engines, but many organizations lack visibility into how vendors secure these systems.

Healthcare organizations struggle to verify third-party security practices, data governance, and model integrity across complex supply chains that often include subcontractors, offshore developers, and open-source technology. "We can't protect what we don't know," said Rob Suarez, vice president and CISO at CareFirst BlueCross BlueShield. Healthcare organizations need clear answers about what AI vendors are doing with patient health information and how they manage associated risks.

Who Can Use This Guide

The guidance is designed for organizations at any stage of AI adoption in healthcare. CISOs and security teams can implement the tactical governance and compliance practices outlined. Compliance teams can reference recommended business associate agreement language specific to AI. Legal and supply chain teams have access to AI contract terms. Training teams can use the included curriculum to educate staff.

The guide covers the entire lifecycle: procurement, implementation, and deinstallation at end of life. Samantha Jacques, vice president of clinical engineering at McLaren Health and vice chair of the HSCC cybersecurity working group, said organizations can adopt pieces of the guidance or use the entire process.

What the Guide Covers

The framework addresses patching, legacy product concerns, and other technical issues specific to AI systems in healthcare. It draws from established frameworks including the National Institute of Standards and Technology's AI Risk Management Framework and the Health Industry Cybersecurity Practices developed by HSCC and the U.S. Department of Health and Human Services.

HSCC also published a companion glossary of AI cybersecurity terminology and definitions. The glossary helps clinical, operational, compliance, and technical staff understand consistent language across healthcare AI resources.

The Scale of the Challenge

The vast majority of healthcare organizations have already partnered with third parties to design and implement AI solutions. Healthcare vendors are moving quickly to deploy AI capabilities, but the industry is still in early stages of understanding the security implications.
