HSCC releases AI cybersecurity governance guide for health sector providers

The Health Sector Coordinating Council released a framework this week to help hospitals govern AI systems, covering risks from model drift to data poisoning. It addresses machine learning, generative AI, and autonomous AI tools separately.

Published on: Jun 04, 2026

Healthcare Cybersecurity Framework Tackles Distinct AI Risks

The Health Sector Coordinating Council released a new guide this week to help hospitals and health systems govern artificial intelligence implementations without relying solely on regulatory requirements.

The "Health Industry AI Cybersecurity Governance Framework Implementation Guide" serves as both a how-to manual and an incident response playbook for healthcare AI deployments. The HSCC's Cybersecurity Working Group designed it to address governance challenges specific to AI systems, from model drift to data poisoning and adversarial attacks.

What the guide covers

The framework addresses three distinct AI technology categories: traditional machine learning models, generative AI, and agentic AI systems capable of autonomous actions. Each category presents different cyber-risk issues requiring oversight and controls.

The guide includes:

  • A five-level AI autonomy framework adapted for healthcare contexts
  • Supply chain and concentration risk analysis
  • Operational resilience strategies for AI-dependent clinical workflows
  • Nonhuman identity management protocols
  • Patient engagement and transparency requirements
  • Liability and insurance considerations
  • Governance requirements for research AI

It also provides baseline requirements, strongly recommended practices, optional enhancements, and templates like "The Board AI Risk Reporting Template."

Why healthcare organizations need this now

Healthcare providers are adopting AI across clinical and operational use cases at scale. Many care teams want to build their own AI tools but lack the cybersecurity expertise to identify security flaws.

John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, said the guide's "secure-by-design and implementation recommendations will help mitigate unintended cybersecurity risk and consequences of AI use in healthcare."

Part of a larger effort

This guide complements the "Health Industry Third-Party AI Risk and Supply Chain Transparency Guide," released by HSCC in April. Both publications should be used together to address the full scope of AI governance.

The HSCC's five-year strategic plan aims to upgrade the diagnosis of healthcare cybersecurity from "critical" to "stable condition" by 2029 to reduce patient safety risks.

Chris Tyberg, CWG vice chair and chief information security officer for Abbott, said when the plan launched in 2024: "We are calling on all health industry stakeholders to join us in this imperative for the benefit of patients and the overall health of the sector."

