With the increasing integration of artificial intelligence into software and devices across the healthcare sector, new and complex cyber risks have emerged. In response to these challenges, the Health Sector Coordinating Council (HSCC) has released a comprehensive guide aimed at assisting healthcare organizations and public health sectors in addressing the cybersecurity concerns associated with third-party AI vendors.

This release comes at a crucial time as the healthcare sector finds itself heavily relying on AI for various critical functions, including AI-enabled remote patient monitoring and electronic health record systems equipped with natural language processing capabilities. However, according to the HSCC, overseeing third-party security, data governance practices, and ensuring model integrity has proven to be a daunting task.

The depth of vulnerability increases significantly, attributed to the intricate and multilayered nature of healthcare supply chains. These supply chains often encompass subcontractors, offshore developers, and a mix of open-source technology, all of which can introduce additional security challenges.

To mitigate these vulnerabilities, the HSCC has produced a 109-page guide, which provides actionable advice for managing risks related to the AI supply chain. This initiative was led by Samantha Jacques, who serves as the vice president of clinical engineering at McLaren Health and is also the vice chair of the HSCC’s cybersecurity working group. Jacques emphasized that the guide is designed to cater to organizations of varying sizes, enabling them to adopt elements that suit their specific operational processes or implement the comprehensive framework in its entirety. “Every organization is at a different stage in its AI adoption journey, and this guide aims to support them wherever they are,” she remarked.

According to Rob Suarez, vice president and Chief Information Security Officer (CISO) at CareFirst BlueCross BlueShield, a significant portion of healthcare organizations have collaborated with third-party entities to conceive and implement AI solutions. “While we move at light-speed, these are in fact still early days of AI,” Suarez noted, highlighting the urgent need for transparency regarding what third-party AI providers are doing and how they can collectively safeguard patients’ health and financial well-being.

Suarez articulated a fundamental concern: “We can’t protect what we don’t know.” He stressed that healthcare organizations must gain clarity from AI vendors on whether patient health information is being utilized and what measures are in place to manage associated risks.

The guide draws from established frameworks, such as the National Institute of Standards and Technology’s (NIST) AI Risk Management Framework and the voluntary Health Industry Cybersecurity Practices, which were established by HSCC in collaboration with the U.S. Department of Health and Human Services, as mentioned by Jacques. The document serves as a playbook, offering tactical strategies for governance, risk, and compliance practices that Chief Information Security Officers (CISOs) and security teams can implement, addressing various challenges related to AI technology, including the management of software patches and issues related to legacy products.

Additionally, compliance teams are encouraged to utilize the guidance for establishing business associate agreements concerning AI, while legal and supply chain professionals can leverage the recommended AI contract terms outlined in the document. Governance leadership teams within healthcare organizations can also find value in the training materials provided in the guide, which aim to educate users throughout the organization.

The comprehensive guidance not only targets the AI supply chain but also features a companion glossary of AI cyber terminologies, which has been made available for healthcare stakeholders involved in clinical, operational, compliance, and technical domains. This glossary is designed to foster understanding and clarity surrounding the terminology used in the AI landscape.

In conclusion, the guidance from HSCC is a valuable resource for healthcare organizations looking to navigate the complexities of third-party AI vendor risks. By fostering clarity and enhancing risk management practices, the HSCC aims to empower organizations to improve their cybersecurity frameworks amid the rapidly evolving landscape of artificial intelligence.