Key Takeaways

• The Health Sector Coordinating Council has released a comprehensive guide to help hospitals navigate AI-related cybersecurity risks.
• The guide outlines a seven-phase lifecycle for managing third-party AI risks, emphasizing the need for tailored risk management practices.
• Healthcare organizations often struggle with visibility and control over AI supply chains, heightening their cybersecurity vulnerabilities.

Increasing Complexity in Healthcare AI Management

Hospitals have become increasingly reliant on various healthcare vendors, and the expansion of AI technologies has further complicated the management of these vendor relationships. A new crucial challenge is the heightened risk of cybersecurity breaches, prompting the Health Sector Coordinating Council (HSCC) to publish a 109-page document titled the Third-Party AI Risk and Supply Chain Transparency Guide. This guide aims to assist hospitals in effectively managing the complexities introduced by AI technologies.

The guide, developed by an HSCC working group focused on cybersecurity, strives to fix the gaps in discovery and disclosure that make AI supply chain risks difficult to handle. The authors, led by Ed Gaudet of Censinet and Samantha Jacques of McLaren Health, identify prevalent issues such as synthetic data misuse and adversarial inference that often go unreported. They underscore that healthcare organizations often operate with outdated vendor inventories, which amplifies systemic risk.

The guide delineates a structured, seven-phase approach to managing risks associated with third-party AI technologies. These phases include:

1. Phase 0: AI Use Case Justification – Defines the problem and classifies the use case’s safety impact, ensuring accountability and alignment with risk profiles.

2. Phase 1: Vendor Evaluation – Enhances traditional vendor assessments with AI-specific governance and compliance checks, focusing on data provenance and ethical practices.

3. Phase 2: Contract Negotiation – Establishes AI-specific contract clauses that create shared responsibilities for data ownership and performance obligations.

4. Phase 3: Implementation – Focuses on threat modeling and security testing, ensuring all staff receive role-specific training during the production rollout.

5. Phase 4: Monitoring and Performance Management – Involves ongoing scrutiny of AI performance and security, especially post-vendor updates, requiring continuous auditing and re-validation.

6. Phase 5: Incident Response – Prepares organizations for AI-related incidents, detailing necessary protocols for detection and recovery.

7. Phase 6: End-of-life Management – Addresses the continuity of care and regulatory compliance during AI system discontinuation.

The authors emphasize that traditional vendor risk management practices are inadequate for the unique challenges posed by AI systems. The guide serves as a roadmap for healthcare organizations to mitigate risks effectively and ensure that AI technologies enhance, rather than compromise, patient safety and operational integrity. The full guide is available for free to all interested parties.

The content above is a summary. For more details, see the source article.