As healthcare organizations continue to adopt AI-powered tools, effective third-party risk management strategies and supply chain transparency remain essential to protecting operations. To that end, new guidance from the Health Sector Coordinating Council (HSCC) identifies significant third-party AI risks and provides recommendations for managing them.
HSCC established an independent task group on AI Risk and Supply Chain Transparency, comprised of industry leaders, to investigate these issues. The guidance encourages healthcare organizations to distribute the document to senior executives and to evaluate their third-party and supply chain risk management programs against the best practices it outlines.
“The accelerated adoption of artificial intelligence in the healthcare sector has dramatically expanded reliance on third-party tools and services, creating complex cybersecurity challenges that traditional risk management models cannot adequately address,” the document states.
Third-party AI tools come with hidden risks
These risks include limited visibility of AI components procured through the supply chain, challenges in validating vendors’ security posture, and vendors using one-sided contract language to shift risk to healthcare organizations.
Additionally, unreported AI cybersecurity risks, such as leaked training data or the misuse of synthetic data, can put healthcare organizations in a difficult position when it comes to managing security and compliance.
“The unprecedented rate of change in AI infrastructure, algorithms, and models is accelerating, resulting in complexity, steep learning curves, an ever-evolving set of new and updated risks, and an exponentially more complex and broader attack surface,” the document added.
The task group emphasized that organizations of all sizes and levels of sophistication can and should adopt best practices to balance AI innovation and cybersecurity risk.
Best practices, implementation guidance
HSCC has identified several best practices centered around governance, legal protections, and proven cybersecurity protocols. The document also provides detailed guidance on all stages of AI adoption, from vendor evaluation to ongoing performance management.
Under HIPAA, healthcare organizations are required to maintain technical and administrative safeguards to protect against cyber risks. However, HIPAA was enacted in 1996, long before the proliferation of AI changed the nature of the healthcare ecosystem.
HSCC’s guidance outlines AI-specific considerations against established best practices and highlights how healthcare organizations can evaluate, implement, and maintain AI-powered technologies.
Recommended best practices include developing a comprehensive AI governance policy and model contract language that addresses AI use case legitimacy requirements, data ownership, and AI training and performance standards. The guidance also suggests that organizations include AI-specific clauses in business associate agreements.
Inventory and asset management, quality assurance, model validation, and response and recovery planning in conjunction with AI vendors are all important to mitigating risk, the guidance document states.
Applying these best practices requires a thoughtful approach, which varies depending on the size and sophistication of the organization. HSCC said healthcare organizations using AI, regardless of size, should establish an AI governance body, define a shared responsibility model with AI vendors, and manage the AI lifecycle from initial procurement to end-of-life.
As healthcare organizations continue to integrate AI into their workflows, they must carefully consider third-party risk management and vendor transparency.
Jill Hughes has been covering health tech news since 2021.
