New HSCC guidance tackles third-party AI risk
The Health Sector Coordinating Council's latest guidance aims to define accountability and performance expectations as healthcare increasingly relies on third-party AI tools.
As healthcare organizations continue to embrace AI-powered tools, effective third-party risk management and supply chain transparency remain essential to safeguarding operations. To that end, the Health Sector Coordinating Council (HSCC) developed guidance that identifies critical third-party AI risks and recommends ways to manage them.
The HSCC established a task group on third-party AI risk and supply chain transparency, composed of industry leaders, to explore these issues. The HSCC encouraged healthcare organizations to share the document with senior leadership and to evaluate their own third-party and supply chain risk management programs against the best practices it outlines.
"The healthcare sector's accelerating adoption of artificial intelligence has dramatically expanded its dependence on third-party tools and services, introducing complex cybersecurity challenges that traditional risk management models cannot adequately address," the document stated.
Third-party AI tools come with hidden risks
From AI-driven clinical decision support tools to revenue cycle automation and remote monitoring devices, AI is quickly becoming embedded in healthcare systems. While these tools promise great value, they also open healthcare organizations up to unprecedented risk, the task group suggested.
Those risks include limited visibility into AI components sourced through supply chains, difficulty verifying vendor security postures, and vendors shifting risk onto healthcare organizations through one-sided contract language.
What's more, AI-specific cybersecurity risks that vendors do not report, such as training data leakage and synthetic data misuse, can leave healthcare organizations in a difficult position when managing security and compliance.
"Acceleration of change of AI infrastructure, algorithms, and models at unprecedented rates introduce complexity, steep learning curves, an ever-evolving set of new and updated risks, and an exponentially complex and broad attack surface," the document added.
The task group stressed that organizations of all sizes and sophistication levels can and should adopt its best practices as they work to balance AI innovation with cybersecurity risk.
Best practices, implementation guidance
The HSCC identified several best practices centered on governance, legal protections and tried-and-true cybersecurity protocols. The document also provides detailed guidance on every phase of AI adoption, from vendor evaluation to ongoing performance management.
Under HIPAA, healthcare organizations are required to maintain administrative, physical and technical safeguards to protect electronic protected health information. However, HIPAA was enacted in 1996, long before the widespread adoption of AI changed the nature of healthcare ecosystems.
The HSCC's guidance outlines AI-specific considerations for established best practices, highlighting the ways in which healthcare organizations should evaluate, adopt and maintain AI-powered technologies.
The recommended best practices include developing comprehensive AI governance policies, AI use-case justification requirements and model contract language that addresses data ownership, AI training and performance standards. The guidance also suggests that organizations include AI-specific clauses in their business associate agreements.
Inventory and asset management, quality assurance, model validation, and response and recovery planning -- all in coordination with AI vendors -- are crucial to mitigating risk, the guidance document notes.
Putting these best practices to use requires a measured approach and will look different depending on organization size and sophistication. Regardless of size, healthcare organizations using AI should establish AI governance bodies, enact shared responsibility models with AI vendors and manage the AI lifecycle from initial procurement to end-of-life, the HSCC said.
As healthcare organizations continue to integrate AI into their workflows, they must carefully consider third-party risk management and vendor transparency.
Jill Hughes has covered health tech news since 2021.