New HSCC guidance confronts AI cyber risk, champions governance
HSCC released its latest installment in a series of AI-specific publications aimed at helping healthcare organizations securely adopt AI.
Responsible AI adoption in healthcare requires a strong governance structure, especially since algorithmic failures, bias and the HIPAA compliance complexities associated with AI can threaten successful implementation, the Health Sector Coordinating Council (HSCC) posited in its new guidance document on implementing an AI risk and governance framework.
The 87-page publication is part of a series of complementary AI-specific cybersecurity guidance developed by the HSCC's AI cyber governance task group. The task group will continue to publish guidance in the coming months. Previously, the group released guidance on tackling third-party AI risk. The publication's authors represent leading health systems and health tech companies across the country.
"Effective AI Cyber Governance integrates cybersecurity principles into the assessment, design, development, deployment, and decommissioning of AI systems," the guidance stated. "It establishes protocols for secure data handling, model protection, threat detection, and continuous monitoring of vulnerabilities such as model evasion, model inversion, data leakage, and data poisoning."
HSCC noted that the guidance specifically pertains to the cybersecurity components of an AI governance framework and should not be used in isolation. Rather, organizations should use the framework alongside existing organizational governance activities.
The publication's content spans clinical safety and ethics, specific cybersecurity and privacy controls, generative AI and large language model risks, AI supply chain and concentration risks and AI-specific incident response.
"Without proper AI governance, AI systems can leak data, disrupt operations, perpetuate biases, adversely affect populations, or fail catastrophically -- ultimately compromising patient care, causing direct harm, and damaging organizational reputation," the document stated.
As such, the HSCC AI cyber governance task group stressed the importance of managing AI governance throughout the AI lifecycle, from strategy and policy to procurement and contracting, patching, incident response and the decommissioning of tools.
The HSCC recommended that organizations establish an AI cyber governance committee, consisting of program leads, physician leaders, IT and security teams, legal experts and patient advocates.
Overall, the guidance provides insight into the reality of safe AI adoption in healthcare. It requires organizations to consider not just cyber risk, but also operational and patient care risks.
"With the ever-changing healthcare ecosystem, effective management of AI is critical to patient safety," the HSCC stated.
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.