On Wednesday, April 15, the Cybersecurity Working Group (CWG) of the Health Sector Coordinating Council (HSCC) released a new report, the “Health Industry Third-Party AI Risk and Supply Chain Transparency Guide,” to address gaps in discovery and disclosure processes that make AI supply chain risk hard to manage.

In an HSCC news release, the organization wrote that many healthcare organizations operate with incomplete or outdated vendor inventories, while AI-specific cybersecurity risks go unreported by vendors.

Healthcare organizations face unprecedented risks, the guide’s executive summary stated, including:

• Limited visibility into AI components sourced through layered supply chains, including subcontractors, offshore development, and open-source assets.
• Difficulty verifying vendor security postures, data governance practices, and model integrity.
• Vendors shifting risk to healthcare organizations, including those with one-sided contract terms or those unwilling to sign HIPAA Business Associate Agreements (BAAs).
• Incomplete vendor inventories and unreported AI-specific cybersecurity risks, including synthetic data misuse, training data leakage, and adversarial inference.
• The rapid acceleration of change in AI infrastructure, algorithms, and models introduces complexity, steep learning curves, an ever-evolving set of new and updated risks, and an exponentially expanding and broad attack surface.

The guide lists best practice components, advice for implementation, and some key recommendations, including:

• Creating AI governance bodies tailored to the organization's size and complexity, defining clear responsibilities for oversight, security certifications, risk levels, approval procedures, and training needs.
• Establishing shared-responsibility models with vendors by including contractual transparency requirements, providing advance notice of changes, and conducting joint validation activities.
• Improving procurement workflows to recognize AI early in the acquisition process and require thorough vetting prior to deployment.
• Proactively overseeing the entire AI lifecycle, from initial assessment to end-of-life, with a focus on update management and configuration validation.
• Aiming for vendor transparency about model training data, potential biases, and dependencies, considering the relevant use case, risk level, and business impact.
• Highlighting concealed dependencies through establishing and maintaining an active inventory, along with employing dynamic risk profiling and scalable due diligence tools.

Alongside the release of the guide, the HSCC Cybersecurity Working Group’s AI Task Group published its AI Cyber Glossary – a living reference document establishing governance-ready definitions for AI terminology across the health sector.

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is a government-recognized critical-infrastructure industry advisory council, according to the organization, comprising more than 480 healthcare organizations across health delivery; life sciences, lab and medical technology; health insurance and plans; health I.T. and information exchange; and public health and government agencies, partnering to identify and mitigate cyber threats to health data and research, systems, manufacturing, and patient care.