As healthcare organizations adopt artificial intelligence, a new guide from the Health Sector Coordinating Council warns that third-party AI tools are creating unseen cybersecurity and data privacy risks. The guidance offers a roadmap for improving transparency, strengthening vendor oversight, and preventing vulnerabilities embedded deep within complex AI supply chains.
What happened
According to GovInfoSecurity, the Health Sector Coordinating Council (HSCC) has released a comprehensive 109-page guide aimed at helping healthcare organizations manage cybersecurity risks linked to third-party artificial intelligence (AI) technologies. The document, titled the Health Industry Third-Party AI Risk and Supply Chain Transparency Guide, was developed by the council’s Cybersecurity Working Group and focuses on the growing risks associated with AI-driven supply chains in healthcare.
Going deeper
The guide responds to increasing reliance on external AI vendors across healthcare systems, from electronic health records to remote monitoring tools, which introduces complex and often opaque supply chains. These systems may include subcontractors, offshore developers, and open-source components, making it difficult for organizations to fully understand or manage embedded risks.
To address these challenges, the guidance outlines best practices such as:
- Improved visibility into AI components and dependencies
- Vendor risk assessment and continuous monitoring
- Data lineage tracking and model auditability
- Post-deployment oversight and lifecycle risk management
It also aligns with established frameworks like the NIST AI Risk Management Framework and builds on earlier healthcare cybersecurity practices.
The guide is designed to be flexible, allowing organizations of different sizes and levels of AI adoption to implement relevant sections. It also provides tools for identifying hidden dependencies and potential cascading failures within AI ecosystems.
What was said
In a LinkedIn post, the HSCC states that “this new publication - the ‘Health Industry Third-Party AI Risk and Supply Chain Transparency Guide’ … addresses the growing gaps in discovery and disclosure processes that make AI supply chain risk so difficult to manage.” The post continues: “many HCOs operate with incomplete or outdated vendor inventories, while AI-specific cybersecurity risks - such as synthetic data misuse, training data leakage, and adversarial inference - go unreported by vendors. To counter this, the Guide promotes proactive due diligence, dynamic risk profiling, and contractual transparency. It equips risk managers, compliance teams, and procurement officers with scalable tools to surface hidden dependencies, identify cascading failure points, and align third-party AI vendors and products with mission-critical safety, privacy, and resilience goals.”
Why it matters
The release of this guidance comes at a time when AI adoption in healthcare is accelerating rapidly, bringing both operational benefits and new cybersecurity vulnerabilities. Third-party AI tools can introduce risks such as data leakage, hidden dependencies, and system-wide failures if not properly managed.
By standardizing best practices and improving transparency, the HSCC guide aims to strengthen healthcare resilience, protect sensitive patient data, and reduce the likelihood of cyber incidents linked to external AI vendors.
FAQs
Why is third-party AI a concern in healthcare?
Many healthcare systems rely on external vendors for AI tools, which can introduce hidden risks such as data breaches, insecure software components, or lack of transparency about how patient data is used and processed.
Who should use this guidance?
It is designed for healthcare providers, payers, technology vendors, and cybersecurity professionals.
Is this guidance mandatory?
No, it is voluntary. However, organizations are strongly encouraged to adopt it as a best-practice approach to managing emerging AI risks.