Third-Party AI Risk in Healthcare

Healthcare is one of the most sensitive sectors from a cybersecurity perspective. It is highly dependent on digital systems, third party providers, medical devices, EHR platforms, cloud services, and increasingly AI-enabled tools. At the same time, the consequences of failure are not limited to financial loss or regulatory exposure. In healthcare, cybersecurity is directly connected with patient safety.

Photo: https://www.magnific.com/pl

That is why I really appreciate the new HSCC “Third-Party AI Risk and Supply Chain Transparency Guide”. It is a very practical publication that addresses the sector-specific reality of managing third-party AI risk in healthcare.

AI is already being used or considered in many areas, including:

• clinical decision support,

• radiology, pathology and diagnostic tools,

• predictive analytics for patient outcomes,

•  remote monitoring devices and wearable technologies,

•  AI-enabled medical devices,

• ambient listening and medical documentation,

• EHR-embedded AI capabilities,

• chatbots and virtual assistants,

• medical coding, billing and revenue cycle management,

•  population health analytics,

• fraud detection and compliance monitoring,

• network monitoring and threat detection.

This creates a very different risk landscape from traditional software procurement.

What I like most about the HSCC guide is that it does not treat AI risk as a single “procurement questionnaire problem.” It proposes a full lifecycle approach.

The guide provides very useful practical tools: AI governance policy examples, inventory management guidance, a RACI matrix, sample commercial contract language, sample BAA language, AI vendor assessment questions, training checklists, and QA / verification / validation guidance.

From a TPRM perspective, the contract section is especially valuable.

For me, one of the most important messages is that healthcare organizations should not assume that a vendor’s AI tool is safe because it is innovative, popular, embedded in an existing platform, or marketed as “secure.” AI must be governed, assessed, validated, monitored, and contractually controlled.

The healthcare sector is often described as less mature in cybersecurity than other highly regulated sectors, while at the same time being frequently targeted and directly connected to human life and health. In healthcare, safety should be one of the main drivers of security, including cybersecurity.

I hope similar practical guidance and sector-specific approaches will also be developed for the Polish healthcare sector.

Link

Author: Sebastian Burgemejster