The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group has released a guide on third-party artificial intelligence risk and AI supply chain transparency for healthcare organizations.
The guide sets out best practices for AI-driven supply chains, including data lineage tracking, model auditability, visibility into embedded third-party dependencies and post-deployment monitoring.
The guide is intended to align with the National Institute of Standards and Technology’s AI Risk Management Framework and to address discovery and disclosure gaps that make AI supply chain risk harder to manage.
What the guide covers and where it sits in existing frameworks
The April guide expands on a workstream HSCC previewed in November 2025. In the earlier outline, HSCC said its third-party AI and supply chain track would focus on visibility and transparency, governance and oversight, cyber and data risk, contractual and legal safeguards, lifecycle risk management and shared responsibility.
HSCC also said the workstream would cover procurement, vendor vetting, monitoring, end-of-life planning and model contract or business associate agreement clauses for data use, protected health information handling and breach reporting.
When a vendor becomes a business associate
HHS says a software vendor becomes a HIPAA business associate when it needs access to protected health information to provide its service, such as hosting software that contains patient information or accessing patient data while troubleshooting.
In these cases, covered entities are required to have a business associate agreement in place before allowing that access.
On March 5, the HHS Office for Civil Rights announced a settlement with MMG Fusion, a Maryland software company, over potential HIPAA Privacy, Security and Breach Notification Rule violations tied to a breach affecting 15 million individuals.
OCR said MMG was a business associate because its software was used to communicate directly with patients of covered entities, and it used the case to restate that business associates must safeguard protected health information and meet breach-notification duties.
Business associates in healthcare ransomware exposure
The sector’s exposure to third-party cyber risk is also documented beyond enforcement. A 2025 open-access review of U.S. healthcare ransomware incidents found that 33.8% of 831 provider-reported ransomware incidents from 2016 through 2024 involved a business associate.
The study concluded that business-associate exposure is significant in healthcare ransomware and described the pattern as a hub-and-spoke risk model, where disruption at one vendor can affect multiple providers.
How the guide fits HSCC’s broader AI risk work
In its 2023 paper on artificial intelligence and machine learning, HSCC said healthcare AI and ML systems can be vulnerable to evasion, data poisoning, model replication and exploitation of traditional software flaws.
The new third-party guide narrows that broader concern to the vendor, procurement and supply chain layer, where HSCC’s November preview said the intended outcomes were better tools for GRC, procurement and compliance teams, lower exposure to hidden risks in layered vendor chains and stronger alignment with standards including NIST, FDA, ISO and IMDRF.
The timing also matches wider standards activity around AI governance. NIST says its AI RMF is a voluntary framework for managing risks in the design, development, use and evaluation of AI systems, and on April 7 it released a concept note for a profile on trustworthy AI in critical infrastructure.