IndustrialCyber

HSCC publishes AI Cyber Governance guide to help healthcare providers manage emerging AI threats


The Health Sector Coordinating Council, through its Cybersecurity Working Group, has published a guide addressing the unique cybersecurity and privacy challenges that arise as the healthcare sector adopts AI (artificial intelligence) across clinical and operational use cases. The guide focuses on identifying and mitigating AI-specific cyber risks, such as data poisoning, model drift, and adversarial attacks, while ensuring compliance with the sector’s complex regulatory environment. It covers the full spectrum of AI technologies deployed in healthcare, from traditional machine learning (reactive, non-agentic models) to generative AI and agentic AI systems capable of autonomous action.

The HSCC document is titled ‘Health Industry AI Cyber Governance Framework Implementation Guide.’

The HSCC Cybersecurity Working Group’s AI Task Group also references the AI Cyber Glossary, a living reference document establishing consistent, governance-ready definitions for AI terminology across the health sector. The glossary was developed in direct response to a critical gap in managing healthcare AI and AI cybersecurity: the absence of shared, sector-specific language that clinical, operational, compliance, and technical stakeholders can use with confidence.

As AI adoption accelerates across healthcare organizations of every size, inconsistent terminology creates real risk across procurement decisions, vendor contracts, regulatory submissions, policy development, and patient safety oversight. As a living document, the Glossary is designed to serve as the terminological foundation for current and future HSCC AI Task Group guidance materials.

The HSCC defines AI Cyber Governance as the portion of AI governance focused on securing, protecting, and ensuring the resilience of AI systems throughout their lifecycle. While broader AI governance addresses organizational oversight and responsible use, AI Cyber Governance concentrates on whether AI systems remain secure, trustworthy, and resilient against cyber threats, adversarial attacks, data breaches, and operational failures. 

The framework highlights that effective governance is increasingly necessary as AI systems become more complex, regulatory requirements evolve, and healthcare organizations seek sustainable AI adoption without accumulating technical debt. It also emphasizes that strong governance builds trust among clinicians, patients, and other stakeholders while helping safeguard patient safety. 

To achieve these goals, organizations should integrate cybersecurity into every stage of the AI lifecycle, including assessment, development, deployment, monitoring, and decommissioning. This includes securing data, protecting models, detecting threats, and continuously monitoring vulnerabilities such as model evasion, model inversion, data leakage, and data poisoning. The document further stresses that AI cybersecurity is a shared responsibility among healthcare providers, technology vendors, and medical device manufacturers, requiring coordination across multiple organizational functions to ensure comprehensive oversight and accountability.

The AI Cyber Governance Framework Implementation Task Group is one of several task groups established under the HSCC CWG. It is charged with identifying emerging risks associated with AI and machine learning (AI/ML) products and services used in health and public health (HPH), and with developing guidelines, standards, best practices and mitigation recommendations for AI safety and security. The effort aligns with Implementing Objectives 6 and 8 of the HSCC CWG’s Health Industry Cybersecurity Strategic Plan 2024-29.

AI governance structures should scale with organizational size while remaining integrated with existing oversight functions.

In smaller healthcare organizations, such as critical access hospitals, community health centers, and facilities with fewer than 200 beds, AI governance responsibilities can be incorporated into existing committees, including Quality, Patient Safety, or Compliance committees. An AI governance liaison, often an existing leader such as the CIO, CISO, Compliance Officer, or CMIO, can coordinate activities across governance bodies. A formal AI Governance Committee may become necessary once the organization reaches a defined threshold, such as managing five or more active AI systems or deploying any high- or critical-risk AI application.

For medium-sized organizations with 200 to 500 beds, including community hospitals and smaller health systems, a standing AI Governance Subcommittee should be established under an existing governance structure such as IT Governance, Quality, or Compliance. This group should include representatives from clinical operations, cybersecurity, privacy, and legal functions. The subcommittee can conduct initial reviews of AI proposals and elevate high- or critical-risk decisions to executive leadership or the parent oversight committee.

Large healthcare organizations, including integrated delivery networks, academic medical centers, and facilities with more than 500 beds, should establish a dedicated AI Governance Committee with a formal charter, clearly defined decision-making authority, and direct reporting to the board or a board-level committee. Supporting subcommittees or working groups should oversee clinical AI evaluation, cybersecurity, ethics, and vendor and supply chain risk. Close coordination with bodies such as Medical Staff, Institutional Review Boards, Pharmacy and Therapeutics Committees, and Patient Safety Committees is essential to ensure effective two-way communication.

Regardless of organizational size, AI governance must include clinical decision-makers when patient care is affected, cybersecurity leadership when security implications exist, and privacy or compliance officers when protected health or personally identifiable information is involved. Escalation pathways to the board should be formally documented and regularly tested, and existing committee charters should be updated to reflect AI governance responsibilities.

Before AI Cyber Governance can be implemented, an AI Governance system must be in place. An effective AI Governance system creates a closed loop of accountability, including policies, risk assessment processes, security controls, documentation, and continuous monitoring. Yet, as is apparent with HIPAA Covered Entities and their Business Associates, achieving good governance requires sharing responsibility among many parties. 

The HSCC noted that boards bear fiduciary and ethical responsibility for AI deployment. They should receive regular briefings to learn about AI and to stay informed on AI cyber risk posture, regulatory trends, and incident reports. Annual attestation to AI cyber governance policies may be included in corporate compliance statements.

The document recommends establishing a multidisciplinary AI Cyber Governance Committee to ensure that AI systems are deployed securely, remain resilient against emerging threats, and operate in a trustworthy manner. Rather than treating AI as solely a technology initiative, the framework emphasizes shared oversight across executive, clinical, technical, legal, privacy, and operational functions.

Leadership of the committee typically includes AI executive sponsors such as the CIO, CTO, CMIO, Chief Data Officer, or other senior leaders responsible for setting strategy, allocating resources, and maintaining accountability for AI governance decisions. Clinical leaders, including chief medical and nursing officers, play a central role in validating clinical relevance, supporting clinician adoption, and monitoring outcomes after deployment.

Technology and cybersecurity teams are responsible for managing the infrastructure that supports AI systems while addressing risks such as data poisoning, adversarial attacks, and broader system resilience. Clinical engineering teams oversee AI-enabled medical devices, while legal, compliance, and privacy leaders ensure adherence to regulatory requirements, privacy obligations, and risk management practices involving sensitive patient data.

The framework also stresses the importance of including patient advocates and medical informatics specialists. Patient advocates help ensure that patient interests are considered when AI affects care delivery, while medical informatics and clinical decision support teams oversee how AI integrates with clinical information systems and workflows.

Additional expertise may be required depending on the organization’s AI maturity and use cases. Data scientists and machine learning engineers provide insight into model performance and failure modes, while bioethicists or ethics representatives evaluate complex ethical questions surrounding AI-driven decision-making. Patient safety officers help align AI governance with existing safety programs and reporting processes.

The document further recommends involving procurement and supply chain leaders to address vendor and third-party AI risks, as well as finance and revenue cycle leaders when AI is used in billing, coding, claims processing, or prior authorization functions. For larger healthcare organizations, governance responsibilities may be divided between an executive committee and a broader membership committee to balance effective oversight with broad stakeholder representation.

The HSCC document recognizes that AI risk assessment must be completed before production deployment and revisited according to the risk-tier schedule. Critically, AI cyber governance, covering threat modeling, security architecture review, and penetration testing, depends on this foundational governance layer being in place first.

The guidance emphasizes that clear, actionable governance is essential for ensuring AI adoption remains aligned with an increasingly complex regulatory environment. Organizations are encouraged to map AI governance controls to applicable federal and state requirements, including HIPAA Privacy and Security Rules, state privacy laws such as New York’s SHIELD Act and California’s CCPA/CPRA, transparency requirements for AI-enabled decision support systems, FDA regulations governing software and AI-enabled medical devices, and cybersecurity mandates such as Section 524B of the FD&C Act and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). By integrating these requirements into governance programs, healthcare organizations can strengthen legal compliance, improve operational resilience, and reduce regulatory risk.

To translate governance into practice, the document recommends aligning AI programs with recognized standards and frameworks, including the NIST AI Risk Management Framework, FDA guidance for AI-enabled devices, ISO/IEC 42001 and 23894, the EU AI Act and GDPR, AAMI CR515, OWASP guidance for large language models and agentic AI, MITRE ATLAS, NIST SP 800-218A, and ISO/IEC 27090 and 27091. 

The guidance also highlights the importance of third-party AI risk management and supply chain transparency. Organizations are encouraged to assess governance maturity across AI cybersecurity governance, regulatory alignment, and standards compliance using a five-level maturity model. Governance expectations should be proportional to risk, with high-risk systems such as clinical diagnostics requiring a more advanced level of governance maturity before deployment than lower-risk administrative applications.

In conclusion, the HSCC guidance noted that robust AI cybersecurity governance ensures that products and tools deployed to healthcare environments are adequately reviewed, and risks are identified and mitigated so that the mission and vision of organizations can be met. To guide that work, the guide empowers healthcare organizations to establish cyber governance frameworks for secure AI implementation. It addresses identification and mitigation of AI-specific cyber risks and provides practical tools for tasks such as organizing roles and responsibilities, inventory management, contractual language for vendor relationships, and an AI-specific incident response playbook.

The guide also addresses AI supply chain and concentration risk, operational resilience for AI-dependent clinical workflows, non-human identity management, patient engagement and transparency obligations, liability and insurance considerations, and governance requirements for research AI. Organizations should implement the recommendations provided here to ensure safe and effective use of AI tools throughout their organization. With the ever-changing healthcare ecosystem, effective management of AI is critical to patient safety. 

In April, the HSCC published a guide to help healthcare organizations manage cybersecurity risks in AI-driven supply chains. It focuses on gaps in vendor visibility and disclosure, where incomplete inventories and unreported AI-specific risks, such as data leakage and adversarial threats, complicate oversight. The guide promotes proactive due diligence, continuous risk profiling, and stronger contractual transparency, equipping organizations to identify hidden dependencies, manage third-party risks, and align AI technologies with safety, privacy, and resilience priorities.
