
Healthcare organizations adopting advanced artificial intelligence tools now confront increasing risks from their supply chains. A report by the Health Information Sharing and Analysis Center (Health-ISAC) found that traditional vendor oversight fails to address the complexities of AI systems, exposing hospitals and clinics to hidden vulnerabilities.
AI expands the attack surface
The Frontier AI in the Health Sector: Managing Supply Chain and Vendor Risk report explains that AI supply chains introduce risks beyond what conventional cybersecurity reviews detect. Many providers depend on AI integrated into electronic health records, clinical decision support, medical devices, and billing systems, often without understanding how those models were developed, trained, or updated.
These hidden dependencies create blind spots. A hospital might review a vendor’s security controls but still miss risks in the AI’s training data, third-party software, or subcontractors. Such gaps can result in security breaches, privacy violations, or compliance failures that standard procurement checks do not catch.
Related: Ari Robicsek named NCQA’s first chief medical officer
New rules for managing risk
Health-ISAC outlines five key changes for how healthcare organizations should handle AI vendors:
- Create AI-specific governance and procurement policies separate from general IT contracts.
- Require vendors to disclose details about AI models, training data, and software dependencies.
- Monitor AI systems continuously rather than only during initial security assessments.
- Incorporate AI risks into existing enterprise risk management and compliance programs.
- Add AI-specific clauses to contracts, covering incident reporting, model updates, and accountability.
The recommendations match the National Institute of Standards and Technology’s AI Risk Management Framework, which advises organizations to examine the entire ecosystem supporting AI products. That includes cloud providers, open-source components, and downstream suppliers, all of which can introduce vulnerabilities.
Supply chain attacks remain a persistent threat to healthcare. The report identified vendors as prime targets for attackers aiming to compromise multiple organizations simultaneously. AI-enabled cyberattacks were highlighted as a major concern for the sector in the near future.
Related: ACOs Deliver 2.5 Billion in Savings
For hospitals already stretched thin by cybersecurity demands, the additional responsibility of AI oversight may seem daunting. The report warns that ignoring these risks could lead to far greater consequences. A single compromised AI model—whether through malicious training data or a supply chain breach—could disrupt operations across entire provider networks.
The issue extends beyond technical challenges. Most healthcare organizations lack the expertise to evaluate AI systems, let alone the supply chains behind them. While the report does not provide a simple solution, it advises leaders to begin with practical steps: update procurement policies, ask vendors more rigorous questions, and treat AI as a distinct risk category rather than just another software component.
That strategy offers a starting point. As AI becomes more embedded in healthcare, the boundary between vendor risk and patient safety will continue to fade.