Healthcare sector rolls out 2026 cybersecurity guidance for AI systems

The Health Sector Coordinating Council (HSCC), through its Cybersecurity Working Group (CWG), has released early previews of its upcoming 2026 guidance on managing artificial intelligence (AI) cybersecurity risks. Recognizing the complexity of AI and aiming to balance its opportunities with its challenges, the HSCC plans a phased rollout of resources focused on developing sound policies and best practices for responsible adoption.

The agency announced a series of one-page summaries outlining five HSCC Cybersecurity workstreams on AI, offering an early look at the best practices and white papers the CWG plans to release throughout 2026. The forthcoming publications will address:

1. Education and Enablement

2. Cyber Operations and Defense

3. Governance

4. Secure by Design Medical

5. Third-Party AI Risk and Supply Chain Transparency

The initial foundational publication, AI in Healthcare: 10 Terms You Need to Know, has already been addressed in the current document.

The Five Focused Subgroups

The HSCC CWG formed an AI Cybersecurity Task Group last October, composed of 115 healthcare organizations, to prepare the sector with operational and organizational guidance. The complexity of AI technology used in clinical, administrative, and financial applications led the group to divide the issues into five manageable, interconnected subgroups:

• Education and Enablement: Focuses on developing common terminology, education, and training programs to help diverse healthcare users build awareness, better understand risks, and apply appropriate control measures for AI and machine learning technologies. Deliverables include top ten AI definitions and AI-assisted learning materials.

• Cyber Operations and Defense: Is creating practical playbooks to help organizations prepare for, detect, respond to, and recover from AI-related cyber incidents. It aims to define AI-driven threat intelligence processes and establish risk factors for various AI technologies beyond large language models. Deliverables include the AI Cyber Resilience and Incident Recovery Playbook.

• Governance: Is developing a comprehensive framework for managing AI cybersecurity risks across the entire health sector enterprise. It covers formal governance processes, regulatory alignment (HIPAA, FDA), and AI-specific security and data controls, referencing frameworks like the NIST AI Risk Management Framework. Key output is an AI Governance Maturity Model.

• Secure by Design Medical: Works to embed cybersecurity principles into the development of AI-enabled medical devices. It addresses unique risks like data poisoning and model manipulation, fosters cross-functional collaboration, and supports the integration of AI Bill of Materials (AIBOM) for transparency.

• Third-Party AI Risk and Supply Chain Transparency: Aims to strengthen security and resilience by improving visibility into third-party AI tools. Key activities include standardizing vendor vetting, implementing contractual safeguards for PHI handling, and encouraging bias testing and fairness in AI adoption.

The HSCC CWG urges healthcare organizations to adopt these best practices, share guidance across teams, and engage with the council to ensure that healthcare innovation is matched by a steadfast commitment to patient safety, data privacy, and operational resilience. The workstreams are slated to publish their guidance documents in succession through the first quarter of next year, starting in January.