The Health Sector Coordinating Council (HSCC), through its Cybersecurity Working Group (CWG), has released a systemic risk mapping toolkit, a new resource designed by the sector for the sector. The toolkit helps healthcare organizations track and manage the critical third-party services that support essential workflows, providing templates and a methodology to visualize, identify, and measure systemic risks posed by the technology, software, and communication services on which clinical, administrative, and manufacturing operations depend. The toolkit, the Health Industry Cybersecurity Sector Mapping and Risk Toolkit (SMART), represents 16 months of cross-sector collaboration among 80 organizations spanning patient care, health insurance, laboratories, pharmaceutical and blood services, medical technology, public health, and health IT.
The SMART Toolkit is intended for cybersecurity, supply chain, risk, operational, and administrative executives across health industry organizations of all sizes and subsectors, including healthcare providers, health plans and insurers, and manufacturers. The recommended practices directly address the third-party risk management imperatives in the Health Industry Cybersecurity Strategic Plan 2024-2029, released by the HSCC CWG last year.
Larger organizations have dedicated resources to improve the resiliency of their critical functions, but many small-to-medium-sized organizations lack similar scale and need support with tools appropriate to their size, capability, and resource constraints.
The HSCC CWG plans to review and update the toolkit as experience and recommended improvements emerge. Stakeholders who have implemented these risk mappings are invited to provide feedback on their use to help strengthen and refine the critical functions risk management program.
For now, the group has not treated AI as a separate component of the sector risk maps. Where a solution, software product, or application includes AI, organizations can call that out as part of the mapping process. As of this writing, the HSCC CWG is engaging several AI task groups to consider these and other third-party risks to the sector; the resulting publications are expected to become available throughout 2026.
For these smaller organizations in particular, the SMART Toolkit provides actionable guidance and methods for managing systemic risks related to their critical functions and dependencies within the health system. It positions them to demand secure products and high availability of services from their suppliers, thereby driving improved standards for critical functions across the entire healthcare ecosystem. Where customer leverage is insufficient to influence a third party's security, the SMART Toolkit can help organizations anticipate potential incidents and develop backup and resiliency plans.
“Critical functions in the health sector form a complex ecosystem of interdependent organizations of all sizes, including patient care, payment and data management systems, pharmaceutical, manufacturing, technology research, and public health administration,” Samantha Jacques, vice chair of the HSCC CWG and co-lead of the SMART Task Group, said in a recent media statement. “A cybersecurity event affecting a single supplier or third-party support for critical functions across healthcare workflows poses ‘one-to-many’ impact. A disruption to one payment clearinghouse, for example, can shut down a significant portion of the nation’s healthcare delivery.”
“The impact of a cyber disruption on critical functions can include loss of patient data and payment information, theft of intellectual property, or exploitation of medical device vulnerabilities that lead to disruption of functionality or patient harm,” Adrian Mayers, a co-lead of the SMART Task Group and Premera BlueCross chief information security officer, observed. “The growth of ransomware threatens the availability of critical functions and systems, leaving organizations unable to provide services or products relied upon by patients and health professionals.”
The first phase of the SMART toolkit focuses on identifying systemic risk through a structured, repeatable process. Whether the organization is a small rural hospital or a large enterprise, the same pre-work is necessary to pinpoint critical third-party functions. The goal is to recognize essential vendors, understand dependencies, and define what makes a service or process “material” to the organization’s continued operation.
The process begins with forming a collaborative planning team that draws from multiple disciplines such as risk management, cybersecurity, legal, compliance, IT, finance, operations, and executive leadership. In larger organizations, sub-teams with subject matter expertise may handle specific workflows or functions. This cross-functional approach ensures that no single department’s perspective dominates and that systemic interdependencies are fully captured.
Next, the team develops a common understanding of materiality, aligning on what qualifies as critical to business continuity and patient safety. This definition typically follows an inherent-risk rubric that evaluates business, financial, safety, and regulatory impact. Senior leadership and boards ultimately approve these thresholds so that they align with strategic and regulatory goals. A shared definition prevents confusion and keeps the analysis focused on genuinely high-impact systems and vendors.
Once materiality is defined, the team determines which critical function maps apply to the organization. These maps, drawn from the toolkit’s appendix, illustrate key healthcare workflows such as laboratory operations, medical device manufacturing, or pharmacy distribution. Teams review these templates, select those relevant to their operations, and prioritize them based on materiality and potential impact.
The next step is to customize the critical function maps to reflect the organization’s actual workflows. Teams review each map, adding or adjusting elements to capture internal processes, data flows, and third-party integrations. Collaboration with subject matter experts is essential here to ensure accuracy. These iterations continue until the workflows represent the real operational picture.
After the workflows are finalized, the team proceeds to identify vendors and their services or products tied to each critical function. This includes all third-party entities that support the workflow—cloud providers, software vendors, data processors, and supply chain partners. The process must also account for hidden dependencies like APIs and automation tools that link systems together. This step builds a comprehensive vendor inventory mapped directly to operational functions.
The final task in Phase 1 of the SMART Toolkit is to conduct a Critical Function Analysis to prioritize vendors. This involves simulating disruption scenarios where a vendor or service becomes unavailable without warning. Teams assess operational impacts, existing mitigations, and the scope of material effect, whether isolated or organization-wide. They then identify chokepoints and risk concentrations that could lead to cascading failures. The result is a prioritized list of vendors and services requiring focused attention in the next phase.
By the end of this phase, organizations have a clear understanding of which functions and third-party relationships present the highest systemic risk. This structured process helps shift risk management from reactive problem-solving to proactive resilience building, ensuring the organization can anticipate and withstand disruption rather than scramble to recover from it.
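The Phase 1 steps above, from the vendor inventory through the Critical Function Analysis, amount to a dependency graph exercise: map each critical function to the vendors it relies on (including hidden dependencies such as interface engines and APIs), then take each vendor offline in turn and measure what stops. The following Python is an added illustration of that analysis and is not code from the SMART Toolkit; the critical functions, vendor names, materiality scores (1 to 5) and the "sum of materiality of failed functions" impact score are all constructed assumptions for the example. It goes one step past the single-vendor scenarios the toolkit describes by also allowing several vendors to fail at once, which is how a concentration hidden behind a primary and its "alternate" supplier shows up.

```python
"""Critical Function Analysis as a dependency graph.

Added example (not part of the SMART Toolkit). Models critical functions and
their third-party dependencies, simulates vendors becoming unavailable without
warning, and ranks vendors by the material impact of that outage so the
chokepoints and one-to-many concentrations fall out of the data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Dependency:
    """One third-party service a critical function relies on.

    alternates: vendors that can stand in if `vendor` is unavailable; this is
    the 'existing mitigation' the analysis credits (e.g. a second wholesaler).
    """
    vendor: str
    service: str
    alternates: FrozenSet[str] = frozenset()


@dataclass
class CriticalFunction:
    name: str
    materiality: int  # assumed scale: 1 (limited) .. 5 (patient safety / organization-wide)
    dependencies: List[Dependency]


# Constructed sample map for illustration only; all vendor names are fictitious.
FUNCTIONS: List[CriticalFunction] = [
    CriticalFunction("Claims submission and payment", 5, [
        Dependency("ClearingCo", "payment clearinghouse"),
        Dependency("EHRVend", "billing module"),
        Dependency("CloudNet", "hosting and connectivity"),
    ]),
    CriticalFunction("Laboratory results reporting", 5, [
        Dependency("LabSys", "laboratory information system"),
        # Hidden dependency: the interface engine that moves HL7 results into the EHR.
        Dependency("IntegrateAPI", "HL7 interface engine"),
        Dependency("CloudNet", "hosting and connectivity"),
    ]),
    CriticalFunction("Pharmacy distribution", 4, [
        Dependency("PharmaDist", "drug wholesaler", frozenset({"BackupDist"})),
        Dependency("IntegrateAPI", "ordering API"),
    ]),
    CriticalFunction("Patient scheduling", 2, [
        Dependency("SchedSaaS", "scheduling portal", frozenset({"EHRVend"})),
    ]),
    CriticalFunction("Payroll", 1, [
        Dependency("PayrollCo", "payroll processing"),
        Dependency("CloudNet", "hosting and connectivity"),
    ]),
]


def vendor_inventory(functions: List[CriticalFunction]) -> Set[str]:
    """Every vendor mapped to a critical function, including stand-in alternates."""
    vendors: Set[str] = set()
    for fn in functions:
        for dep in fn.dependencies:
            vendors.add(dep.vendor)
            vendors.update(dep.alternates)
    return vendors


def failed_functions(functions: List[CriticalFunction], down: Set[str]) -> List[CriticalFunction]:
    """Functions that stop when every vendor in `down` is unavailable at once.

    A dependency survives only if at least one alternate is still up, so a
    primary and its alternate failing together (shared upstream) is caught.
    """
    failed = []
    for fn in functions:
        for dep in fn.dependencies:
            if dep.vendor in down and not (dep.alternates - down):
                failed.append(fn)
                break
    return failed


def outage_impact(functions: List[CriticalFunction], down: Set[str]) -> Tuple[int, int]:
    """(sum of materiality of failed functions, number of failed functions)."""
    failed = failed_functions(functions, down)
    return sum(fn.materiality for fn in failed), len(failed)


def rank_vendors(functions: List[CriticalFunction]) -> List[Tuple[str, int, int]]:
    """Single-vendor disruption scenarios, highest material impact first."""
    rows = []
    for vendor in vendor_inventory(functions):
        impact, breadth = outage_impact(functions, {vendor})
        rows.append((vendor, impact, breadth))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def chokepoints(functions: List[CriticalFunction], min_functions: int = 2) -> List[str]:
    """Vendors whose loss, with no alternate to absorb it, takes down
    `min_functions` or more critical functions: the one-to-many concentrations."""
    return sorted(v for v, _impact, breadth in rank_vendors(functions) if breadth >= min_functions)


if __name__ == "__main__":
    for vendor, impact, breadth in rank_vendors(FUNCTIONS):
        print(f"{vendor:12s} impact={impact:2d} functions_down={breadth}")
    print("chokepoints:", chokepoints(FUNCTIONS))
    # Correlated scenario: the alternate wholesaler fails together with the primary.
    print("PharmaDist+BackupDist:", outage_impact(FUNCTIONS, {"PharmaDist", "BackupDist"}))
```

On the sample data the connectivity provider and the interface engine rank first, even though neither appears on a clinician's list of "critical vendors": each is the sole supplier to two or more functions, which is exactly the cascading-failure concentration the analysis is meant to surface. The wholesaler scores zero on its own because an alternate exists, but scores as a full outage once the alternate is assumed to fail with it, which is the question to ask when primary and alternate share a hosting provider or network path.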
The second phase of the SMART Toolkit centers on mitigating risks identified during the earlier assessment of critical vendors. It aims to create management plans that strengthen resilience and reduce potential disruption. The process begins when a business owner initiates a vendor risk assessment. Each vendor is asked to complete a detailed questionnaire that captures its security posture, adherence to controls, and data protection practices. A Risk Assessor reviews the responses, identifies weaknesses, and documents findings. Vendors are notified about any areas needing improvement and asked to take corrective action.
In some cases, further discussions are held with vendor teams to clarify technical or operational details. These discussions may involve topics such as architecture, data handling, backup procedures, or recovery capabilities. Organizations are encouraged to prioritize vendors based on size, scope, and scalability, particularly when managing a large vendor base.
Next, vendors are classified according to their business criticality and the amount of protected health information they handle. High-tier vendors, whose services are essential or sensitive, undergo more frequent and detailed reviews, while lower-tier vendors are evaluated less often. This tiering approach allows for proportional oversight and balanced resource allocation. It also helps in differentiating contract terms and monitoring efforts based on vendor importance and risk exposure.
Standardization of workflows is essential at this stage. Establishing consistent documentation procedures and setting clear expectations for assessments ensures transparency and repeatability. Every risk assessment follows the same structure, reducing confusion and ensuring accountability across teams.
Once risks are identified, the Risk Assessor or team develops action plans. These plans address not only vulnerabilities linked to the vendor’s product or platform but also those related to the supporting infrastructure. Each action plan is tracked and monitored until completion. For high-priority issues, proof of remediation is required. For medium or low-priority issues, maintaining a plan of action is sufficient.
When a vendor fails to respond or address concerns, the matter is escalated to senior management. Communication tools or platforms can be used to coordinate with vendors and track responses efficiently.
Beyond assessment and follow-up, organizations develop mitigation and operational plans that enhance long-term resilience. The CISO team revisits vendor assessments to verify compliance with regulations and recommended practices such as contingency planning, patch management, software bills of materials, and secure design principles. Any unresolved risks are documented, discussed with the vendor, and monitored regularly.
Contracts are reviewed and updated to include clauses for incident reporting timelines, audit rights, and other security obligations. Vendors’ compliance with these clauses is tracked periodically to ensure accountability. Business owners are also expected to build downtime and disaster recovery plans tailored to their operations. These plans are tested through tabletop exercises to ensure staff readiness and refine procedures.
In conclusion, the HSCC finds that by forming collaborative planning teams, creating a common lexicon, and customizing the critical function maps, organizations can effectively identify and prioritize their critical vendors and products.
“The document emphasizes the importance of understanding materiality, conducting thorough risk assessments, and developing robust mitigation strategies to ensure the resilience of critical functions,” the document added. “By following the outlined steps and leveraging the provided templates, organizations can enhance their preparedness, ensure business continuity, and safeguard patient care and safety. Using this defined process can help organizations focus on remediating risks from prioritized high-risk vendors found during risk assessments, instead of just conducting numerous risk assessments and assuming all vendor risk is equal.”
Clearly, this proactive approach to risk management is essential for maintaining the integrity and availability of critical functions in the ever-evolving healthcare landscape.
In May, the HSCC CWG highlighted the significant cybersecurity challenges facing America’s resource-constrained healthcare providers. A recent report noted that these challenges stem from a limited workforce and expertise, outdated systems, and inadequate funding. The report, submitted to the U.S. Department of Health and Human Services, the White House, and the House and Senate Rural Health Caucuses, urges both the government and the broader healthcare community to invest in workforce development, financial support, and strategic partnerships to strengthen cybersecurity and safeguard patient safety.
