The Health Sector Coordination Council (HSCC), through its Cybersecurity Working Group, has released the Systemic Risk Mapping Toolkit, a new resource designed by and for the health sector. This toolkit helps healthcare organizations track and manage critical third-party services that support critical workflows, providing templates and methodologies to visualize, identify, and measure systemic risks posed by technology, software, and communication services essential to clinical, administrative, and manufacturing operations. The Healthcare Industry Cybersecurity Sector Mapping and Risk Toolkit (SMART) represents a 16-month cross-functional collaboration between 80 organizations spanning patient care, health insurance, laboratories, pharmaceutical and blood services, medical technology, public health, and health IT.
The SMART toolkit is aimed at cybersecurity, supply chain, risk, operations, and management executives across healthcare industry organizations of all sizes and subsectors, including healthcare providers, insurance, plans, and manufacturers. The recommended practices directly correspond to the third-party risk management imperatives in the Healthcare Industry Cybersecurity Strategic Plan 2024-2029, which the CWG released last year.
While large organizations have dedicated resources to improve the resiliency of critical functions, many small and medium-sized organizations do not have the same scale and need support with tools appropriate to their size, capabilities, and resource constraints.
The HSCC CWG will review and update the toolkit as experience and recommended improvements emerge. Stakeholders who have implemented these risk mappings are asked to provide feedback on their use to help strengthen and refine critical function risk management programs.
For now, the group does not consider AI as a separate element of its sector risk map. For solutions, software, or applications that include AI, organizations can include them as part of the mapping process. At the time of writing, the HSCC CWG is working with several AI task groups to consider third-party and other risks to the sector. These publications will be available throughout 2026.
The SMART Toolkit provides practical guidance and methods for managing systemic risks associated with critical functions and dependencies within health systems. This enables these organizations to demand high availability of safe products and services from their suppliers, helping to raise standards for critical functions across the healthcare ecosystem. In situations where customer leverage is insufficient to impact third-party security, SMART tools can help organizations anticipate potential incidents and develop backup and recovery plans.
“The critical functions of the healthcare sector form a complex ecosystem of interdependent organizations of all sizes, including patient care, payment and data management systems, pharmaceuticals, manufacturing, technology research, and public health administration,” Samantha Jacques, vice chair of the HSCC CWG and co-leader of the SMART task group, said in a recent media statement. “Cybersecurity events that impact a single supplier or third-party support for critical functions across healthcare workflows have a ‘one-to-many’ impact. For example, a disruption to one payment clearing house can halt a significant portion of the nation's healthcare delivery.”
“The impact of cyber disruption to critical functions can include loss of patient data or payment information, theft of intellectual property, and exploitation of vulnerabilities in medical devices that can disrupt functionality or harm patients,” said Adrian Meyers, co-leader of the SMART task group and Premera BlueCross chief information security officer. “The rise in ransomware threatens the availability of critical functions and systems, making it impossible for organizations to deliver the services and products patients and healthcare professionals rely on.”
The first phase of the SMART toolkit focuses on identifying systemic risks through a structured and repeatable process. Whether your organization is a small local hospital or a large enterprise, the same up-front work is required to accurately identify critical third-party functions. The goal is to recognize critical vendors, understand dependencies, and define what services and processes are “critical” to the ongoing operations of the organization.
This process begins by assembling a collaborative planning team that leverages multiple disciplines, including risk management, cybersecurity, legal, compliance, IT, finance, operations, and executive leadership. In large organizations, sub-teams with subject matter expertise may handle specific workflows or functions. This cross-functional approach ensures that no single department's perspective dominates and that system interdependencies are fully understood.
The team then develops a shared understanding of materiality and aligns on what is important for business continuity and patient safety. This definition often follows a unique risk rubric that assesses business, financial, safety, and regulatory impacts. Senior management and the board ultimately approve these thresholds in alignment with strategic and regulatory objectives. Shared definitions reduce confusion and allow analysis to focus on the systems and vendors that are truly impacted.
Once materiality is defined, the team determines which material capability maps apply to the organization. These maps, created from the toolkit's appendices, illustrate key healthcare workflows such as laboratory operations, medical device manufacturing, and pharmacy distribution. Your team reviews these templates, selects those that are relevant to your business, and prioritizes them based on importance and potential impact.
The next step is to customize the critical capability map to reflect your organization's actual workflows. Your team reviews each map and adds or adjusts elements to capture internal processes, data flows, and third-party integrations. Collaboration with subject matter experts is essential to ensure accuracy. These iterations continue until the workflow represents the actual operational situation.
Once the workflow is finalized, the team moves on to identifying vendors and the services and products associated with each critical capability. This includes all third-party entities that support the workflow (cloud providers, software vendors, data processors, supply chain partners). This process also needs to consider hidden dependencies such as APIs and automation tools that link the systems together. This step builds a comprehensive vendor inventory that maps directly to operational capabilities.
The final task in Phase 1 of the SMART toolkit is to perform a critical capability analysis to prioritize vendors. This includes simulating disruption scenarios where a vendor or service becomes unavailable without warning. The team assesses the operational impact, existing mitigations, and the scope of significant impacts, whether on a single function or across the organization. It then identifies choke points and risk concentrations that can lead to cascading failures. The result is a prioritized list of vendors and services that require focused attention in the next phase.
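The disruption simulation and choke-point analysis described in this step, as an added example that is not part of the HSCC toolkit: a small dependency map links critical workflows to the services they use, services to the vendors that supply them, and services to the hidden dependencies (APIs, SSO, integration links) they cannot run without. Taking one vendor offline propagates through those dependencies and ranks vendors by how many workflows halt. All vendor and system names are constructed placeholders.

```python
# Constructed sample dependency map (hypothetical vendor and system names,
# not taken from the HSCC toolkit or any real organization).
# service -> vendor that supplies it
SERVICE_VENDOR = {
    "ehr": "EHRVendor", "clearinghouse": "ClearCo", "lis": "LabSoft",
    "pacs": "ImageCloud", "pharmacy_sys": "RxSystems",
    "interface_engine": "IntegrateInc", "identity_sso": "IdentityCorp",
}
# Hidden dependencies: service -> services it cannot operate without (APIs, SSO, links)
SERVICE_DEPS = {
    "ehr": ["identity_sso"],
    "lis": ["interface_engine"],
    "pacs": ["interface_engine"],
    "pharmacy_sys": ["interface_engine", "identity_sso"],
}
# Critical workflow -> services it directly uses; it halts if any of them is lost
WORKFLOWS = {
    "claims_payment": ["ehr", "clearinghouse"],
    "lab_results": ["ehr", "lis"],
    "pharmacy_dispense": ["ehr", "pharmacy_sys"],
    "imaging": ["ehr", "pacs"],
}

def lost_services(vendor):
    """Services that fail when `vendor` is unavailable, including cascading
    failures: a service is lost if anything it depends on is lost."""
    lost = {s for s, v in SERVICE_VENDOR.items() if v == vendor}
    changed = True
    while changed:  # propagate until no new service is affected
        changed = False
        for service, deps in SERVICE_DEPS.items():
            if service not in lost and any(d in lost for d in deps):
                lost.add(service)
                changed = True
    return lost

def halted_workflows(vendor):
    """Critical workflows that stop when `vendor` goes down without warning."""
    lost = lost_services(vendor)
    return sorted(w for w, used in WORKFLOWS.items() if any(s in lost for s in used))

def risk_concentration():
    """Rank vendors by how many critical workflows their outage halts (one-to-many)."""
    ranked = [(v, halted_workflows(v)) for v in set(SERVICE_VENDOR.values())]
    return sorted(ranked, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for vendor, halted in risk_concentration():
        print(f"{vendor:13} halts {len(halted)}/{len(WORKFLOWS)}: {', '.join(halted) or '-'}")
```

Note that the identity provider never appears on any workflow map, yet its outage halts every workflow because the EHR depends on it; this is the kind of hidden dependency the inventory step is meant to surface.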
By the end of this phase, organizations will have a clear understanding of which functions and third-party relationships pose the highest systemic risk. This structured process helps move risk management from reactive problem-solving to proactive resilience-building, allowing organizations to anticipate and withstand disruptions rather than scrambling to recover from them.
The second phase of the SMART toolkit focuses on mitigating risks identified during the initial assessment of key vendors. The aim is to develop management plans that strengthen resilience and reduce potential disruptions. This process begins when business owners initiate a vendor risk assessment. Each vendor is asked to complete a detailed questionnaire that captures its security posture, administrative compliance, and data protection practices. Risk assessors review responses, identify weaknesses, and document results. Vendors are notified of areas that require improvement and asked to take corrective action.
In some cases, further discussions are held with the vendor team to clarify technical or operational details. These discussions may include topics such as architecture, data processing, backup procedures, and recovery features. Organizations are encouraged to prioritize vendors based on size, scope, and scalability, especially when managing large vendor bases.
Vendors are then categorized by business criticality and the amount of protected health information they handle. Top-tier vendors whose services are essential or sensitive receive more frequent and detailed reviews, while lower-tier vendors receive lighter evaluation. This layered approach allows for proportional monitoring and balanced resource allocation. It also helps differentiate contract terms and monitoring efforts based on vendor criticality and risk exposure.
Standardization of the workflow is essential at this stage. Establishing consistent documentation procedures and setting clear expectations for evaluations ensures transparency and reproducibility. All risk assessments follow the same structure, reducing confusion and ensuring accountability across teams.
Once risks are identified, a risk assessor or team creates an action plan. These plans address vulnerabilities related to the vendor's products or platforms as well as supporting infrastructure. Each action plan is tracked and monitored until completion. For high priority issues, evidence of remediation is required. For medium or low priority issues, maintaining an action plan is sufficient.
If the vendor fails to respond or address your concerns, the issue will be escalated to senior management. Use a communication tool or platform to coordinate with vendors and efficiently track responses.
Beyond assessment and follow-up, organizations develop mitigation and operational plans that strengthen long-term resilience. The CISO team reviews vendor assessments and verifies compliance with regulations and best practices such as contingency plans, patch management, software bill of materials, and secure design principles. All unresolved risks are documented, discussed with vendors, and regularly monitored.
Contracts are reviewed and updated to include provisions regarding incident reporting timelines, audit rights, and other security obligations. Vendor compliance with these terms is regularly tracked to ensure accountability. Organizations are also expected to create downtime and disaster recovery plans tailored to their operations. These plans are tested through tabletop exercises to ensure staff readiness and refine procedures.
In conclusion, HSCC confirms that by forming a collaborative planning team, creating a common vocabulary, and customizing a critical capability map, organizations can effectively identify and prioritize critical vendors and products.
“This document highlights the importance of understanding the criticality, conducting a thorough risk assessment, and developing strong mitigation strategies to ensure the resilience of critical functions,” the document added. “By following the steps outlined and leveraging the templates provided, organizations can increase preparedness, ensure business continuity, and protect patient care and safety. This defined process allows organizations to focus on remediating risks from high-priority, high-risk vendors discovered during risk assessments, rather than simply conducting numerous risk assessments and assuming that all vendors are at equal risk.”
Clearly, this proactive approach to risk management is essential to maintaining the integrity and availability of critical functions in an ever-evolving healthcare environment.
In May, the HSCC CWG highlighted the significant cybersecurity challenges facing America's resource-constrained healthcare providers. A recent report notes that these challenges stem from limited workforce and expertise, outdated systems, and inadequate funding. The report, presented to the U.S. Department of Health and Human Services, the White House, and the House and Senate Local Health Caucus, calls on both the government and the broader health care community to invest in workforce development, financial support, and strategic partnerships to strengthen cybersecurity and protect patient safety.
