Holmgren A Jay, Apathy Nate C, Kanter Genevieve P
Division of Clinical Informatics and Digital Transformation, University of California, San Francisco, CA 94131, United States.
Department of Health Policy and Management, University of Maryland, College Park, MD 20742, United States.
Health Aff Sch. 2025 Aug 18;3(8):qxaf164. doi: 10.1093/haschl/qxaf164. eCollection 2025 Aug.
Over the past decade, the electronic health record (EHR) market has become increasingly consolidated, with the majority of care delivery organizations now using one of two vendors, Epic or Oracle Health. This consolidation creates a "single-point-of-failure" tail risk for cybersecurity: one successful attack could expose millions of patients' private data and could potentially disrupt documentation, billing, and clinical care across thousands of sites at once. Moreover, dependence on other technology vendors, such as shared cloud hosts, broadens the potential attack surface beyond the EHR vendors' own perimeters, so a compromise of a hosting provider or other upstream supplier can reach the same concentrated population. Given that reversing consolidation is unlikely because of high EHR switching costs, it is critical that policymakers establish safeguards that ensure robust protections for patients' sensitive data. The Assistant Secretary for Technology Policy plays a critical role in mandating certain security features through the Certified Electronic Health Record Technology Program, and this role should be expanded to provide additional oversight, given the risks presented by the current market structure. Sustained investment in regulatory oversight and continued partnerships between policymakers, care delivery organizations, and EHR vendors are essential to contain the catastrophic risk posed by this ongoing market consolidation.