Abstract
Over the past decade, the electronic health record (EHR) market has become increasingly consolidated, with the majority of care delivery organizations now using 1 of 2 vendors -Epic and Oracle Health. This consolidation creates a "single-point-of-failure" tail risk for cybersecurity: 1 successful attack could expose millions of patients' private data and could potentially impact documentation, billing, and clinical care across thousands of sites. Moreover, dependence on other technology vendors, such as shared cloud hosts, broadens the potential attack surface beyond vendors' core firewalls. Given that reversing consolidation is unlikely due to high EHR switching costs, it is critical that policymakers establish safeguards that ensure robust protections for patients' sensitive data. The Assistant Secretary for Technology Policy plays a critical role in mandating certain security features through the Certified Electronic Health Record Technology Program, and this role should be expanded to provide additional oversight, given the risks presented by the current market structure. Sustained investment in regulatory oversight and continued partnerships between policymakers, care delivery organizations, and EHR vendors are essential to contain the catastrophic risk involved from this ongoing market consolidation.