Health Affairs Scholar. 2025 Aug 18;3(8):qxaf164. doi: 10.1093/haschl/qxaf164

Electronic health record market consolidation and implications for cybersecurity

A Jay Holmgren, Nate C Apathy, Genevieve P Kanter
PMCID: PMC12394940  PMID: 40896382

Abstract

Over the past decade, the electronic health record (EHR) market has become increasingly consolidated, with the majority of care delivery organizations now using 1 of 2 vendors, Epic and Oracle Health. This consolidation creates a “single-point-of-failure” tail risk for cybersecurity: 1 successful attack could expose millions of patients' private data and could disrupt documentation, billing, and clinical care across thousands of sites. Moreover, dependence on other technology vendors, such as shared cloud hosts, broadens the potential attack surface beyond the vendors' own perimeters. Given that reversing consolidation is unlikely due to high EHR switching costs, it is critical that policymakers establish safeguards that ensure robust protection of patients' sensitive data. The Assistant Secretary for Technology Policy plays a critical role in mandating certain security features through the Certified Electronic Health Record Technology Program, and this role should be expanded to provide additional oversight given the risks presented by the current market structure. Sustained investment in regulatory oversight and continued partnerships between policymakers, care delivery organizations, and EHR vendors are essential to contain the catastrophic risk posed by this ongoing market consolidation.

Keywords: health information technology, cyber security, electronic health records, market consolidation, privacy

Introduction

In January 2025, Oracle Health, 1 of the 2 largest electronic health record (EHR) providers in the United States, experienced a records breach that affected 6 million patients.1 This incident underscores the catastrophic cybersecurity risk posed by extreme market concentration in the EHR market. That only 2 firms dominate the EHR market creates a “single-point-of-failure” risk for cybersecurity: 1 successful attack could expose millions of patients' private data and could potentially impact documentation, billing, and clinical care across thousands of sites.

This “single-point-of-failure risk” is part of a larger trend. As cybersecurity incidents in health care have surged,2,3 the breadth of targets for ransomware attacks and data breaches has become more diverse, including hospitals and health systems, central data processors like Change Healthcare, and EHR vendors. Like Change Healthcare, the EHR vendor Oracle Health has a far more extensive reach across US health care than a single hospital or even a large health system.4 This article analyzes extreme cybersecurity threats posed by consolidation in the EHR market and discusses potential policy and regulatory solutions.

Electronic health record markets are increasingly consolidated

While the EHR vendor market was relatively diversified at the outset of the HITECH (Health Information Technology for Economic and Clinical Health) Act era, classified as a “competitive” market as of 2012, it has since shifted. Over the last decade, health systems have consolidated around the 2 largest EHR vendors, Epic and Cerner (now Oracle Health). These 2 vendors now dominate the EHR landscape, covering 71.7% of the national inpatient market and 69% of the ambulatory EHR market.5,6 As a result, the EHR market is now considered “highly concentrated.”

This consolidation has been driven by a variety of factors, including network effects, mergers and acquisitions, high regulatory burden more readily borne by incumbent firms, and a revealed preference by health systems for the feature-rich products offered by these leading vendors. Market concentration is not inherently problematic if it arises from superior product offerings and efficient service delivery rather than anticompetitive behaviors. The dominance of Epic and Oracle Health has brought measurable benefits, including improved interoperability and patient safety.7 However, this highly concentrated market structure introduces substantial “tail risk” of low-probability, high-impact events. Specifically, concentration within the EHR vendor market means that a cybersecurity breach at 1 of these dominant vendors could have catastrophic and far-reaching consequences, significantly affecting patient safety, data security, and health care operations nationwide.

Electronic health record vendors and cybersecurity

Concentration in the EHR vendor market has, in some ways, been good for EHR cybersecurity. Leading vendors like Epic and Oracle Health possess significant resources and expertise dedicated to cybersecurity, resulting in robust defensive measures. Large-scale software firms that handle sensitive data have strong incentives to protect their reputations, motivating investment in cybersecurity measures that far outstrip the capabilities of individual health systems. Further, health systems and patients impacted by an EHR vendor breach are likely to seek legal redress directly from vendors, providing additional incentive for these vendors to invest in security. Relative to previous eras, when many health systems used self-developed EHRs that lacked advanced security features, today's health data ecosystem is more resistant to low-sophistication threats that had rattled earlier health systems.

However, this concentrated market structure could amplify the impact of EHR cybersecurity breaches. Breaches could propagate quickly to scores of hospitals and office practices wholly dependent on a single vendor, threatening care delivery to millions of patients, delaying clinical documentation required for payments, and indiscriminately releasing sensitive health information. For example, in April 2025, a mistake by Oracle Health database engineers led to a 5-day outage at 45 of Community Health Systems' 71 hospitals.8 While not a cyberattack, it highlights the risks of centralized systems.

Moreover, although a direct attack on Epic or Oracle Health is unlikely to succeed because of the heightened security at these central hubs, EHR services may be more vulnerable at other entry points, through business-associate relationships. Like all software companies, EHR vendors themselves rely on technology vendors for database infrastructure, cloud hosting for applications, and other utilities on which these systems run. For example, any database or application that an EHR vendor hosts on Amazon Web Services (AWS) inherits exposure to attacks targeting AWS itself. There may also be vulnerabilities in vendors' legacy equipment or protocols, which can fail to keep pace with the evolving techniques of threat actors.

Indeed, the January 2025 Oracle Health breach has been attributed to a legacy server used for data migration to its cloud platform.1 Prior to this incident, the only other large known breach associated with an EHR vendor was reported in July 2020, involving a small vendor and affecting 2500 patients.9 These incidents and the highly concentrated EHR market point to a very real potential for catastrophic risk.

Policy and regulatory initiatives are key to ensuring data security

Unlike hospital and health insurance markets, EHR vendor consolidation does not appear to be driven by anticompetitive behavior. Antitrust enforcement is therefore unlikely to be an effective solution. Further, EHR switching costs are extremely high for health systems, making it unlikely that the market will become less concentrated even if there were more EHR vendors. Policymakers committed to ensuring the security of sensitive patient health data and guarding against the risk induced by EHR vendor market consolidation should instead focus on expanding and strengthening the powers of regulatory entities that oversee EHRs.

The Assistant Secretary for Technology Policy (ASTP), formerly known as the Office of the National Coordinator for Health Information Technology, has historically been a key policy actor in regulating EHRs. It has wielded significant influence over the functionalities of EHRs through the EHR certification program10 and has shown remarkable foresight in crafting a regulatory framework that has minimized large-scale attacks on EHR vendors. For instance, an investigation into the Change Healthcare breach revealed that a lack of multifactor authentication (MFA) was a significant contributor to the breach. Although MFA is an optional certification criterion in the EHR certification program, virtually every product listed in the Certified Health IT Product List (CHPL) includes this functionality, indicating the proactive stance that EHR vendors have adopted in response to ASTP guidance.

However, much of ASTP's current regulatory scope for EHR vendors has focused on “front-end” EHR functionality and interoperability, rather than the security practices and digital business infrastructure of EHR vendors themselves. An expansion of this scope could help ensure that regulatory mechanisms are in place to enforce EHR security standards and adapt to emerging cybersecurity threats. First, ASTP should prioritize expanding cybersecurity functionality requirements via the existing EHR Certification Program (eg, making the MFA criterion mandatory) and continually update these requirements as new technologies and threats develop. Second, ASTP should explore extending its cybersecurity toolkits, a set of evidence-based best practices and self-assessments that ASTP develops and publishes for patients and providers, with an additional toolkit of recommendations for EHR developers. Third, ASTP should proactively engage the largest EHR vendors via the Electronic Health Record Association to develop collaborative workgroups on cybersecurity. These efforts could also include funding vendor-agnostic research on emerging cybersecurity threats and the development of new security technologies, design principles, and best practices for EHR vendors. Proactive engagement with developers and other private sector partners is critical to ensure that mandating security functionality in the EHR Certification Program does not stifle private innovation or crowd out other important functionalities (eg, those that improve EHR usability).

In addition, ASTP should work with the Department of Health and Human Services (HHS) Office for Civil Rights to develop guidance and requirements to strengthen security provisions in contractual arrangements between EHR firms and their business associates. Strong provisions like indemnification can provide potent incentives for third-party vendors to buttress their security practices. Importantly, these recommendations are not comprehensive, and other federal agencies and regulators may also wish to pursue their own cybersecurity-related initiatives in partnership with or in parallel to ASTP.

HHS has recently proposed that ASTP be absorbed into the “Office of the Chief Technology Officer” within the Office of the HHS Secretary. The proposal effectively reduces the staffing, funding, and mandate of ASTP, further limiting its ability to counter EHR cybersecurity threats. The continued effectiveness of ASTP's regulatory oversight depends on sustained federal commitment, including maintaining technical expertise, fostering ongoing communication between vendors and regulators, supporting advisory bodies such as the recently suspended Health Information Technology Advisory Committee (HITAC), and engaging with stakeholders including payers, health systems, and patients. In the face of increasing ransomware attacks, policymakers, health care leaders, and regulators must collectively recognize and proactively mitigate the cybersecurity risks inherent in a concentrated EHR marketplace to safeguard the critical infrastructure underpinning health care delivery in the United States.

Supplementary Material

qxaf164_Supplementary_Data

Contributor Information

A Jay Holmgren, Division of Clinical Informatics and Digital Transformation, University of California, San Francisco, CA 94131, United States.

Nate C Apathy, Department of Health Policy and Management, University of Maryland, College Park, MD 20742, United States.

Genevieve P Kanter, Price School of Public Policy, University of Southern California, Los Angeles, CA 90089, United States.

Supplementary material

Supplementary materials available at Health Affairs Scholar online.

Funding

None declared.


Articles from Health Affairs Scholar are provided here courtesy of Oxford University Press
