They say that hindsight is 20/20, and certainly that holds true for regulations and safeguards in the US healthcare system. For rules to change, the risk must have been realized and pain must be felt acutely. In other words, that event/incident/disruption that everyone feared most already happened, leaving long-lasting damage for patients, healthcare providers, health insurers, and other stakeholders across the ecosystem.

Change Comes When Risk Has Been Realized

Before stakeholders take note and call attention to the change that must occur, they suffer extensive injuries, from huge financial losses to depletion of consumer trust. Those who don’t recognize the affliction typically downplay the event at first, only to be dragged before congressional hearings to explain how and why no one saw this coming. While the bar may feel high, the healthcare industry has experienced a series of such events in the first half of 2024 and should expect them to repeat unless big changes happen soon.

This is why, after years of ignoring costly cyberattacks on the healthcare system, even as the industry registered new records for the highest cost of a data breach three years in a row, both the US Department of Health & Human Services (HHS) and the US Department of Justice (DOJ) are now taking action to combat concentration risk and root out the single points of failure in the industry.

Healthcare Regulators Finally Act

The US HHS recently launched a project to create a map of cybersecurity risks inherent in having a single dominant supplier in the market. The project will start with a visual mapping of interdependencies to identify companies that could potentially become industry chokepoints, which is precisely what Change Healthcare’s $13 billion merger with UnitedHealth Group in 2022 created. The company operated the nation’s largest data clearinghouse, processing over 50% of all health insurance claims and about 44% of all funds processed in the US healthcare system (not to mention also being the largest employer of physicians; you do the math).

Similarly, the US DOJ recently launched a task force to address widespread competition concerns, including “issues regarding payer-provider consolidation, serial acquisitions, labor and quality of care, medical billing, healthcare IT services and access to and misuse of health care data.” The assistant attorney general of the DOJ’s Antitrust Division, Jonathan Kanter, shared in a statement that the task force will “identify and root out monopolies and collusive practices that increase costs, decrease quality, and create single points of failure in the healthcare industry.”

What’s Next And Upcoming Research

These are much-needed first steps toward understanding healthcare’s technology oligopoly (a market dominated by a small number of large players), which compounds even small mistakes and provides the conduit for small breaches to become widespread attacks. Even so, the HHS and DOJ must address all sources of concentration risk. Look for upcoming research from Arielle Trzcinski and me on the impact of concentration risk in healthcare and what you can do to mitigate it.
