From Prevention to Punishment: Why Removing Pre-Market Health IT Certification Is Dangerous (HTI-5 Article 3)
HTI-5 Has Multiple Levels of Wrong
“Before” versus “After” (FYI, “Before” is better)
Medical devices must be FDA-approved *before* they can harm patients. Cars must meet safety standards *before* they can crash. Pharmaceuticals must pass clinical trials *before* they reach your medicine cabinet.
But under HTI-5, health IT systems won’t need to prove security *before* they’re breached.
ONC proposes eliminating pre-market certification requirements for health IT security. The rationale? “These requirements are covered by other regulations.”
Here’s the problem: Post-incident enforcement is not equivalent to pre-market assurance. This shift puts patient data at unacceptable risk.
The Shift Being Proposed
The current model is prevention. ONC certification requires vendors to demonstrate security capabilities before deployment. Independent testing validates that features work as claimed. Hospitals can rely on certification when purchasing systems. Problems get caught in the lab—not in production with real patient data.
The proposed model is punishment. No pre-market verification of security capabilities. The entire system relies on HIPAA enforcement *after* breaches occur. OCR investigates and fines healthcare organizations post-incident. Vendors face no pre-market scrutiny.
This is a fundamental shift in how we approach health IT security. And it’s the wrong direction.
Why Pre-Market Certification Matters
It catches problems before patient harm
Software vulnerabilities found in a testing environment can be fixed before deployment to thousands of hospitals. Consider: certification testing discovers that encryption isn’t implemented correctly. The vendor fixes it before go-live. Without certification? That flaw is discovered only after a breach exposes millions of records.
It creates clear minimum standards
Vendors know exactly what’s required for certification. This reduces ambiguity and compliance risk. It enables apples-to-apples comparison during procurement. Most importantly, it establishes a market baseline that prevents a race to the bottom.
It shifts liability appropriately
With certification, the vendor proves the software has security features. Without certification, the hospital must verify vendor claims—and most hospitals lack the expertise or resources to do this effectively.
Here’s a real scenario: A hospital procurement team evaluates five EHR vendors. All claim to have “robust security.” How does the hospital verify those claims? Hire penetration testers for each vendor? That’s cost-prohibitive. With certification, independent verification is already done.
It enables innovation within guardrails
Clear requirements let vendors innovate in *how* they meet standards. This removes regulatory uncertainty that actually stifles development. Compare to FDA: device makers innovate constantly within a defined safety framework. The framework doesn’t prevent innovation—it channels it.
Post-Incident Enforcement Doesn’t Work for Software
The enforcement gap
HIPAA violations are investigated after breaches—it’s inherently reactive. The average time from breach to detection is 207 days. The average OCR investigation takes 18 to 24 months. Penalties are applied years after the vulnerability was introduced.
The wrong defendant problem
HIPAA fines healthcare organizations, not software vendors. The hospital gets penalized for using software that couldn’t meet requirements. Meanwhile, the vendor has already sold that same product to hundreds of other hospitals. There’s no mechanism to recall or fix defective software across the market.
Inadequate deterrence
OCR has limited resources: roughly 30 settlements per year versus thousands of covered entities. Low probability of enforcement means weak deterrence. Contrast with certification: 100% of products are tested before market entry.
The industry outlier
Look at how other industries handle this:
The perverse incentive
Without pre-market certification, the cheapest compliant strategy is: skip security features, pay the fine if caught.
Expected cost = (probability of enforcement) × (fine amount).
For many vendors, that’s less than the cost of implementing security properly. This makes non-compliance economically rational.
Real-World Consequences
Scenario 1: The new entrant
A startup builds an EHR without multi-factor authentication—it saves development cost. They market to small rural hospitals (the most price-sensitive buyers). Fifty hospitals adopt it over two years. Year three: massive breach due to a credential-stuffing attack. OCR investigates hospital #1, the one that reported the breach. The other 49 hospitals remain vulnerable with the same defective software.
Scenario 2: The race to the bottom
An incumbent vendor maintains security features, which increases their cost. A competitor removes “optional” security to undercut on price. The incumbent loses market share. They must either match (remove security) or exit the market. Result: industry-wide degradation of security standards.
The patient impact
Beyond the corporate dynamics, there are real people affected: financial fraud from stolen PHI. Identity theft. Erosion of trust in the healthcare system. Reduced willingness to share sensitive information with providers—which directly impacts care quality.
The “Trust the Market” Fallacy
ONC implies that market forces will maintain security standards. But this ignores basic information economics.
Information asymmetry means hospitals can’t effectively evaluate security claims. Split incentives mean the vendor profits from the sale while the hospital bears breach costs. This is a well-documented market failure in information security.
The market won’t fix this. That’s exactly why certification exists.
What Needs to Happen
Prevention is better than punishment—in medicine and in cybersecurity. Pre-market certification is not “duplication.” It’s the essential first line of defense.
If you work in healthcare IT, if you’re a patient who cares about your data, if you believe in evidence-based regulation: submit a comment to ONC opposing the removal of these requirements.
The comment period is open. Use it.
Next in the series: How Loper Bright changes the regulatory landscape for healthcare IT—and why that makes strong pre-market requirements more important, not less.