Healthcare pushes governance into architecture
New reporting shows insurers and Medicare are using AI in coverage decisions while lawsuits and privacy challenges pile up, and healthcare was the FBI’s top cyber target in 2025 with 460 ransomware attacks and 182 data breaches. Those legal and security incidents are forcing teams to treat where processing happens, auditability, and human override as architectural features rather than policy footnotes. (kffhealthnews.org) (aha.org) (arstechnica.com)
A health insurer deciding whether you can get a scan used to sound like paperwork. In 2026, it can also mean software making the first cut, while hospitals are getting hit harder than any other sector by ransomware at the exact moment more patient data is flowing through new tools. (kffhealthnews.org) (aha.org)

Prior authorization is the insurer’s permission slip before a test, drug, or procedure happens. Traditional Medicare mostly avoided it, but private insurers use it widely, especially in Medicare Advantage plans run by private companies for older adults and disabled people. (kffhealthnews.org)

Now artificial intelligence is moving into that permission-slip process. KFF Health News reported on April 10 that major insurers and even Medicare are using artificial intelligence in coverage decisions, while class action lawsuits accuse insurers of using it to wrongly withhold treatment. (kffhealthnews.org)

The federal government is not just watching this happen. A Medicare pilot announced last year is set to use artificial intelligence to review some prior authorization cases in Arizona, Ohio, Oklahoma, New Jersey, Texas, and Washington from January 1, 2026 through 2031. (kffhealthnews.org)

That changes what “governance” means inside a hospital or insurer. If a model can delay chemotherapy, rehab, or imaging, then a human override stops being a customer-service promise and starts looking more like an emergency brake built into the system itself. (kffhealthnews.org)

The same shift is happening on the privacy side. Ars Technica reported in April that Californians sued over an artificial intelligence tool used to record doctor visits, turning a familiar exam room conversation into a fight over consent, storage, and who gets to process the audio. (arstechnica.com)

Once software is listening to a clinic visit or scoring a treatment request, the technical design starts deciding legal risk. Where the data is processed, how long logs are kept, and whether a staff member can reconstruct the exact reason for a denial become product decisions, not compliance footnotes. (arstechnica.com) (kffhealthnews.org)

Security makes that more urgent. The American Hospital Association said on April 10, citing the Federal Bureau of Investigation’s annual internet crime report, that health care and public health was the top sector targeted in 2025, with 460 ransomware attacks and 182 data breaches, for 642 total cyber events. (aha.org)

Financial services was next at 447 total events, which puts health care far enough ahead to erase any idea that these are isolated incidents. A hospital adding artificial intelligence to claims review or visit documentation is doing it in the most-targeted cyber environment in the country. (aha.org)

States are already trying to slow this down. KFF Health News reported in March that at least four states — Arizona, Maryland, Nebraska, and Texas — enacted laws last year to rein in how artificial intelligence can be used in health insurance decisions. (kffhealthnews.org)

So the new architecture is not just “add an artificial intelligence feature.” It is local processing where possible, audit trails that survive a lawsuit, and a human reviewer with authority to reverse the machine before a denial becomes a medical event. (kffhealthnews.org) (aha.org)