Most legacy HIT infrastructure is a poor fit for highly data-driven healthcare. The outdated environments lack the agility and scalability required to rapidly aggregate, analyze and secure vast data sets from a boundless number of sources. Meanwhile public cloud platforms such as Azure and AWS have made the need for a data center full of physical servers practically obsolete — providing on-demand compute and storage with unlimited scalability, with customers paying only for what they use when they use it.

This begs the question…

What happens to existing IT infrastructure?

In order to answer this question, first conduct or refer to your existing in-depth inventory of your technology and information assets. Take the time to refresh your understanding of who uses which applications. Keep in mind, though, that moving to the cloud is not a matter of moving everything in your inventory from one end of the wire to the other. Migrating to the cloud provides an opportunity for a business, clinical and strategic revaluation of your application portfolio. Over time, can you consolidate or reduce applications as a part of your roadmap to the cloud?

Note that — if the idea of taking an inventory of years’ worth of IT infrastructure, applications and files is overwhelming — there are consultants and cloud providers that specialize in assisting with this important step.

Taking inventory shows where you can shed the bloat, including costly service level agreements and equipment no longer needed in the cloud. If you don’t need them, why keep paying for them? What you have pre-cloud is almost surely more than you’ll need to commission in the high performance environment of cloud computing. You may want to develop some level of total cost of ownership (TCO) comparison that demonstrates the financial rationale for moving to the cloud beyond the key benefits of increased agility and security.

Another important consideration is what to do with PHI stored on legacy devices—there are standards and guidance that give insight on how to properly dispose of and reallocate assets that house this data and other sensitive information. Details related to secure data disposal are not found within the HIPAA Privacy and Security Rule, nor the updated HITECH Act. However, technical guidance such as that found in the NIST Special Publications is extremely helpful and prescriptive. In addition, health organizations can turn to businesses certified in disposing of PHI according to independent best practices for data destruction.

For some, instead of starting with moving core production applications, a good starting point for moving to the cloud is backup and disaster recovery. HIPAA requires providers to back up PHI, and using the cloud as an offsite backup location is usually less expensive and more secure. The cloud eliminates capital equipment, maintenance and labor costs associated with backup and recovery, while presenting fewer security and recovery risks than tape drives and car trunks or secondary sites that are a short distance away.

When it comes to HIPAA compliance, probably the most common lack of awareness centers on PHI inventory, including where it’s stored and who has access to it. Yet, in the wake of an actual breach, the first question organizations will be asked is if they can provide a full accounting of all their PHI. If they can’t, it’s a given they won’t be able to prove measures are in place to safeguard this data. With the cloud, organizations have the opportunity to cost-effectively store, manage, and securely share their data from a single or at least reduced set of providers.

An IT environment pieced together out of legacy and leaky infrastructure is a recipe for breaches. Moving to a cloud environment, especially one managed by specialists who are completely focused on the administrative, physical, and technical aspects of cloud security — with deep expertise in safeguarding healthcare data — could be an organization’s best strategy for data security.

As for hardware, look for buyback programs from various vendors. Three to five years is a common target timeframe for replacing servers in most enterprises — a turnover that translates to frequent capital expense outlays. When decommissioning servers, instead of using capital dollars to buy new ones, move the data to the cloud and let the cloud provider worry about subsequent hardware updates. And don’t overlook service agreement savings now that ongoing support and maintenance of hardware is no longer needed.

On the software side, most applications can migrate quickly and easily to the cloud, while others may require some re-coding. The age of the app will be the deciding factor — those net-new apps that are built for or easily configure to the cloud will be the first to move. If an app is based on a recent OS and tools, it should be able to move to the cloud with only a few tweaks at most. Others may not be able to make the trip due to constraints, including previous custom software configuration mapped to specific hardware.


As the saying goes, change is inevitable. In terms of moving healthcare IT infrastructure from legacy to cloud environments, change is ultimately a win-win proposition. Healthcare is experiencing an unprecedented opportunity to improve clinical and financial outcomes, thanks to the availability of massive amounts of information, the tools to manipulate it and the cloud to securely host it.

As for IT staff, there’s no denying that almost all IT roles will eventually have to evolve. A move to the cloud affects all roles, from help desk managers to project managers to clinical application support teams to network and systems security.

While all this change sounds a bit stressful — and it can be — working within a cloud environment to deliver improved security, agility and cost savings to the healthcare organization may actually be welcome for IT professionals long ready for an infusion of new energy and challenge in their careers.

Editor’s note: Part 1 of this feature delved into what happens to IT staff when data and apps are migrated to the cloud.

Originally published November 2, 2016 by Health Data Management