Healthcare Cloud Migration: A Technical Playbook for CTOs

Table of Contents

Heading

EXCLUSIVE LAUNCH

AI Implementation in Healthcare Masterclass

Start the course

Key Takeaways

Healthcare cloud migration requires a PHI data map before any infrastructure work begins: every data store, queue, and log destination that touches patient data needs to be identified and classified, because HIPAA controls attach to the data path, not just the primary database.
The biggest technical risk in healthcare cloud migration is not downtime during cutover. It is the period after cutover when two systems are running simultaneously and the audit trail needs to cover both.
AWS HealthLake, Azure Health Data Services, and GCP Healthcare API each provide HIPAA-eligible managed services for clinical data, but "HIPAA-eligible" is not the same as "HIPAA-compliant" — your configuration, access controls, and BAA coverage determine compliance, not the service designation.
Zero-downtime migration for clinical systems requires a dual-write phase where both legacy and cloud systems receive writes simultaneously, with a reconciliation process that validates consistency before the legacy system is decommissioned.
HealthStack, Momentum's open-source Terraform library for AWS healthcare infrastructure, provides pre-configured HIPAA-compliant AWS infrastructure modules that cut initial cloud environment setup from weeks to days.

Is Your HealthTech Product Built for Success in Digital Health?

Download the Playbook

Introduction

Healthcare cloud migration carries a different risk profile than migrating a retail or SaaS application. The data moving through the system is protected health information under HIPAA. Every data store in the cloud environment requires a Business Associate Agreement with the cloud vendor, encryption at rest and in transit, access logging, and a documented access control policy. Those requirements apply to your primary database, your message queues, your log aggregation service, your backup buckets, and any temporary staging environment that touches PHI during the migration itself.

Healthcare CTOs planning a cloud migration typically underestimate the scope of that PHI surface area. The technical migration work sits on top of a compliance foundation that has to be built correctly before any data moves. This guide covers both layers: the HIPAA infrastructure controls that cloud environments need before PHI arrives, and the migration patterns that work for clinical systems that cannot tolerate unplanned downtime or data inconsistency.

Our HIPAA compliance guide for healthcare CTOs covers the full control set in detail.

Pre-Migration: PHI Data Mapping and Compliance Readiness

Healthcare cloud migration starts with a PHI data map, not with infrastructure provisioning. The data map identifies every system, database, cache, queue, and log store that contains or processes patient data. In most healthcare applications that have been running for several years, this list is longer than the initial estimate by 30-50%. Log aggregators often store request/response payloads that include PHI. Message queues used for appointment notifications contain patient identifiers. Temporary files written during ETL processes may hold partial records.

Each item on the PHI data map requires a corresponding cloud service selection and a BAA confirmation. AWS maintains a list of HIPAA-eligible services; not every AWS service is on that list. Running PHI through a non-eligible service in a technical migration creates a HIPAA violation regardless of whether the data is encrypted. Map first, select services second.

Compliance readiness for the cloud environment before migration includes four categories of controls. Access controls: IAM policies that restrict PHI access to the minimum necessary for each service role. Encryption: AWS KMS keys for data at rest, TLS 1.2 or higher for data in transit. Audit logging: CloudTrail for all API calls, VPC Flow Logs for network traffic, with logs retained for at least six years per HIPAA requirements. Backup and recovery: automated backups for all PHI data stores with recovery point objectives and recovery time objectives documented and tested before go-live.

For teams starting from scratch on AWS healthcare infrastructure, HealthStack is an open-source Terraform library that provides pre-configured modules for all of these controls. The HIPAA-compliant infrastructure setup guide with HealthStack covers what the setup process looks like in practice.

Selecting Cloud-Native Clinical Data Services

For FHIR data specifically, the cloud provider options each have tradeoffs. AWS HealthLake is a fully managed FHIR R4 data store with built-in search, SMART on FHIR authentication support, and integration with AWS analytics services. Our SMART on FHIR with AWS HealthLake implementation guide covers the Terraform configuration. Azure Health Data Services and GCP Healthcare API provide comparable managed FHIR stores on their respective platforms.

The case for migrating to a managed clinical data service rather than lifting and shifting a self-managed FHIR server is operational: managed services handle availability, scaling, backup, and security patching. The case against is migration complexity and vendor lock-in.

For HL7 v2 message processing, the FHIR and HL7 foundation guide covers what each message type contains and what transformations are typically needed when moving from on-premises HL7 processing to cloud-based ingestion.

For EHR integration with the cloud environment, the architecture typically keeps the EHR vendor's FHIR API as the authoritative source and builds the cloud data layer as a downstream consumer. Migrating to cloud does not move the EHR; it changes where the application processing and storage happens. See our EHR integration guide for the details.

Healthcare Cloud Migration: Zero-Downtime Patterns for Clinical Systems

Clinical systems that support active patient care cannot tolerate unplanned downtime during migration. A scheduling system going offline during business hours has direct patient care impact. Zero-downtime healthcare cloud migration uses a dual-write pattern during the transition period.

The application writes to both the legacy system and the new cloud infrastructure simultaneously, starting with a shadow mode where cloud writes are not authoritative and the legacy system remains the source of truth. This shadow phase runs long enough to validate that every write path in the application is covered, that the data arriving in the cloud environment matches the legacy system, and that the cloud environment performs within acceptable latency bounds under production-representative load.

The reconciliation layer during dual-write is where most migrations encounter unexpected complexity. Write operations that succeed in the legacy system and fail in the cloud need to be detected and retried. The reconciliation process is not a one-time job; it runs continuously during the dual-write phase and generates a report that the migration team reviews before advancing to the next phase.

Cutover from legacy to cloud moves the authoritative source of truth from the legacy system to the cloud environment. For most clinical systems, this is a scheduled maintenance window during which the legacy system accepts no new writes, the final reconciliation pass runs, and the cloud environment is promoted to primary.

Rollback planning needs to be explicit before cutover starts. What specific criteria trigger a rollback? What is the rollback procedure if a critical data issue surfaces 12 hours after cutover? These questions need documented answers that the migration team has rehearsed.

HIPAA Controls During the Migration Window

The migration window itself creates a compliance risk that is often underestimated: PHI is in transit between systems, potentially sitting in intermediate staging environments or data export files that fall outside the normal access control and audit log scope.

Four controls apply specifically to the migration window. First, any staging environment or migration tooling that handles PHI needs the same HIPAA controls as production. Second, PHI exported from the legacy system should be encrypted at the file level before leaving the legacy environment, with decryption keys managed separately from the data files. Third, the audit trail during migration needs to capture both the legacy system's activity log and the cloud environment's activity log. Fourth, any third-party migration tooling that processes PHI requires a BAA before the tool touches data.

The HIPAA-compliant software development checklist covers the control categories. The AI and HIPAA compliance overview addresses BAA and data processing requirements for AI-assisted migration tooling.

Post-migration, access to the decommissioned legacy system needs to be revoked or restricted immediately. Legacy systems left accessible after migration are a common source of unauthorized PHI access.

Post-Migration Validation for Clinical Systems

Data completeness validation compares record counts and checksums between the legacy system and the cloud environment across every PHI data store. Missing records in a clinical context are not acceptable, so this validation needs to be thorough, not sampled.

Functional validation tests that every application workflow that touches clinical data produces correct results in the cloud environment. A workflow that worked correctly in the legacy system may fail in the cloud environment due to schema differences, timezone handling differences, or character encoding differences in legacy data.

Performance validation measures query and write latency under production-representative load. Cloud environments do not automatically outperform on-premises systems, particularly for database queries that were optimized for on-premises infrastructure.

Security validation confirms that the access control configuration is correct: each role can access the data it needs and cannot access data it should not. For healthcare systems with complex role-based access control, this validation requires test accounts for each role type and a documented test matrix.

For organizations preparing for AI implementation post-migration, the making healthcare data AI-ready guide covers the additional data quality and structure requirements that AI use cases impose.

Healthcare Cloud Migration Timeline and Cost Factors

A healthcare cloud migration for a production clinical system takes 16-28 weeks from assessment to decommission of the legacy system.

Weeks 1-4 cover assessment and planning: PHI data mapping, compliance readiness gap analysis, cloud service selection, and migration architecture design. Organizations that skip this phase typically encounter scope changes in weeks 8-12 that cost more time than the assessment would have taken.

Weeks 5-10 cover cloud environment buildout: HIPAA-compliant infrastructure provisioned with Infrastructure as Code, BAAs confirmed for all cloud services in scope, network architecture validated, and security controls tested. For AWS-based migrations, HealthStack use cases covers the specific infrastructure patterns relevant to healthcare applications.

Weeks 11-20 cover dual-write setup, data migration execution, and reconciliation validation. Plan for this phase to surface problems that extend the timeline by 2-4 weeks in complex migrations.

Weeks 21-28 cover cutover, post-migration validation, and legacy system decommission. The cutover window itself is typically 4-8 hours, but the validation period before the legacy system is decommissioned runs 2-4 weeks in most clinical deployments.

Cost factors that healthcare CTOs consistently underestimate include: BAA review and legal counsel for new cloud vendor agreements, clinical validation effort, and the operational overlap period where both legacy and cloud environments are running simultaneously.

Momentum's infrastructure and security services cover healthcare cloud migration across AWS, Azure, and GCP, including HIPAA-compliant infrastructure buildout with Terraform, PHI data mapping, dual-write migration architecture, and post-migration security validation.

Frequently Asked Questions

How long does a HIPAA-compliant healthcare cloud migration take?

For a production clinical system, budget 16-28 weeks from assessment to legacy system decommission. The range depends on PHI surface area complexity, application re-architecture requirements, and clinical validation scope. Migrations that start with thorough PHI data mapping and compliance readiness assessment in weeks 1-4 typically stay closer to 16 weeks.

Does moving to the cloud make a healthcare application HIPAA compliant?

No. Cloud providers offer HIPAA-eligible services and will sign Business Associate Agreements, but compliance depends on your configuration, access controls, audit logging, and policies. AWS HealthLake being HIPAA-eligible means AWS will sign a BAA for that service; it does not mean any workload you run on it is compliant.

What is the biggest technical risk in healthcare cloud migration?

Data inconsistency during the dual-write phase, combined with inadequate reconciliation coverage. If the application has write paths that are not covered by the dual-write pattern, records can diverge between legacy and cloud systems without detection. Thorough audit of all write paths before dual-write begins, combined with continuous reconciliation during the migration window, is the primary mitigation.

Can a healthcare organization do a lift-and-shift migration or does the application need to be re-architected?

Both approaches are viable depending on the application architecture and clinical data requirements. Lift-and-shift is faster and lower-risk for migrations where the application is already cloud-compatible. Re-architecture makes sense when the migration is an opportunity to move from a self-managed FHIR server to AWS HealthLake, or when the existing architecture has scalability problems that the migration can address simultaneously.

What cloud infrastructure does a HIPAA-compliant healthcare application need?

At minimum: a VPC with private subnets for all data stores containing PHI, encryption at rest for all storage services, TLS for all data in transit, CloudTrail enabled for all API activity, VPC Flow Logs, managed key rotation via KMS, and IAM policies following least-privilege access. All services that process PHI require a BAA with the cloud provider.

How should organizations handle EHR integration during cloud migration?

EHR integration endpoints typically remain unchanged through a cloud migration. The migration needs to ensure that the cloud environment's network configuration allows outbound connections to EHR API endpoints, that authentication credentials are migrated to cloud-native secrets management, and that any webhook or callback URLs from the EHR to your application are updated to the new cloud endpoints.

What happens to the legacy system after cloud migration is complete?

The legacy system should have write access revoked immediately after cutover validation passes. Most organizations keep the legacy system accessible in read-only mode for 60-90 days post-migration, then complete decommission once all post-migration audit and validation activities are finished.

Written by Bartosz Michalak

Director of Engineering

He drives healthcare open-source development at the company, translating strategic vision into practical solutions. With hands-on experience in EHR integrations, FHIR standards, and wearable data ecosystems, he builds bridges between healthcare systems and emerging technologies.