Third Pillar

Healthcare Technology Assessment & Funded Cloud Remediation

The Seven Flows identify governance failures. The Constitutional Transition Matrix identifies domain crossings. The technology assessment answers the next question: can your infrastructure enforce governance programmatically — and who pays to fix it?

Technology is not an end in itself. It is the enabler of governance and the vehicle for remediation. The technology assessment is diagnostic — it identifies what infrastructure exists at each boundary, what it can do, what it cannot do, and what it would need to do to close the governance gaps the audit has identified. It does not prescribe specific vendor solutions. The remediation roadmap presents infrastructure requirements that any compliant solution must satisfy. Commercial decisions about implementation are the client’s to make.


The Digital Clinical Safety and NHS IT Compliance Gap

Despite the strict legal mandate of DCB 0129 and DCB 0160 under the Health and Social Care Act 2012, a 2025 JMIR cross-sectional study of 239 NHS organisations found that 70.1% of 14,747 active digital health technology deployments possess no documented clinical safety assurance. The technology assessment begins with this baseline: if internal clinical safety assurance is this deficient, the boundary dimension — where these systems exchange data with other organisations — is structurally unassessed.

The Data Use and Access Act 2025 (s.121) grants binding statutory powers to mandate information standards covering system functionality, interoperability, data portability, and security. The NHS Ten Year Plan mandates a cloud-first digital strategy and modular architectures. The technology assessment is a statutory necessity, not an optional enhancement.


Four Healthcare IT Assessment Domains

Technical Footprint Discovery

We map the client’s current technical estate at each organisational boundary: the APIs, data feeds, messaging systems, and manual processes through which the Seven Flows must operate.

  • Complete inventory of integration points at each boundary
  • Server dependency mapping showing which systems support which flows
  • Software licensing analysis identifying lock-in, expiry dates, and migration constraints
  • Network topology showing how clinical data physically traverses boundaries
  • Identification of unmonitored APIs — integration points with no logging, no governance, and no clinical safety coverage

Interoperability Readiness

We assess readiness for the interoperability standards mandated by the Ten Year Plan and DUA 2025.

  • FHIR API maturity at boundaries
  • GP Connect readiness for primary care boundaries
  • Transfer of Care compliance for discharge summaries and outpatient letters
  • Federated Data Platform integration preparedness
  • EMIS-X migration planning and API transition strategy
  • National Data Opt-Out propagation across all boundary integrations

Security & Compliance Posture

Assessment against mandatory frameworks at every boundary:

  • NHS DSPT: current status, NDG 10 data security standards, gap between self-assessed and actual capability
  • NCSC Cloud Security: 13 recommended actions for secure cloud environments
  • DCB 0129/0160: does a clinical safety case exist for every health IT system at a boundary?
  • ISO 27001/27002: coverage of boundary integrations within ISMS scope
  • MHRA Medical Devices: for boundaries involving AI-assisted clinical decision-making or SaMD

Cloud Maturity & Migration Readiness

Six-dimension assessment determining whether the organisation is ready for infrastructure modernisation:

  • Business alignment
  • Process maturity
  • People and skills
  • Platform capability
  • Operational readiness
  • Security posture

Produces: current state classification, workload suitability analysis, skills gap assessment, total cost of ownership modelling, and clinical risk assessment for migration itself.

Can your infrastructure enforce responsibility transfer?

MVRT — Minimum Viable Responsibility Transfer — is the normative governance control at the centre of the assessment. But governance policy alone is insufficient. The infrastructure must be able to enforce it. For every boundary identified, the technology assessment asks:

  • Can the sending system confirm that the receiving system has acknowledged receipt?
  • Can the infrastructure prevent a responsibility transfer from completing without bilateral acknowledgement?
  • Is there a defined escalation pathway if acknowledgement is not received within a clinically safe timeframe?
  • Can the system identify and flag unowned patients — those in transit between organisations with no named responsible clinician?
  • Does the infrastructure log MVRT events as auditable governance artefacts that feed into the Clinical Safety Hazard Log?

Where the infrastructure cannot enforce MVRT, the remediation roadmap specifies the architectural requirements. This is the most safety-critical technology requirement at any boundary.
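The five questions above can be read as requirements on a small state machine. The sketch below is an added illustration, not part of the audit methodology or any vendor's product: the `MVRTLedger` class, its method names, the four-hour acknowledgement deadline and the hash-chained audit log are all assumptions chosen for the example.

```python
import hashlib, json

ACK_DEADLINE_S = 4 * 3600   # assumed "clinically safe timeframe"; set per pathway

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class MVRTLedger:   # hypothetical: sender stays responsible until the receiver acknowledges
    def __init__(self):
        self.transfers, self.log = {}, []   # patient -> transfer; hash-chained audit events

    def _move(self, t, state, ts):
        t["state"] = state
        body = {"event": state, "patient": t["patient"], "from": t["sender"], "to": t["receiver"],
                "ts": ts, "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        self.log.append({**body, "hash": _digest(body)})

    def offer(self, patient, sender, receiver, ts):
        t = self.transfers[patient] = {"patient": patient, "sender": sender,
                                       "receiver": receiver, "offered_at": ts}
        self._move(t, "OFFERED", ts)

    def acknowledge(self, patient, receiver, ts):
        t = self.transfers[patient]
        if receiver != t["receiver"] or t["state"] == "COMPLETED":
            raise PermissionError("acknowledgement rejected")
        self._move(t, "ACKNOWLEDGED", ts)

    def complete(self, patient, ts):
        t = self.transfers[patient]
        if t["state"] != "ACKNOWLEDGED":   # no implicit assumption of responsibility
            raise RuntimeError("blocked: no bilateral acknowledgement")
        self._move(t, "COMPLETED", ts)

    def responsible(self, patient):   # always returns a named party: no unowned patients
        t = self.transfers[patient]
        return t["receiver"] if t["state"] == "COMPLETED" else t["sender"]

    def sweep(self, now):   # escalate offers not acknowledged within the deadline
        late = [t for t in self.transfers.values()
                if t["state"] == "OFFERED" and now - t["offered_at"] > ACK_DEADLINE_S]
        for t in late:
            self._move(t, "ESCALATED", now)
        return [t["patient"] for t in late]

def verify_chain(log):   # False if any audit event was altered or reordered
    prevs = ["0" * 64] + [e["hash"] for e in log]
    return all(e["prev"] == p and _digest({k: v for k, v in e.items() if k != "hash"}) == e["hash"]
               for e, p in zip(log, prevs))
```

An assessor can put the same questions to a real integration: which call plays the role of `complete`, what stops it succeeding without an acknowledgement, and whether the event log would reveal an edit after the fact.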


EHR Interoperability: The Systems at Your Boundaries Are Changing

The technology assessment accounts for the specific platform transitions underway among major EHR and HealthTech providers. Their APIs represent the literal boundaries where clinical responsibility transfers — and where MVRT is most often violated.

Acute Care Boundaries — Epic and Oracle Health

Epic and Oracle Health dominate the acute care EHR landscape. As these environments become fully cloud-native, their ability to expose FHIR endpoints via managed health data services fundamentally alters how they govern Provenance and Identity flows at external boundaries. Oracle Health’s NHS modernisation work — including the Hospital Episode Statistics pipeline — demonstrates the scale of cloud-native transformation underway.

The audit evaluates how your acute care systems integrate at boundaries: what FHIR resources are exposed, what governance wraps the API layer, and whether the boundary integration has clinical safety coverage in the hazard log.

Primary Care Boundaries — EMIS-X Migration

The migration from legacy EMIS Web to the cloud-native EMIS-X platform is the most significant primary care infrastructure change in a decade. Initial EMIS-X integration capabilities launched in early 2025, with full migrations accelerating through 2026 and EMIS Web sunsetting by 2027.

EMIS-X supports FHIR-based messaging for GP Connect, the Electronic Prescription Service, and the Transfer of Care Initiative. But the transition itself creates acute boundary risk: organisations migrating between platforms risk loss of Clinical Intent, Consent, and Responsibility signals during cutover. The technology assessment evaluates migration plans, API transition timelines, and governance of the cutover period.

Virtual Care & Platform Boundaries

Virtual care and telehealth platforms operate inherently at organisational boundaries. Every clinical interaction on these platforms crosses at least one boundary. The platform IS the boundary.

For these providers, enforcing Alert & Responsibility is a matter of clinical survival. When a remote monitoring algorithm detects a deteriorating patient, the alert must cross the API boundary into an acute or primary care setting with an explicit declaration of who assumes clinical risk. Without infrastructure facilitating this transfer, the risk of undetected deterioration rises.

Some platforms are particularly complex: an insurer subsidiary delivering NHS care via a digital platform simultaneously occupies multiple constitutional domains through a single technology stack — insurance, NHS provider, and digital platform all at once.

Clinical System Integration: What Compliant Infrastructure Must Do

Where the technology assessment identifies infrastructure gaps, the remediation roadmap specifies vendor-neutral requirements. These define what the infrastructure must do, not how it must be built.

Secure Multi-Tenancy at Clinical Boundaries

When clinical data crosses an organisational boundary, the infrastructure must provide verifiable isolation between tenants. This includes: data segregation between distinct clinical entities, attribute-based access control evaluating clinician identity, organisational context, clinical intent, and patient consent in real time, centralised auditable policy management, and Zero Trust architecture where no implicit trust exists between organisations sharing a boundary.

Private Connectivity for Clinical Data

Clinical data traversing boundaries must not be exposed to public internet threat vectors. The target architecture requires: private connectivity bypassing public internet, secure HSCN integration for NHS boundaries, encrypted auditable channels for cross-constitutional boundaries, and native integration with FHIR API gateways for private inter-organisational data exchange.

Landing Zone Architecture

For organisations requiring infrastructure modernisation, the roadmap specifies a secure, multi-account cloud environment: account segregation aligned to organisational and constitutional boundaries, centralised logging and audit trail for all boundary data flows, continuous compliance monitoring against NCSC, DSPT, and DCB 0129/0160, automated detective guardrails, infrastructure-as-code deployment, and alignment with the NHS cloud-first strategy.

Healthcare Cloud Migration Funding: How to Fund the Fix

A critical output of the technology assessment is the identification of available funding mechanisms that offset the cost of infrastructure remediation. For NHS organisations and their partners, significant public sector funding exists specifically for cloud migration and modernisation. The audit identifies which vehicles are applicable and builds a financial model into the remediation roadmap.

AWS Migration Acceleration Program (MAP)

The primary funding mechanism for NHS cloud modernisation. Designed to offset the financial burden of running legacy and new infrastructure simultaneously during transition.

| Tier | ARR Range | Description |
|---|---|---|
| MAP Standard | $500k–$10M ARR | Enterprise workloads. Full three-phase funding. |
| MAP Lite | $100k–$500k ARR | Mid-market migrations. Streamlined funding. |

Funding releases across three phases:

| Phase | Funding | Application to Boundary Audit |
|---|---|---|
| Assess | 5% of projected ARR as partner cash (up to $75k) | Directly funds the initial Boundary Risk Assessment including technology assessment. |
| Mobilize | 20% of post-migration ARR as partner cash | Funds detailed migration planning, landing zone deployment, and remediation of boundary governance infrastructure. |
| Migrate & Modernize | 25% of post-migration ARR as customer credits | Offsets operational run costs post-migration. |

Strategic Partner Incentives (SPIs)

Additional funding for deep architectural modernisation:

| SPI | Funding | Relevance |
|---|---|---|
| Modernization | 10% of ARR, up to $100k cash | Re-architecting boundary integration layers from monolithic to cloud-native microservices. |
| VMware | 10% of ARR, up to $200k cash | Escaping legacy VMware environments facing restrictive licensing changes. Many NHS trusts affected. |
| Move to AI | Scope-specific | AI capabilities at boundaries: clinically safe discharge summarisation, AI-driven triage, voice analytics. |

UK Public Sector — OGVA 2.0

The One Government Value Agreement between AWS and Crown Commercial Service treats the entire UK public sector as a single enterprise client. Under the Prime Tier, NHS trusts committing to a three-year plan receive: significant baseline consumption discounts, up to $250,000 in promotional credits, and dedicated funding pools for AI proofs-of-concept, legacy data centre exits, and VMware migrations.

Stacking strategy: By combining OGVA 2.0 discounts with MAP cash and SPIs, the remediation roadmap can present a largely self-funding commercial proposition. The technology assessment quantifies this for each client, showing exactly how governance remediation and infrastructure modernisation can be funded through available mechanisms.

Cloud platform neutrality: While AWS MAP and OGVA 2.0 are detailed as the most developed public sector pathway, the audit’s requirements are cloud-agnostic. Azure offers comparable incentives through Azure Migrate and Modernize. Google Cloud provides healthcare-specific migration support. The roadmap identifies the applicable mechanism for the client’s existing platform.

What the technology assessment delivers

| Deliverable | Content |
|---|---|
| Boundary Integration Map | Visual and tabular mapping of every integration point at each boundary — which systems communicate, through what protocols, with what logging and governance. |
| MVRT Compliance Matrix | Per-boundary assessment of whether infrastructure enforces explicit responsibility transfer or allows implicit assumption. Red/amber/green per boundary. |
| DCB 0129/0160 Technology Risk Register | Health IT systems at boundaries lacking clinical safety assurance, with risk severity based on the flows they support. Feeds directly into the CSO’s Hazard Log. |
| Interoperability Readiness Score | Per-boundary FHIR API maturity, GP Connect readiness, Transfer of Care compliance, and FDP integration preparedness. |
| Cloud Maturity Assessment | Six-dimension readiness assessment. Skills gaps, cost implications, migration risks. |
| Infrastructure Remediation Roadmap | Sequenced, costed pathway from current to target architecture. Vendor-neutral requirements. Applicable funding mechanisms with projected values. |
| Funded Business Case | Board-ready financial model: total cost of ownership comparison, available funding stack, projected timeline. Designed for CFO presentation alongside the governance scorecard. |

These deliverables integrate with the governance scorecard and constitutional analysis. The Boundary Integration Map shows WHERE the Seven Flows must operate. The MVRT Compliance Matrix shows WHERE responsibility transfer fails. The DCB Technology Risk Register feeds the CSO’s Hazard Log. The Remediation Roadmap presents the funded pathway to close the gaps. Together, the three pillars produce a unified audit connecting statutory obligation to operational reality to infrastructure capability.

The technology assessment is governance-focused, not a penetration test. We conduct structured interviews with IT and integration leads and review integration specifications, API documentation, and network topology. We may request a guided walkthrough of live boundary integrations (Observed evidence level), but we do not require administrative access to production systems.

No. The roadmap specifies vendor-neutral infrastructure requirements. While we detail AWS MAP and OGVA 2.0 as the most developed public sector funding pathway, equivalent programmes exist for Azure and Google Cloud. The requirements are cloud-agnostic. Platform and implementation partner decisions are the client’s to make.

Who the technology assessment is for

  • Chief Information Officers (CIOs)
  • Chief Clinical Information Officers (CCIOs)
  • Enterprise IT Architects
  • Clinical Safety Officers (CSOs)
  • CFOs managing digital transformation budgets
  • Integration & Interoperability Leads