Architecting for Agility: Why Modernization Requires a Zero Trust Backbone

By Nick O’Connor, Chief Technology Officer – VP Product Engineering, Trinity Health

As a Chief Technology Officer, my mandate is simple: ensure the technology stack enables the business to move fast. In a healthcare environment, “moving fast” isn’t a metaphor; it translates directly to how quickly a clinician can access patient data, whether they are in the ER, a remote clinic, or their home office.

For years, security and agility were at odds. We built rigid perimeters and forced traffic through bottlenecks in the name of safety. But in a digital-first world, that legacy architecture is no longer a shield; it is an anchor. To modernize effectively, we must maintain a sharp focus on decoupling access from the underlying infrastructure.

Our Chief Information Security Officer focuses on tackling threats and ensuring regulatory compliance, while we collaborate on designing strategies that create a secure environment by default and deliver an excellent user experience. Zero Trust goes beyond being just a security feature; it’s now considered the modern standard for enterprise connectivity architecture.

The Friction of Legacy Infrastructure

The traditional healthcare network was built on “flat” topologies and expensive, static private circuits. This model created a massive amount of technical debt. We were backhauling cloud traffic through centralized data centers just to secure it, introducing latency to SaaS applications that frustrated users. When clinicians deal with slow VPNs and dropped connections, they find workarounds, and those workarounds create Shadow IT.

Being Cloud Smart, Not Cloud First

Modernization does not mean recklessly dumping every workload into a hyperscaler. At Trinity Health, we adopted a “Cloud Smart” approach. This is an engineering decision, not a mandate.

We realized that you cannot scale a digital transformation strategy if you are limited by physical hardware provisioning. We needed a redesign that was software-defined, identity-aware, and capable of supporting our Cloud Smart strategy.

This approach has also unlocked our ability to move even advanced clinical platforms, such as imaging, to the cloud. By focusing on latency and criticality, we can migrate these workloads responsibly, delivering the performance clinicians expect while leveraging the scalability and flexibility of cloud infrastructure. This means we’re not just shifting basic collaboration tools, but also enabling high-performance clinical applications to benefit from cloud advancements, without sacrificing user experience or reliability.

To make this hybrid model work without drowning in complexity, we had to modernize our transport layer. We moved away from rigid circuits to Software-Defined Wide Area Networking (SD-WAN).

From a CTO’s perspective, SD-WAN is a game changer for operations and resiliency. It allows us to bond multiple transport types (broadband, fiber, 5G) into a single logical connection. As an example of resiliency, if a carrier has an outage, the software-defined platform is immediately aware and modifies routing instantly while keeping the application session alive. It also allows us to treat the internet as our primary transport, secured by software, which significantly reduces our operational expenses compared to legacy dedicated lines.

Identity = Control Plane for Modern Security

We integrated this transport layer with a Secure Access Service Edge (SASE) architecture. This is where the partnership with the CISO becomes the engine of modernization. By adopting Zero Trust Network Access (ZTNA), we stopped managing IP addresses and started managing identities.

In the old world, a VPN placed a user directly on the network. If that user was compromised, the attacker had a clear line of sight to the rest of the enterprise. In our modernized architecture, users are never on the network; they are connected directly to the specific applications they are authorized to use. We retired legacy VPN concentrator hardware that was cumbersome to patch and maintain and replaced it with a cloud-native broker.

The Operational Payoff

This shift was not just about stopping hackers; it was also about operational capability. For example, mergers and acquisitions are common in healthcare. Traditionally, integrating into a new hospital network took months of routing de-confliction and firewall changes. With SASE and ZTNA, we don’t need to merge IP schemes immediately. We just federate identities, allowing onboarding of new facilities in days.

It also simplifies how we handle third-party access. We rely on vendors to support complex medical equipment and software, but giving them network access is a liability. Now, we give them access to only the specific application they support. It simplifies onboarding, reduces liability, and keeps our perimeter clean.
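The three points above (per-application access instead of network access, identity federation for an acquired facility, and vendors scoped to a single application) can be modelled as a policy evaluation. The following is an added illustration, not Trinity Health’s code or any vendor’s broker; the issuer names, applications and policy format are constructed for the example, and it contrasts the reachable set under a network-level VPN with the set an identity-aware broker grants.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    subject: str
    issuer: str            # federated IdP that asserted this identity
    groups: frozenset
    device_managed: bool   # device posture signal from the endpoint agent

@dataclass(frozen=True)
class Policy:
    issuer: str
    group: str
    app: str
    require_managed_device: bool = True

# Constructed sample data: issuers the broker trusts and per-application policies.
TRUSTED_ISSUERS = frozenset({"idp.trinity.example", "idp.acquired-hospital.example",
                             "idp.pump-vendor.example"})
APPS = ("ehr", "pacs-imaging", "pump-console", "hr-portal")
POLICIES = (
    Policy("idp.trinity.example", "clinicians", "ehr"),
    Policy("idp.trinity.example", "clinicians", "pacs-imaging"),
    Policy("idp.trinity.example", "staff", "hr-portal", require_managed_device=False),
    Policy("idp.acquired-hospital.example", "nursing", "ehr"),            # federated, no IP merge
    Policy("idp.pump-vendor.example", "field-engineers", "pump-console"), # vendor: one app only
)

def authorize(identity: Identity, app: str, policies=POLICIES,
              trusted=TRUSTED_ISSUERS) -> tuple[bool, str]:
    """Decide one identity -> application request; anything not explicitly granted is denied."""
    if identity.issuer not in trusted:
        return False, "untrusted issuer"
    for p in policies:
        if p.issuer == identity.issuer and p.app == app and p.group in identity.groups:
            if p.require_managed_device and not identity.device_managed:
                return False, "unmanaged device"
            return True, f"{p.issuer}:{p.group}->{app}"
    return False, "no policy grants access"

def ztna_reachable(identity: Identity, apps=APPS, policies=POLICIES) -> list:
    """Applications an identity can reach through the broker (its blast radius if compromised)."""
    return [a for a in apps if authorize(identity, a, policies)[0]]

def vpn_reachable(identity: Identity, apps=APPS, trusted=TRUSTED_ISSUERS) -> list:
    """Legacy VPN model for comparison: once on the network, every application is reachable."""
    return list(apps) if identity.issuer in trusted else []

VENDOR = Identity("eng-42", "idp.pump-vendor.example", frozenset({"field-engineers"}), True)
NURSE = Identity("rn-7", "idp.acquired-hospital.example", frozenset({"nursing"}), True)
```

Running `ztna_reachable(VENDOR)` against `vpn_reachable(VENDOR)` shows the difference the article describes: the same vendor credential reaches one console under the broker but the whole application estate under the VPN model.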

Designing for the Future

Transitioning to this architecture requires a significant engineering lift. Legacy healthcare applications often require custom proxy configurations, and engineering teams must pivot from CLI-based router management to policy-based orchestration. But the effort yields a foundation ready for the next wave of technology.

Our network is now better segmented and more intelligent by design, putting us in a position to manage the spread of IoT and the integration of AI. Zero Trust and SD-WAN are the pillars of our modernization. They allow us to be resilient and “Cloud Smart.” As a CTO, this architecture lets me say “yes” to business innovation without compromising the stability or security of the enterprise.

About the Author:
Nick O’Connor is VP of Product Engineering and Chief Technology Officer at Trinity Health. Nick leads enterprise technology strategy and serves to enable large-scale digital transformation programs across a nationwide healthcare network.