Deploying Azure landing zone in hospitals: 5 steps to a secure and compliant foundation.
Why an Azure landing zone is indispensable for hospitals
For hospitals, the move to the cloud is no longer a technological preference but an administrative necessity. The demand for flexibility, scalability and predictable costs is rising, while IT budgets are coming under further pressure. The NVZ reported that by 2025, both cloud costs and spending on security software will have increased by 53%. This development underlines that hospitals can only keep a grip on risks, costs and continuity with a well-designed cloud architecture.
An Azure landing zone helps hospitals to set up their cloud environment from the ground up: secure, compliant and ready to scale up. This creates a foundation that complies with NEN 7510 from day one, offers clear frameworks and leaves room for future healthcare innovation.
Step 1: Determine your cloud strategy and setup
For many hospitals, a hybrid approach makes sense, for example because of existing (legacy) systems. A commonly used design is the hub-spoke model: a central environment for matters such as security, identity and connections, surrounded by separate environments for specific applications, such as the EHR or data analysis.
The way you structure your environment also determines how you keep a grip on governance and ownership. Making a clear separation between the base (the platform) and the applications creates both control and flexibility.
Step 2: Get a grip on governance and compliance (NEN 7510)
For hospitals, NEN 7510 is the standard for information security. In the coming period, cure organizations will switch to the updated version (7510:2024), making it important to arrange this properly from the ground up.
By establishing clear frameworks in your cloud environment, such as where data may be stored, how resources are set up and how security and logging are arranged, you ensure that new environments automatically meet these requirements. This prevents deviations and keeps a constant grip on compliance.
Step 3: Ensure strong security and control over access (Zero Trust)
Hospitals are an attractive target for cyberattacks. That is why it is important not to see security as an extra layer, but as a starting point. With a Zero Trust approach, no one automatically gains access. Every user and every action is continuously monitored.
In practice, this means that you put identity first, always ask for extra verification (such as multi-factor authentication) and only give access to what is really needed. By setting this up properly, you reduce the risk of abuse and prevent an incident from spreading throughout the environment.
Step 4: Provide insight and rapid follow-up in the event of incidents
A good landing zone does not stop at design alone. It is just as important to have continuous insight into what is happening and to be able to intervene quickly in the event of deviations. That is why many hospitals opt for continuous monitoring and rapid follow-up of threats (MxDR), so that suspicious activities are immediately picked up and risks are limited.
By continuously monitoring activities, security signals and usage, you can immediately identify suspicious situations, such as unusual login attempts. This prevents small deviations from growing into major incidents.
Step 5: Keep a grip on costs (FinOps)
The cloud offers flexibility, but without good agreements, costs can quickly add up. That is why it is important to keep a grip on expenses from the start.
By having a clear understanding of where costs arise, setting budgets and regularly evaluating them, you avoid surprises afterwards. This way you can see in time where adjustments are needed and keep the environment efficient.
Platform landing zone vs. application landing zones
A cloud environment consists of two layers, each with its own role. The platform landing zone forms the central basis: here you arrange matters such as security, access, logging and governance for the entire organization.
The application landing zones are the environments where the actual applications run, such as the EHR, data analysis or patient portals. These are set up per domain or team, so that they can work independently within the framework of the platform.
By making this distinction, you combine central control with flexibility for teams.
Steering on control
There are several ways to set up a landing zone. The choice is not about the technology itself, but about the degree of control and consistency that you want to guarantee as an organization. It starts with clear principles: what do you organize centrally, where is ownership and how do you ensure that you meet requirements regarding security, logging and compliance from day one.
A well-thought-out design prevents fragmentation and ensures that your environment remains manageable and in line with policy and regulations. By focusing on standardization and repeatability, you lay a solid foundation for further growth.
Ultimately, it's about making sure your environment doesn't just work today, but is ready for scale, security, and future developments. How healthy is your landing zone?
Take the step towards a secure and governed Azure foundation
A landing zone is just the beginning. The question is how to keep that environment structurally secure, compliant and future-proof without unnecessary operational pressure on your own teams. With Wortell Managed Azure, you retain control over architecture, policy and decision-making, while we ensure continuity, monitoring and compliance with NEN 7510 and cloud governance.