Technical Debt Must be Tackled, but Cloud & AI Bring their Own BCP Challenges, Says Parkview Health CISO

As health systems intensify efforts to modernize infrastructure, the risks associated with technical debt, fragmented applications, and over reliance on cloud and AI tools are becoming more pronounced. For Darrell Keeling, PhD, Senior Vice President of IT and CISO at Parkview Health, navigating this minefield requires not only technical insight but also business acumen and diplomacy.

The Fort Wayne-based system comprises 14 hospitals and employs more than 16,000 staff across Indiana and Ohio. It also extends its Epic platform to affiliated hospitals via a Community Connect model. Despite its size and resources, Parkview—like most health systems—carries some legacy IT systems and niche applications that accumulate over time and resist consolidation.

Fragmented Systems and the Rationalization Challenge

Keeling said that technical debt stems from both aging infrastructure and the accumulation of overlapping applications—many of which serve narrow functions but persist due to entrenched user preferences.

“We’re probably using maybe 50% of the functionality of what some systems can actually do,” he said, noting that organizations often purchase tools with broad capabilities but ultimately implement only a subset. The result is application sprawl, which increases maintenance costs and expands the attack surface for cyber threats.



Efforts to rationalize applications face significant headwinds, Keeling explained, because each tool typically has at least one internal stakeholder advocating for its retention. “It takes time to influence leaders,” he said, “especially in a system with hundreds of decision-makers.”

The challenge is compounded during mergers and acquisitions, when health systems inherit the technical debt of affiliated organizations. According to Keeling, most acquisitions proceed based on business considerations, with IT assessments occurring largely after the deal is signed. “The cost to upscale an organization after you purchase it is costly,” he said, citing the millions required to stabilize and secure outdated systems.

While security teams are increasingly involved in pre-acquisition assessments, including inquiries into prior breaches or unpatched vulnerabilities, technical readiness rarely influences whether a deal proceeds. “It’s a risk-based decision,” he said. “You look at all businesses—they were built on risk considerations.”

Cloud Mandates Introduce New Dependencies

Cloud migration has become a preferred strategy for reducing technical debt, particularly as vendors discontinue on-prem support. But Keeling cautioned that moving to the cloud is not a panacea—and that it carries its own risks.

“Even the cloud has technical debt,” he said. “It’s still going to have outdated operating systems and unsupported components unless actively managed.” He also noted that cloud subscriptions often come with hidden infrastructure costs, particularly when layering third-party security tools onto public platforms like AWS or Azure.

Beyond cost, the shift to cloud computing introduces new business continuity risks. “If the internet goes down or there’s a cyber incident, and everything is in the cloud, then what?” Keeling said. For mission-critical systems like EHRs or AI-driven clinical workflows, cloud outages can be just as disruptive as ransomware attacks.

He pointed to hybrid models as a likely outcome for most health systems, particularly where local control of patient data or medical device integration remains essential. “You don’t want all your controllers running in the cloud,” he said. “If there’s a disconnect, it could shut down your facility.”

Keeling acknowledged that some vendors are accelerating this shift by offering only cloud-based products, with defined timelines for deprecating on-prem versions. While this helps vendors scale features across a multi-tenant architecture, it can strain health systems that lack robust inter...