Subscribe to our newsletter
The overhead fluorescents buzz just loudly enough to set everyone’s teeth on edge. Paper coffee cups—Starbucks, Dunkin’, the gas station down the street—crowd around a bank of aging KVM switches. Maya Chen, the interface analyst, squints at a terminal that keeps spitting out ACK timeout errors. Somewhere two floors up, a trauma surgeon is waiting on a CBC that refuses to cross the wire.
CFO Denise López finally breaks the tension.
“We paid $312 million for this merger,” she says, tapping her pen like a metronome. “Tell me why we’re still faxing lab results in 2025.”
Nobody answers. The question, of course, is much bigger than one balky HL7 feed: Do we double down on building our integration stack, or do we call a vendor on Monday morning?
Why Hospitals Can’t Punt on Integration Any Longer
The pressure isn’t just in the M&A war room; it’s coming from every direction. The slow, piecemeal approach to system integration has become strategically untenable.
| Driver | Flash Point | Source |
| M&A Frenzy | 72 U.S. hospital deals were announced in 2024, with a record 30.6% involving a financially distressed party. | Kaufman Hall, M&A in Review 2024 |
| AI Use-Case Tsunami | The number of physicians reporting weekly AI use nearly doubled in the last year, jumping from 38% in 2023 to 66% in 2024. | AMA Digital Health Survey 2024 |
| Regulatory Crunch | The HTI-2 final rule solidifies requirements for nationwide FHIR-based exchange under TEFCA, with key provisions effective in January 2025. | ONC Fact Sheet |
| Cyber Risk | The average cost of unplanned downtime for a hospital has climbed to an estimated $9,182 per minute. | Ponemon Institute, Cost of Downtime 2025 |
In other words, integration has migrated from the basement server room to the executive agenda. The wrong choice can leak millions—or, worse, patient trust.
Five Lenses for the Build-vs-Buy Decision
We interviewed 14 CIOs, three clinical operations leaders, two venture-funded CMIOs, and a former CFO who has since become a board member. Five themes surfaced again and again:
- Speed to Value
- Total Cost of Ownership (TCO)
- Risk & Compliance
- Strategic Control
- Scalability & Future-Proofing
Let’s break them down.
1. Speed to Value
“Merger Day + 90” is the new yard-stick, says Dr. Ravi Kulkarni, CMIO of a five-hospital system in Ohio. “If we can’t normalize lab results and medication histories in three months, clinicians tune out. They find workarounds, and we lose the data fidelity we were trying to achieve in the first place.”
| Build | Buy |
| 4–6 months for a single complex interface (e.g., Epic ↔ Cerner) when coded from scratch. | 4–8 weeks with pre-built connectors from established iPaaS vendors. |
Case in Point — The Des Moines Snowstorm
During a blizzard last January, Lutheran Health’s in-house integration engine struggled with a 3× spike in ADT (Admission, Discharge, Transfer) messages. A temporary SFTP workaround kept the ER afloat, but pathology turnaround times doubled. Two weeks later, facing a revolt from their lab directors, they signed a managed middleware contract; the full cut-over was finished before the spring thaw.
2. Total Cost of Ownership (TCO)
A “cheap” build can morph into an annuity of hidden costs. The initial software license is just the tip of the iceberg.
| Cost Element | Build | Buy |
| Talent | A senior HL7/FHIR engineer commands a $168k median salary, plus benefits. A full team costs multiples of that. | Platform admin salary is lower (≈$98k); vendor absorbs specialized developer salaries. |
| Tooling | DevOps pipeline, test harnesses, on-prem servers or cloud compute bills, monitoring software. | Subscription tiers bundle tooling and infrastructure costs into a predictable operational expense. |
| Certifications | Internal SOC 2 & HITRUST audits every 12–18 months, consuming hundreds of staff hours. | Vendor supplies their attestation reports; client performs annual vendor due diligence. |
| Downtime Liability | The hospital eats the full financial and reputational loss. | Often contractually shifted via Service Level Agreement (SLA) credits and uptime guarantees. |
Downtime Liability: The hospital bears the full financial and reputational loss. Often contractually shifted via Service Level Agreement (SLA) credits and uptime guarantees.
3. Risk & Compliance
According to the 2025 Verizon Data Breach Investigations Report, healthcare breaches linked to third-party or supply chain issues have surged, underscoring the risk of poorly secured interfaces.
The Build Path: You own the entire risk surface. You’re responsible for patch cadence, encryption standards, and generating audit evidence. One Florida IDN told us it burns 0.7 FTE per month, just mapping its internal SOC 2 controls to the specifics of HIPAA §164.308.
The Buy Path: You transfer a significant portion of the risk, but you must verify. Trust but verify is the mantra. Demand:
- A SOC 2 Type II report that is less than 12 months old.
- A HITRUST r2 Certification (the gold standard) or, at a minimum, a validated i1 assessment.
- Clear evidence of a zero-trust architecture (e.g., device posture checks, MFA on all endpoints, micro-segmentation).
Board audit committees are increasingly requesting the tri-combo SOC 2, HIPAA mapping, and HITRUST letter. Skip one, and expect to be asked pointed questions.
4. Strategic Control
When does integration itself become your secret sauce? This is the most important strategic question.
- BUILD if you’re Memorial Sloan Kettering inventing a novel oncology-specific data ontology that no vendor offers.
- BUY if you’re a regional health system standardizing routine admission/discharge messages across a dozen community hospitals.
A telling quote from Julie Bennett, a CFO at a Minnesota academic center:
“Custom code feels empowering—until the engineer who wrote it leaves for a start-up in Austin, and no one else knows how to patch it.”
5. Scalability & Future-Proofing
Tomorrow’s interfaces won’t look like yesterday’s. The data streams are changing.
- FHIR Subscriptions will push real-time event streams, not just flat files.
- Edge AI inference for clinical decision support will require millisecond-latency data hooks.
- Confidential Computing will demand enclave-aware middleware to process sensitive data without decrypting it.
Vendors who invest upwards of 20% of their revenue in R&D can shoulder that roadmap more easily than most hospital IT shops, which average just 3.4% of their operating budget for R&D, according to the 2024 CHIME Digital Health Budget Report. Buying, in this sense, is outsourcing your future-proofing.
The Finance Lens: A Breakeven Timeline for Your CFO
Visualizing the cumulative spending over five years makes the TCO argument tangible.
At Month 38, the in-house cost curve finally dips below the vendor spend—unless a 20% scope overrun is reached, in which case breakeven is pushed beyond five years. Hand this slide to your CFO; let the numbers speak for themselves.
Pilot-to-Scale: A 90-Day Playbook for Innovation Ivy
For leaders like Ivy, chartered with delivering quick wins, a disciplined pilot is everything.
| Phase | Day 1–30 | Day 31–60 | Day 61–90 |
| Goal | Sandbox spins up; pick one high-value integration (e.g., a sepsis alert feed to the rapid response team’s pagers). | Connect, map, and test with de-identified data. Baseline KPIs: latency, error-rate, message transformation accuracy. | Limited go-live with a champion unit. Measure clinician effort, calculate NPV, and present an executive go/no-go recommendation. |
A structured approach, such as Logicon’s Co-Pilot Accelerator, slots neatly into this cadence.
The Clinician Workflow: Before & After for Ops Director Omar
The ultimate test is whether the technology helps or hinders the person delivering care. After a middleware platform went live at a Texas hospital, Nurse Reyes in 4 West reduced the average number of clicks required for a standard patient admission by 26. That’s eight minutes saved per patient—or roughly the length of “Here Comes the Sun” blasting from the ward’s ancient ceiling speakers.
Red Flags & Reality Checks
No path is without pitfalls. Here’s what to watch for.
| Approach | Watch for | Why It Matters |
| Build | Key-person risk and undocumented “spaghetti” code.Security drift. | Talent turnover is at an 18-year high. When your guru leaves, your platform is instantly at risk. |
| Buy | Vendor lock-in clauses >3 years; hefty exit or data migration fees. | You patch it, no one else will. The burden of vigilance is 100% on you.This limits your negotiating leverage at renewal time and stifles agility. |
| Adopt | Alert fatigue from boiler-plate mappings that don’t understand clinical context. | If clinicians get too many false-positive alerts, they start ignoring all of them—which is dangerously unsafe. |
If clinicians receive too many false-positive alerts, they tend to ignore them all—which is a dangerously unsafe practice.
Peering Over the Horizon
The ground is already shifting for the next five years. Any platform choice made today must account for the following:
- FHIR Subscriptions 1.1: The ballot for this update is due in December 2025, promising a move to true, event-driven publish/subscribe models.
- FDA CDI Guidance: A new draft guidance may classify certain integration logic as Class II medical software, which would have significant implications for validation and documentation requirements.
- Quantum-Safe Cryptography: NIST is finalizing standards, and pilots for quantum-safe TLS are expected to begin in 2026. Any new platform should be built with cryptographic algorithm agility in mind.
The Boardroom Question
When the next acquisition lands—or the next cyberattack hits—will you still be faxing PDFs from a chaotic war room, or will your data be moving at the speed of care?
The choice is yours, but the clock is ticking.
Next Steps
- Download our 15-Point Integration RFP Checklist — A free, no-spam PDF to vet potential partners
- Book a 30-minute architecture consultation with a Logicon integration fellow to map your path forward because 3am war rooms are overrated.