Container Technologies in Swiss Hospital Operations

The conception of the container architecture was based on a multi-stage approach, ranging from needs analysis to regulatory evaluation. Central methods were:

• Interviews and requirements analyses with practice partners (Leitwert AG, TIE AG, Eviden/Atos AG)
• Market analysis of existing container orchestration solutions (e.g., Docker Swarm, OpenShift, AKS)
• Iterative architecture development using Azure components
• Evaluation of legal framework conditions

The results can be divided into several sub-areas that are necessary for the successful introduction of containers:

Technical Perspective:

• Azure Kubernetes Service (AKS) was chosen as the central platform because it optimally combines scalability, security, and interoperability in this use case. However, there are also alternative providers that would be possible

• The network architecture follows a hub-and-spoke topology with clear separation of subnets for security and governance.

• Through containerization, applications can be developed modularly and reused across hospitals.

• Infrastructure-as-Code guarantees reproducibility and auditability of the entire environment (SHIFT A.1 D04, 2023).

Central Services of the Tech Foundation (as Hub):

This requires several technical prerequisites and components that were identified as necessary for the considered use case:

• Network Firewall: Protection and filtering of network traffic

• VPN Gateway: Secure access from the corporate network or remotely to the cloud environment

• Identity Management: Identities are managed and access is controlled via Microsoft Entra ID

• Monitoring: Azure Monitor monitors the systems and collects logs

• API Gateways: Control of external data access, e.g., via Azure Application Gateway

• Key Vault: Secure storage of access credentials, keys, and certificates

Regulatory Implementation:

An important aspect, especially in the healthcare sector, is the consideration of regulatory requirements. The following considerations were made:

• The architecture considers requirements of the nDSG (e.g., through logging, access controls, Key Vaults).

• Medical device-relevant modules are strictly separated, so that only certification-required components are subject to the MDR.

• Patient data is processed locally in Switzerland; cloud resources follow the principle of digital sovereignty.

This results in the following practical recommendations:

• Use Kubernetes (e.g., AKS) as the standard for container orchestration
• Use modular architecture building blocks for reusability and scaling
• Integrate regulatory requirements (nDSG, MepV) early in architecture planning
• Rely on Infrastructure-as-Code to ensure governance and traceability
• Clearly separate medical device-relevant from generic components

Conclusion and Outlook
The architecture model of SHIFT A.1 demonstrates that modern container and cloud technologies can be used in compliance with regulations in the hospital environment. They enable a resilient technical foundation for digital health applications and offer advantages in rapid provisioning and flexible adaptation to new circumstances. In the future, the development towards sovereign, interoperable cloud environments for healthcare will be central to better meet new requirements.