IP Whitelisting

I have long maintained a lot of externally-facing and internally-facing websites for a large healthcare system. My external sites are hosted on a fully managed VPS with DreamHost. My internal sites are hosted on a Windows server running PHP that sits behind our firewall. Now, however, I’ve been asked to look into moving the various Intranets (about a dozen in all) to DreamHost for a couple of reasons: my server continues to be flagged during security scans and our networking guys are not comfortable maintaining & patching PHP.

I know I could move the Intranets to DreamHost and then restrict access by IP address (from within the htaccess file). I could also add Sitelok to the various sites and assign all 1k employees a user ID and password.

I would love to hear any feedback from people who have experience in this area. Is IP whitelisting secure enough or do I need to add Sitelok? Any other possible solutions?