Hospital Network Security: Microsegmentation Across a 4-Hospital Group
Hospital network security became a board-level concern after 2024's healthcare ransomware wave, and our client wanted lateral movement made structurally impossible. The starting point: a 4-hospital group, a flat network, and a board that read about ransomware in healthcare every week.
The Hospital Network Security Challenge
The technical state was fairly typical for a hospital group that had grown by acquisition. Four hospitals, four IT teams, four different switch vendors, one shared HIS backend stretched across all of them via private MPLS. Endpoints, servers, lab analysers, IP CCTV, and IoT all sat on the same broad subnets. There was a perimeter firewall but it had no visibility internally.
The hard part was not designing the segmentation — it was rolling it out without breaking clinical workflows. A wrong VLAN ACL on the imaging server during an emergency would put us on the front page.
Our Hospital Network Security Approach
We worked the problem in three phases:
- Inventory before architecture. Three weeks. Active discovery (Nmap, mDNS, SNMP), passive discovery (SPAN-port traffic capture), and physically walking the wards. The IoT inventory was the most surprising: we found 41 devices nobody on the IT team knew were on the network.
- Segmentation rollout, hospital by hospital. Started with the smallest hospital as a pilot. Migrated VLANs over three nights per hospital, with rollback plans for every change.
- Host-based + identity-aware second layer. Defender for Endpoint pushed via Intune to all clinical workstations; Cloudflare Access for remote vendor support replacing the old IPSec-from-anywhere setup.
What We Built for Hospital Network Security
- 12 VLANs per hospital, grouped by function: clinical workstations, lab analysers, imaging, finance, HR/admin, IP CCTV, medical IoT, guest WiFi, BYOD, vendor management, server zone, infrastructure management.
- Default-deny inter-VLAN ACLs on FortiGate 100F at each location, with a documented allow-list per service.
- EDR on 100% of clinical workstations (Microsoft Defender for Endpoint P2).
- Cloudflare Access replacing legacy VPN for the ~30 vendor support accounts that previously had broad network reach.
- Centralised logging to Microsoft Sentinel, with custom detections for the post-exploitation patterns we expected attackers to use.
Hospital Network Security Outcomes
- Red-team validation. Two weeks after rollout, a red-team partner attempted full-chain compromise from a phished cafeteria PC. They reached two adjacent endpoints in the same VLAN and were blocked at the VLAN boundary. Imaging and HIS were unreachable.
- HIPAA-equivalent gap closure. 14 of 17 control gaps in the prior assessment closed; 3 remained open with documented compensating controls (legacy ICU monitors that cannot run modern crypto).
- Operational benefit, not just security: the broadcast-domain split also cut DHCP storms in two hospitals, which had been silent recurring incidents.
What We'd Do Differently
The IoT inventory should have been week 1, not week 2. We found a category of devices late — wireless drug-dispensing carts — that needed a dedicated VLAN with very specific allow-rules, and that drove rework on the design we had already shared with the client. We now treat hospital IoT discovery as a hard prerequisite gate before any segmentation design starts.
Second: we under-budgeted training time for the local IT teams. Each hospital had 1–2 sysadmins who needed to operate the new ACLs after we left. We added a 5-day handover and three months of office-hours support to subsequent engagements.
Stack & Tools
- FortiGate 100F (perimeter at each hospital), Cisco Catalyst 9300 (core), Aruba 6300 (access)
- Microsoft Defender for Endpoint P2, Microsoft Intune for deployment
- Cloudflare Zero Trust (Access + Gateway)
- Microsoft Sentinel SIEM
- Nmap, Nessus Pro, Wireshark, custom passive-discovery scripts during inventory
FAQ
Did clinical workflows ever break during cutovers?
Once. A specific PACS workflow used a non-standard port we had missed in the allow-list; the radiology team noticed within 8 minutes and we had the rule added in 12. We logged it as a near-miss in the rollout post-mortem and added a “shadow mode” period to subsequent engagements, in which ACLs run log-only for 48 hours before enforcement.
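As an added example (not part of the original write-up or the client's tooling), the following Python script shows the two log-driven checks this engagement relied on: mining a shadow-mode deny log for legitimate flows missing from the allow-list, like the PACS workflow on a non-standard port, and the kind of custom detection mentioned under centralised logging, flagging the fan-out a foothold produces when it is denied at the VLAN boundary. Field names follow FortiGate's key=value traffic-log style, but every log line, VLAN interface name, IP address and the port 11112 are constructed here.

```python
"""Triage FortiGate-style inter-VLAN deny logs (constructed sample lines below)."""
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted

def parse_line(line):
    """Turn one key=value syslog line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def denied_flows(lines):
    return [r for r in map(parse_line, lines) if r.get("action") == "deny"]

def fanout_alerts(lines, threshold=5):
    """Sources denied to >= threshold distinct hosts: a foothold probing the boundary."""
    dsts = defaultdict(set)
    for r in denied_flows(lines):
        dsts[r["srcip"]].add(r["dstip"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}

def shadow_mode_candidates(lines, min_hosts=2, scan_threshold=5):
    """(src VLAN, dst VLAN, dst port) denied from >= min_hosts distinct sources, ignoring
    sources that trip the fan-out alert so probing noise is not mistaken for a workflow."""
    scanners = set(fanout_alerts(lines, scan_threshold))
    srcs = defaultdict(set)
    for r in denied_flows(lines):
        if r["srcip"] not in scanners:
            srcs[(r["srcintf"], r["dstintf"], int(r["dstport"]))].add(r["srcip"])
    return sorted(k for k, s in srcs.items() if len(s) >= min_hosts)

def _log(src, sintf, dst, dport, dintf, action="deny"):
    """Build one constructed FortiGate-style traffic log line (hypothetical values)."""
    return (f'date=2026-03-02 time=10:15:01 devname="FG100F-H1" type="traffic" '
            f'srcip={src} srcintf="{sintf}" dstip={dst} dstport={dport} '
            f'dstintf="{dintf}" proto=6 action="{action}" policyid=0')

# Constructed shadow-mode sample: three radiology workstations hitting a PACS server on a
# non-standard port, one stray SMB attempt, one host sweeping six imaging hosts, one accept.
SAMPLE_LOGS = (
    [_log(f"10.10.20.{i}", "vlan-clinical", "10.10.40.10", 11112, "vlan-imaging") for i in (11, 12, 13)]
    + [_log("10.10.20.15", "vlan-clinical", "10.10.40.10", 445, "vlan-imaging")]
    + [_log("10.10.20.77", "vlan-clinical", f"10.10.40.{i}", 445, "vlan-imaging") for i in range(1, 7)]
    + [_log("10.10.20.11", "vlan-clinical", "10.10.40.10", 104, "vlan-imaging", action="accept")]
)

if __name__ == "__main__":
    print("allow-list candidates (src VLAN, dst VLAN, port):", shadow_mode_candidates(SAMPLE_LOGS))
    print("fan-out alerts (source -> distinct denied hosts):", fanout_alerts(SAMPLE_LOGS))
```

In the sample, the repeated 11112 denies from several workstations surface as an allow-list candidate while the single stray SMB attempt and the sweeping host do not; the sweep instead shows up as an alert.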
How do you handle medical IoT devices that cannot run modern protocols?
Quarantine VLAN with very tight allow-rules — only the specific server IPs and ports they need. Anything else is dropped. We document every exception in the segmentation design as a known compensating control.
What did the red-team start with?
An assumed-phishing scenario — a malicious Office macro on a low-privilege cafeteria workstation. They had local admin within the first hour but were unable to move beyond that VLAN segment.
How is the segmentation maintained as new devices arrive?
We left the client with a “device intake” runbook and a VLAN allocation policy. New devices land in a holding VLAN until classified by IT. The local sysadmins use a small Forti-DBM workflow we set up; we audit it twice yearly.
Hospital Network Security as a Multi-Year Discipline
Hospital network security is the rare engagement where the architecture matters more than the toolset. It has to survive clinical workflow constraints, medical-IoT device limitations, and 24/7 uptime expectations, none of which the standard enterprise security playbook anticipates. Effective hospital network security in 2026 is segmentation-first, EDR-second, and identity-third. The engagement we delivered for this 4-hospital group hardened the perimeter; next year's review will harden the segmentation rules and the IoT inventory. This is multi-year work, by design.
Further reading: VITI Security cybersecurity services · CISA Healthcare Sector guidance.
Need help on something like this? VITI Security works with operators, BPOs, and SMBs across India and abroad.