Zero Trust Security
Improving hospital security without disrupting doctors and nurses
14 facilities migrated
Zero clinical workflow disruptions
< 4 min mean detection time
A large hospital network with fourteen facilities was operating on perimeter-based network security — a model where anything inside the network boundary was treated as trusted. An internal red team exercise had revealed that a single compromised endpoint could reach clinical systems, administrative systems, and patient records without further authentication. The security team knew the architecture needed to change. The operational constraint was that any security change that interrupted clinical workflows or created friction for clinical staff would not be tolerated.
The outcome
We redesigned the network so nothing is trusted by default — every device and user is verified before getting access. Security became part of how the system works, not a separate checklist.
The hidden cost of perimeter security in clinical environments
The hospital network's existing security model dated to a time when clinical systems were largely standalone and the network perimeter was a meaningful boundary. Neither of those conditions still held. Clinical staff carried personal mobile devices that connected to the hospital network. Medical equipment increasingly ran embedded operating systems that couldn't be updated on a standard IT patch cycle. Third-party vendors accessed clinical systems remotely for maintenance and support. The perimeter had so many legitimate exceptions that it no longer functioned as a control — it was a formality. The red team's findings had made this visible to leadership in a way that routine vulnerability assessments hadn't: they had moved laterally from a compromised nursing workstation to a medication dispensing system in eleven minutes, without triggering a single alert.
Mapping the access landscape before changing anything
We spent the first twelve weeks doing nothing except observing. We deployed network monitoring across all fourteen facilities — passive sensors that recorded traffic patterns without inspecting payload content. We inventoried every device on the network: clinical endpoints, medical equipment, administrative workstations, vendor access terminals, and the building management systems that most security programs overlook. We documented every access relationship: which systems communicated with which, on which ports, at which frequencies. At the end of this phase, we had a complete access map of the network as it actually operated — not as it was documented in the network diagrams, which were significantly out of date. The access map revealed 340 active communication relationships that had no corresponding documentation, including seventeen cases where medical equipment was communicating with external IP addresses for purposes that no one in the IT or clinical engineering teams could explain.
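The access-mapping step above, reduced to code as an added example (not the case study's own tooling): flow summaries from passive sensors are collapsed into one entry per (source, destination, port) relationship, compared with the documented relationships, and the subset of medical equipment talking to addresses outside the hospital ranges is pulled out for investigation. The flow records, address ranges and documentation set are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow summaries from passive sensors: (src, dst, dst_port, proto, flows_per_day).
# Addresses and counts are made up for the example.
FLOWS = [
    ("10.20.1.15", "10.20.5.10", 443, "tcp", 1200),    # nursing workstation -> EHR front end
    ("10.20.1.15", "10.20.7.22", 1433, "tcp", 40),     # nursing workstation -> admin database
    ("10.30.2.40", "10.20.5.10", 2575, "tcp", 300),    # infusion pump -> HL7 interface
    ("10.30.2.41", "203.0.113.50", 443, "tcp", 20),    # infusion pump -> external address
    ("10.40.9.3", "10.20.5.10", 443, "tcp", 5),        # vendor terminal -> EHR front end
    ("10.30.2.40", "10.20.5.10", 2575, "tcp", 280),    # same pump/interface pair, second sensor
]

# Relationships recorded in the (out-of-date) network diagrams, constructed.
DOCUMENTED = {
    ("10.20.1.15", "10.20.5.10", 443),
    ("10.30.2.40", "10.20.5.10", 2575),
    ("10.40.9.3", "10.20.5.10", 443),
}

INTERNAL_RANGES = [ip_network("10.0.0.0/8")]          # assumed hospital address space
MEDICAL_DEVICE_RANGES = [ip_network("10.30.0.0/16")]  # assumed clinical-equipment VLANs


def in_ranges(ip, ranges):
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def build_access_map(flows):
    """Collapse flow summaries into one entry per (src, dst, port) relationship,
    summing frequency across sensors so the map reflects observed, not documented, use."""
    access_map = defaultdict(lambda: {"proto": set(), "flows_per_day": 0})
    for src, dst, port, proto, per_day in flows:
        entry = access_map[(src, dst, port)]
        entry["proto"].add(proto)
        entry["flows_per_day"] += per_day
    return dict(access_map)


def undocumented_relationships(access_map, documented):
    """Observed relationships with no entry in the documentation."""
    return sorted(key for key in access_map if key not in documented)


def medical_external_relationships(access_map):
    """Medical equipment talking to addresses outside the hospital ranges: the
    relationships nobody could explain, and the first ones to investigate."""
    return sorted(
        (src, dst, port) for (src, dst, port) in access_map
        if in_ranges(src, MEDICAL_DEVICE_RANGES) and not in_ranges(dst, INTERNAL_RANGES)
    )


if __name__ == "__main__":
    amap = build_access_map(FLOWS)
    print(f"{len(amap)} observed relationships")
    for key in undocumented_relationships(amap, DOCUMENTED):
        print("undocumented:", key, amap[key])
    for key in medical_external_relationships(amap):
        print("medical device -> external:", key)
```

Feeding this the full observation-phase export instead of the six constructed rows gives the same two lists the case study describes: relationships absent from the diagrams, and equipment reaching outside the network.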
Implementing microsegmentation without disrupting care
We designed the segmentation architecture around clinical workflows rather than around network topology. A traditional network segmentation approach divides the network into zones by function — clinical systems in one zone, administrative systems in another, guest WiFi in a third. This approach is straightforward to implement but creates friction: a clinical staff member who needs to access both clinical and administrative systems encounters barriers at zone boundaries. Our approach segmented by identity and device posture rather than by network location. A physician accessing clinical systems from a hospital-managed device with current patches gets access to clinical systems. The same physician accessing the same systems from an unmanaged personal device gets access to a limited view that doesn't include system-level data. Access decisions happen at the application layer, not at the network perimeter. This approach required deploying an identity-aware proxy for clinical applications — a component that evaluates the identity and device posture of every access request before forwarding it to the application. The proxy operates transparently for compliant devices and users: they experience no change in their workflow. The segmentation is enforced without visible friction.
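The proxy's decision logic, as an added example rather than the case study's implementation: identity is checked first, then device posture, and network location never enters the decision. A physician on a managed, recently patched device gets the full view; the same physician on an unmanaged device gets a response with the system-level fields stripped. The role-to-application policy, the 30-day patch threshold and the field names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "full"        # clinical data plus system-level detail
    LIMITED = "limited"  # clinical data only, no system-level detail
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                      # asserted by the identity provider (assumed)
    authenticated: bool
    application: str
    device_managed: bool           # hospital-managed device with a posture report
    patch_age_days: Optional[int]  # days since last patch; None when unknown (unmanaged)


# Which roles may reach which clinical application at all (constructed policy).
APPLICATION_ROLES = {
    "ehr": {"physician", "nurse", "pharmacist"},
    "imaging-maintenance": {"vendor", "clinical-engineering"},
}
MAX_PATCH_AGE_DAYS = 30  # assumed meaning of "current patches"

# Response fields the limited view strips (constructed names).
SYSTEM_LEVEL_FIELDS = {"host_config", "audit_trail", "integration_endpoints"}


def decide(req):
    """Identity first, then device posture. Where the request comes from on the
    network plays no part in the decision."""
    if not req.authenticated:
        return Access.DENY
    if req.role not in APPLICATION_ROLES.get(req.application, set()):
        return Access.DENY
    posture_ok = (
        req.device_managed
        and req.patch_age_days is not None
        and req.patch_age_days <= MAX_PATCH_AGE_DAYS
    )
    return Access.FULL if posture_ok else Access.LIMITED


def filter_response(record, access):
    """Apply the access level to an application response before it leaves the proxy."""
    if access is Access.DENY:
        return None
    if access is Access.FULL:
        return dict(record)
    return {k: v for k, v in record.items() if k not in SYSTEM_LEVEL_FIELDS}


def proxy(req, record):
    """Evaluate the request and return the (possibly reduced) response the client sees."""
    return filter_response(record, decide(req))


if __name__ == "__main__":
    # Constructed response record from the application behind the proxy.
    record = {"patient_id": "demo-001", "orders": ["demo order"],
              "host_config": {"os": "demo"}, "audit_trail": []}
    managed = AccessRequest("dr.lee", "physician", True, "ehr", True, 5)
    personal = AccessRequest("dr.lee", "physician", True, "ehr", False, None)
    print("managed device:", sorted(proxy(managed, record)))
    print("personal device:", sorted(proxy(personal, record)))
```

Note the posture check treats an unknown patch state the same as an old one: a device that cannot report its posture never gets the full view, which is what keeps an unmanaged personal device on the limited path.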
Device posture for medical equipment that can't run security agents
The most technically difficult part of the Zero Trust implementation was handling medical equipment. Clinical devices — infusion pumps, imaging systems, patient monitoring equipment — run embedded operating systems that cannot be modified by the hospital's IT team. They cannot run endpoint detection agents. They cannot participate in a standard device posture assessment. We solved this with network-based behavioral profiling. Each device category — infusion pumps, imaging systems, monitoring equipment — has a characteristic communication pattern: specific protocols, specific destination addresses, specific traffic volumes at specific times. We built behavioral baselines for each device category based on the access map data collected during the observation phase. Any device whose communication pattern deviates from its baseline triggers an alert and, depending on the severity of the deviation, is quarantined to a restricted network segment automatically. This approach doesn't require modifying the medical equipment. It monitors the network behavior of devices that can't be directly managed, and treats anomalous behavior as a security signal.
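The per-category behavioral profiling described above, as an added example that is not the case study's own system: baselines are derived from observation-phase records (allowed destinations, allowed ports, and a mean and standard deviation of hourly volume), and each live observation is scored against its category's baseline. A new destination or port is treated as high severity and quarantined; a volume excursion alone is medium severity and only raises an alert, which matches the case study's experience that most anomalies were firmware problems rather than intrusions. The records, the 3-sigma threshold and the severity-to-action mapping are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Observation:
    device: str
    category: str
    dst: str
    port: int
    bytes_per_hour: int


@dataclass(frozen=True)
class Baseline:
    category: str
    allowed_ports: frozenset
    allowed_destinations: frozenset
    volume_mean: float
    volume_stdev: float


# Constructed observation-phase records (values made up for the example).
OBSERVATION_PHASE = [
    Observation("10.30.2.40", "infusion-pump", "10.20.5.10", 2575, 50_000),
    Observation("10.30.2.41", "infusion-pump", "10.20.5.10", 2575, 55_000),
    Observation("10.30.2.42", "infusion-pump", "10.20.5.10", 2575, 45_000),
    Observation("10.30.2.43", "infusion-pump", "10.20.5.10", 2575, 52_000),
    Observation("10.30.7.1", "imaging", "10.20.6.5", 104, 2_000_000),
    Observation("10.30.7.2", "imaging", "10.20.6.5", 104, 2_400_000),
    Observation("10.30.7.3", "imaging", "10.20.6.5", 104, 1_800_000),
]

VOLUME_SIGMA = 3.0  # assumed threshold for a volume anomaly
ACTIONS = {"none": "allow", "medium": "alert", "high": "quarantine"}


def build_baselines(observations):
    """Derive one baseline per device category from observation-phase records."""
    by_category = {}
    for o in observations:
        by_category.setdefault(o.category, []).append(o)
    baselines = {}
    for category, obs in by_category.items():
        volumes = [o.bytes_per_hour for o in obs]
        baselines[category] = Baseline(
            category=category,
            allowed_ports=frozenset(o.port for o in obs),
            allowed_destinations=frozenset(o.dst for o in obs),
            volume_mean=mean(volumes),
            volume_stdev=pstdev(volumes),
        )
    return baselines


def assess(obs, baselines):
    """Score one live observation. Returns (severity, action, reasons).
    A category with no baseline is itself a high-severity finding: the device
    was not seen during the observation phase, so nothing vouches for it."""
    baseline = baselines.get(obs.category)
    if baseline is None:
        return "high", ACTIONS["high"], [f"no baseline for category {obs.category}"]
    reasons, severity = [], "none"
    if obs.dst not in baseline.allowed_destinations:
        reasons.append(f"new destination {obs.dst}")
        severity = "high"
    if obs.port not in baseline.allowed_ports:
        reasons.append(f"new port {obs.port}")
        severity = "high"
    limit = baseline.volume_mean + VOLUME_SIGMA * baseline.volume_stdev
    if obs.bytes_per_hour > limit:
        reasons.append(f"volume {obs.bytes_per_hour} B/h above {limit:.0f} B/h")
        if severity == "none":
            severity = "medium"
    return severity, ACTIONS[severity], reasons


def triage(live, baselines):
    """Map each live device to the action the segmentation controller should take."""
    return {obs.device: assess(obs, baselines)[1] for obs in live}


# Constructed live observations after go-live.
LIVE = [
    Observation("10.30.2.40", "infusion-pump", "10.20.5.10", 2575, 51_000),     # normal
    Observation("10.30.2.41", "infusion-pump", "203.0.113.50", 443, 20_000),    # new dest + port
    Observation("10.30.2.42", "infusion-pump", "10.20.5.10", 2575, 90_000),     # volume only
    Observation("10.30.7.1", "imaging", "10.20.6.5", 104, 2_500_000),           # within 3 sigma
    Observation("10.30.9.9", "ventilator", "10.20.5.10", 2575, 10_000),         # never baselined
]

if __name__ == "__main__":
    baselines = build_baselines(OBSERVATION_PHASE)
    for obs in LIVE:
        print(obs.device, assess(obs, baselines))
```

The volume threshold is deliberately the weakest signal: imaging volume varies a lot between studies, so the baseline's own spread (not a fixed number) sets the limit, and a pump that suddenly triples its traffic gets a clinical-engineering ticket rather than being pulled off the network.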
Operational results and sustained compliance posture
The migration to the new architecture took eighteen months across all fourteen facilities, with each facility completing its transition in a four-week window during which both old and new controls operated simultaneously. There were no clinical workflow disruptions during the transition — the proxy-based access model was invisible to clinical staff on managed devices, and the medical device profiling system operated passively without touching clinical equipment. In the first six months of full operation, the system detected and quarantined eleven devices exhibiting anomalous behavior — nine of which turned out to be medical equipment with firmware issues rather than security incidents, and two of which were confirmed compromised endpoints. Both compromised endpoints were contained to their device segments; neither was able to reach clinical systems. The hospital network's annual compliance audit produced a materially improved assessment, with the auditors noting specifically that the device inventory and access documentation were more complete than they had seen in comparable healthcare environments.
Facing a similar infrastructure challenge?
We're happy to have a technical conversation about your specific environment — no commitment required.