April 28

Network Segmentation for Healthcare: What the Proposed Rule Requires and Why It Matters

If a ransomware attack breaches one workstation in your practice, how far can it spread before someone notices? In a flat network, where every device, system, and user shares the same network segment with unrestricted internal traffic, the answer is: everywhere. The front desk computer, the EHR server, the imaging workstation, the billing platform, the Wi-Fi network your patients connect to in the waiting room. Once an attacker gains a foothold, they can move laterally across every system in the environment because nothing stands in their way.

Healthcare network segmentation is designed to prevent exactly this scenario. By dividing a network into isolated zones with controlled access between them, segmentation limits an attacker’s ability to move from one compromised system to another. It contains the blast radius of a breach, protects critical systems from peripheral vulnerabilities, and enforces the access boundaries that HIPAA has always required in principle. Under the proposed HIPAA Security Rule update, network segmentation moves from a best practice to a mandatory requirement. For healthcare organizations of all sizes, this is one of the most operationally significant changes in the proposed rule.

What the Proposed Rule Requires

The proposed update to the HIPAA Security Rule introduces network segmentation as a mandatory implementation specification under 45 CFR § 164.312(a)(2)(vi). Regulated entities will be required to “implement technical controls to segment their electronic information systems in a reasonable and appropriate manner.” The requirement applies to all covered entities and business associates, regardless of size.

The intent, as articulated in the proposed rule and supporting documentation from HHS, is to create clear boundaries between systems that store, process, or transmit ePHI and systems that do not. This includes separating clinical systems from administrative systems, isolating IoT and connected medical devices from the broader network, restricting vendor and third-party access to only the systems they need, and ensuring that guest Wi-Fi networks are completely isolated from systems containing patient data.

The proposed rule also requires that segmentation be supported by a technology asset inventory and a network map illustrating how ePHI moves through the organization’s electronic information systems. These documentation requirements are not standalone obligations; they are foundational to the segmentation requirement itself. You cannot segment what you haven’t mapped, and you cannot map what you haven’t inventoried.

Why Flat Networks Are a Problem

A flat network is one where all devices share the same network segment with little to no restriction on internal communication. In many small and mid-sized healthcare practices, this is the default configuration. The EHR, the billing workstation, the front desk computer, the imaging equipment, the office printer, the smart thermostat, and the patient Wi-Fi all coexist on a single network. Everything can talk to everything.

This architecture is simple to set up and inexpensive to maintain, which is why it persists. But it creates a single point of failure for security. If an attacker compromises any device on the network, whether through a phishing email, a vulnerable IoT device, or a misconfigured remote access point, they can potentially reach every other system on the network. Ransomware deployed on one workstation can propagate across the entire environment in minutes. A compromised smart device in the waiting room can become a pivot point into the EHR. The lack of internal boundaries means there is nothing to slow the attack down, contain it, or limit the damage.

OCR’s enforcement experience reinforces this concern. Breach investigations have repeatedly revealed that attackers gained access through a peripheral system and then moved laterally into systems containing ePHI precisely because the network had no segmentation in place. The proposed rule’s segmentation mandate is a direct response to this pattern.

What Segmentation Looks Like in Practice

For large hospital systems, network segmentation often involves sophisticated microsegmentation platforms, zero-trust architectures, and dedicated security teams managing complex policy engines. For small and mid-sized practices, the approach needs to be proportionate to the organization’s size, complexity, and resources. The proposed rule’s “reasonable and appropriate” language provides room for practices to implement segmentation in a way that fits their environment.

At its most fundamental level, segmentation for a small practice means separating the network into distinct zones based on function and risk level. A practical starting point includes at least three segments: a clinical zone for systems that store or access ePHI (the EHR, billing platform, and clinical workstations), an administrative zone for general business operations that do not require direct access to patient data (email, internet browsing, office productivity tools), and a guest or IoT zone for patient Wi-Fi, smart building devices, and any connected equipment that does not need access to clinical systems.

Most modern business-grade routers and firewalls support VLAN (Virtual Local Area Network) configuration, which provides the foundation for basic segmentation without requiring a complete network redesign. Firewall rules between VLANs control which traffic is permitted between zones, ensuring that devices in the guest zone cannot communicate with systems in the clinical zone, and that administrative workstations can only access clinical systems through defined, authenticated pathways.

The Connected Device Problem

One of the most compelling reasons for the segmentation mandate is the proliferation of connected devices in healthcare environments. IoT devices, including networked printers, IP cameras, environmental sensors, smart displays, and internet-connected medical devices, have expanded the attack surface of healthcare networks dramatically. Many of these devices run outdated firmware, lack the ability to be patched or updated, and were never designed with security as a priority.

When these devices share a network segment with systems containing ePHI, they become potential entry points for attackers. A compromised IP camera or a vulnerable smart thermostat can serve as a launchpad for lateral movement into clinical systems. Segmentation isolates these devices so that even if one is compromised, the attacker cannot reach the systems that matter most. For practices that have adopted connected medical devices, from digital imaging equipment to remote patient monitoring tools, this isolation is not just a compliance requirement. It is a fundamental security control.

Vendor Access and Third-Party Risk

Small practices frequently grant vendors remote access to clinical systems for maintenance, troubleshooting, or software updates. EHR vendors, managed IT providers, billing services, and medical device manufacturers may all have some level of network access. In a flat network, that vendor access is often unrestricted: the vendor connects to the network and can see everything.

Segmentation addresses this by creating controlled access pathways. Vendor traffic can be routed through a dedicated segment with access limited to only the specific systems the vendor needs to reach. Combined with MFA and audit logging, this approach ensures that vendor access is documented, restricted, and monitored. Under the proposed rule, where business associates must provide annual written verification of their security controls, the ability to demonstrate that vendor access is segmented and controlled will be an important component of compliance documentation.

Getting Started Without Rebuilding the Network

The prospect of implementing network segmentation can feel overwhelming for practices that have been running a flat network for years. The good news is that basic segmentation does not require tearing down the existing infrastructure and starting from scratch. For most small practices, the path forward involves a series of incremental steps.

Begin with the asset inventory and network map that the proposed rule already requires. Document every device on the network, identify which systems contain or access ePHI, and map how data flows between them. This exercise alone will reveal the boundaries where segmentation should be applied.

Work with your IT provider or MSP to configure VLANs that separate clinical systems from administrative systems and guest or IoT devices. Implement firewall rules that restrict inter-zone traffic to only what is necessary. Ensure that guest Wi-Fi is fully isolated from any system that touches patient data. Test the configuration to confirm that segmentation is functioning as intended without disrupting clinical workflows. And document everything: the segmentation architecture, the firewall rules, the rationale for each zone, and the testing results. This documentation is the evidence that auditors and regulators will evaluate.
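The three-zone VLAN plan and the "test the configuration" step above can be checked before and after the firewall change by evaluating the flows on the network map against an explicit inter-zone allow list. The script below is an added example, not code from the article or from Axeleos; the subnets, hostnames, ports and flows are constructed sample values for a small practice, and the policy is default-deny between VLANs.

```python
"""Check network-map flows against a zone segmentation policy (added example)."""
import ipaddress

# Constructed VLAN plan: one subnet per zone (assumed layout).
ZONES = {
    "clinical":  ipaddress.ip_network("10.10.10.0/24"),  # EHR, billing, clinical PCs
    "admin":     ipaddress.ip_network("10.10.20.0/24"),  # email, office productivity
    "guest_iot": ipaddress.ip_network("10.10.30.0/24"),  # patient Wi-Fi, IoT devices
    "vendor":    ipaddress.ip_network("10.10.40.0/24"),  # vendor remote-access segment
}

# Constructed asset inventory: hostname -> address (assumed values).
INVENTORY = {
    "ehr-server":    "10.10.10.5",
    "billing-app":   "10.10.10.6",
    "front-desk-pc": "10.10.20.11",
    "lobby-camera":  "10.10.30.40",
    "vendor-vpn":    "10.10.40.2",
}

# Inter-zone allow list: (src_zone, destination, dst_port). The destination is a
# zone name or a specific hostname; any inter-zone flow not listed is denied.
ALLOWED = {
    ("admin",  "ehr-server", 443),   # admin PCs reach only the EHR web front end
    ("vendor", "ehr-server", 3389),  # EHR vendor reaches only its own server
}

def zone_of(ip):
    """Map an address to its zone; 'unknown' flags a gap in the inventory."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def is_allowed(src_ip, dst_ip, dst_port):
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return False                 # unmapped device: deny and fix the inventory
    if src == dst:
        return True                  # same VLAN: no firewall boundary between them
    host = next((h for h, a in INVENTORY.items() if a == dst_ip), None)
    return (src, dst, dst_port) in ALLOWED or (src, host, dst_port) in ALLOWED

def check_flows(flows):
    """Return the flows from a network map that the policy denies."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed flows, as if read off the practice's network map.
SAMPLE_FLOWS = [
    ("10.10.20.11", "10.10.10.5", 443),   # front desk -> EHR web: allowed
    ("10.10.30.40", "10.10.10.5", 445),   # lobby camera -> EHR SMB: denied
    ("10.10.40.2",  "10.10.10.6", 3389),  # vendor -> billing server: denied
    ("10.10.10.5",  "10.10.10.6", 1433),  # EHR -> billing DB: same zone, allowed
]

if __name__ == "__main__":
    for flow in check_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```

Running the flows that the script flags as denied against the live firewall (and confirming they are in fact blocked) is the test evidence the documentation step asks for; any "unknown" zone result points at a device missing from the inventory.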

Containing the Blast Radius

Network segmentation is not about preventing every possible attack. It is about limiting the damage when an attack succeeds. In a segmented environment, a compromised workstation stays a compromised workstation rather than becoming a practice-wide catastrophe. The proposed HIPAA Security Rule makes this control mandatory because the evidence is clear: flat networks in healthcare are contributing to the scale and severity of breaches that segmented architectures would have contained.

At Axeleos, we help healthcare practices implement security controls that meet regulatory requirements without overwhelming limited resources. Sentraeus360 provides the compliance framework and tools to build your asset inventory, map your data flows, and document the segmentation architecture that auditors expect. Contact us today to start building the boundaries that protect your practice from the inside out.
