On April 18, 2026, a San Antonio cardiology practice discovered that an unauthorized device had been connected to its network for 23 days. The device, a consumer-grade smart TV brought in by a staff member for the break room, had connected automatically to the practice's open Wi-Fi and was communicating with external servers in Eastern Europe. The TV had no business on a medical network, had no security controls, and was invisible to the practice's IT staff. It was discovered only when network monitoring flagged unusual outbound traffic patterns during a routine security review.
Network Access Control (NAC) has become essential for Texas medical practices facing an explosion of connected devices. Medical equipment, staff smartphones, patient tablets, guest devices, and IoT equipment all demand network access, but each introduces potential security risks. In Q1 2026, 67% of Texas medical practices reported discovering unauthorized devices on their networks during security assessments, with an average of 12 unknown devices per practice.
The San Antonio practice's experience is typical. Their network had grown organically over years, with devices added without formal provisioning processes. They had 47 known medical devices, 23 staff workstations, and an estimated 60 personal devices connecting daily. But they also had 14 devices they could not identify, including the smart TV, a wireless printer installed by a vendor without documentation, and several personal tablets that had cached network credentials from previous staff members.
The Device Proliferation Challenge
Medical practices face unique device management challenges that make traditional network security models inadequate:
Medical device diversity. Modern practices deploy a wide range of connected medical equipment, from imaging systems and patient monitors to infusion pumps and diagnostic devices. These devices often run embedded operating systems that cannot receive traditional security agents. They may have hardcoded credentials, unpatched vulnerabilities, and limited management interfaces. The San Antonio practice had 23 different medical device types from 14 vendors, each with unique network requirements and security profiles.
BYOD prevalence. Staff expect to use personal smartphones and tablets for work communication, EHR access, and clinical reference. Patients increasingly expect Wi-Fi access for their devices during visits. Without proper controls, these devices can introduce malware, create data exfiltration pathways, and provide pivot points for network attacks. The San Antonio practice's staff used an estimated 34 personal devices for work purposes daily.
Guest and vendor access. Medical practices regularly host visitors who need network access, including pharmaceutical representatives, equipment vendors, and visiting specialists. Traditional approaches either deny access entirely or provide open guest networks that create security risks. Vendor devices used for equipment maintenance often require network connectivity but lack security oversight.
IoT and operational technology. Beyond medical devices, practices deploy building automation systems, security cameras, HVAC controls, and other IoT equipment. These devices often have minimal security, default credentials, and automatic update mechanisms that can introduce vulnerabilities. They frequently connect to the same network as patient data systems without segmentation.
How Network Access Control Works
Network Access Control provides zero-trust device security by authenticating and authorizing every device before granting network access:
Device identification and profiling. NAC systems automatically discover and identify devices connecting to the network. They analyze device characteristics including MAC address, operating system, hardware type, and network behavior to build device profiles. This identification happens before any network access is granted, preventing unknown devices from communicating with production systems.
Authentication and authorization. Each device must authenticate before receiving network access. Authentication methods vary by device type: domain-joined workstations use Active Directory, medical devices may use certificate-based authentication, and guest devices use captive portal registration. Authorization policies determine what network resources each device can access based on identity, device type, and security posture.
Posture assessment and compliance. NAC systems evaluate device security posture before granting access. For managed devices, this includes checking antivirus status, patch levels, and security configuration. Non-compliant devices are quarantined to remediation networks where they can receive updates but cannot access production systems. The San Antonio practice's NAC implementation now verifies that all Windows devices have current patches and active endpoint protection before allowing EHR access.
Segmentation and access control. Based on device identity and authorization, NAC enforces network segmentation that limits device communication to required resources only. Medical devices may access only their vendor cloud services and internal management systems. Guest devices receive internet access only. Staff devices access resources based on their role and authentication. This segmentation prevents lateral movement and contains potential compromises.
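The four steps above can be read as one admission decision per device. The sketch below is an added example, not code from any NAC product; the segment names, resource labels and `Device` fields are assumptions, and the 8-hour guest lifetime is the figure this article reports for the San Antonio practice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GUEST_LIFETIME = timedelta(hours=8)  # guest expiry reported in the article

@dataclass
class Device:
    mac: str
    device_class: str        # profiling result: workstation, medical, guest, unknown
    auth: Optional[str]      # "ad", "cert", "mab", "portal", or None if auth failed
    patched: bool = False
    endpoint_protection: bool = False
    registered_at: Optional[datetime] = None  # captive-portal registration time

# Hypothetical segments and the only resources each one may reach
SEGMENTS = {
    "clinical": {"ehr", "internal"},
    "medical": {"vendor-cloud", "device-mgmt"},
    "guest": {"internet"},
    "remediation": {"patch-server"},
    "deny": set(),
}

def assign_segment(d: Device, now: datetime) -> str:
    """Identify, authenticate, check posture, then pick the narrowest segment."""
    if d.auth is None or d.device_class == "unknown":
        return "deny"                      # unprofiled or unauthenticated: no access
    if d.device_class == "guest":
        if d.auth != "portal" or d.registered_at is None:
            return "deny"
        expired = now - d.registered_at >= GUEST_LIFETIME
        return "deny" if expired else "guest"
    if d.device_class == "medical":
        # Agentless devices: certificate where supported, MAC auth bypass otherwise
        return "medical" if d.auth in ("cert", "mab") else "deny"
    if d.device_class == "workstation":
        if d.auth != "ad":
            return "deny"
        compliant = d.patched and d.endpoint_protection
        return "clinical" if compliant else "remediation"  # quarantine until fixed
    return "deny"                          # default deny for any unlisted class

def may_reach(d: Device, resource: str, now: datetime) -> bool:
    return resource in SEGMENTS[assign_segment(d, now)]
```

MAC authentication bypass identifies a device only by an address that can be copied, which is why the medical segment in this sketch reaches nothing beyond vendor cloud and device management.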
NAC Implementation for Medical Practices
Implementing NAC in medical environments requires addressing specific healthcare requirements:
Medical Device Integration
Medical devices often cannot run traditional NAC agents or participate in authentication protocols. Implementation must support agentless profiling, MAC authentication bypass for legacy devices, and certificate-based authentication where supported. Device profiles should be created for each medical device type with appropriate network segmentation and monitoring.
Clinical Workflow Preservation
NAC cannot disrupt clinical operations. Implementation must ensure that medical devices receive immediate network access without authentication delays that could affect patient care. Emergency override procedures should allow rapid network access for critical devices while maintaining audit trails for compliance.
Guest and Visitor Management
Visitor access should be self-service through captive portals with sponsor approval workflows. Access should be time-limited and bandwidth-restricted. Visitor devices must be isolated from clinical networks regardless of authentication status. The San Antonio practice implemented guest access that expires after 8 hours and requires daily re-registration.
Vendor and Contractor Access
Third-party access requires special controls including pre-registered device lists, time-limited access windows, and activity monitoring. Vendor devices should never have unrestricted network access. Remote vendor support should use secure jump hosts rather than direct network connection.
Continuous Monitoring and Response
NAC is not a one-time authentication event. Systems must continuously monitor device behavior and network activity, automatically responding to anomalies by quarantining devices, alerting security staff, or triggering incident response procedures. The San Antonio practice's NAC now automatically isolates devices exhibiting suspicious traffic patterns.
Zero-Trust Architecture Benefits
NAC enables zero-trust security principles that are essential for modern medical practice protection:
Never trust, always verify. Zero-trust assumes that no device should be trusted by default, regardless of network location or previous access. Every device must authenticate and demonstrate compliance before accessing resources. This approach prevents attackers from leveraging network access to move laterally and access sensitive systems.
Least-privilege access. Devices receive only the minimum network access required for their function. A medical device that only needs to communicate with its vendor cloud service cannot access the EHR server. A guest device cannot see internal network resources. This containment limits the damage from compromised devices.
Assume breach. Zero-trust architecture assumes that breaches will occur and designs controls to contain their impact. Network segmentation prevents a compromised smart TV from accessing patient data. Device isolation prevents malware on a staff smartphone from spreading to medical systems. Monitoring and response capabilities detect and contain threats quickly.
Texas Medical Practice NAC Trends
Q1 2026 data shows significant NAC adoption among Texas medical practices:
Adoption rates by practice size. Practices with 10+ providers show 54% NAC deployment, while smaller practices lag at 23%. The complexity of device management in larger practices drives adoption, but smaller practices face proportionally similar risks from unmanaged devices.
Integration with EHR security. Leading implementations integrate NAC with EHR access controls, ensuring that only compliant devices can access patient data systems. This integration addresses OCR expectations for technical safeguards and provides audit trails for compliance documentation.
Cloud-managed solutions. Cloud-based NAC platforms are gaining popularity among Texas practices, reducing infrastructure requirements and enabling rapid deployment. These solutions provide centralized policy management and threat intelligence integration without requiring on-premises appliance infrastructure.
Immediate Action Items
Given the device proliferation risks and NAC's proven effectiveness, immediate action is essential:
This Week: Conduct a device inventory to identify all connected devices on your network. Use network scanning tools to discover unknown devices. Document medical equipment, staff devices, guest access, and IoT systems. Identify devices that cannot be accounted for or properly managed.
This Month: Evaluate NAC solutions appropriate for your practice size and complexity. Consider cloud-managed options for simplified deployment. Develop policies for device authentication, guest access, and medical device integration. Plan implementation phases that preserve clinical operations.
This Quarter: Implement NAC with initial focus on unknown device discovery and guest network segmentation. Expand to medical device profiling and staff device compliance checking. Integrate with EHR access controls for comprehensive protection. Establish monitoring and response procedures for policy violations.
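For the device inventory step, the core task is reconciling what the network actually sees against what the practice has on record. The following is an added example, not part of the original article: the lease rows, inventory entries and their layout are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: "ip mac hostname" rows, as a DHCP lease export might list them
LEASES = """\
10.0.20.11 00:1B:44:11:3A:B7 ecg-cart-01
10.0.20.57 3C:5A:B4:9F:10:22 breakroom-tv
10.0.20.80 DA:A1:19:6E:04:C3 -
10.0.20.91 00-1b-44-11-3a-c9 ws-frontdesk
"""

# Constructed inventory: normalized MAC -> (owner, device type)
INVENTORY = {
    "00:1b:44:11:3a:b7": ("Cardiology", "ECG cart"),
    "00:1b:44:11:3a:c9": ("Front desk", "workstation"),
    "00:1b:44:11:3a:d0": ("Billing", "workstation"),
}

def normalize_mac(raw: str) -> str:
    """Accept colon, dash or bare-hex notation; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """True when the locally-administered bit is set, as with randomized
    (private) addresses on phones and tablets; such a MAC names no vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def reconcile(lease_text: str, inventory: dict):
    """Return (unknown devices seen on the network, inventoried MACs not seen)."""
    seen = {}
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed rows
        host = parts[2] if len(parts) > 2 else "-"
        seen[normalize_mac(parts[1])] = (parts[0], host)
    unknown = [
        {"mac": mac, "ip": ip, "host": host,
         "randomized": is_locally_administered(mac)}
        for mac, (ip, host) in seen.items() if mac not in inventory
    ]
    missing = sorted(set(inventory) - set(seen))  # offline, or a stale record
    return unknown, missing
```

Devices flagged `randomized` cannot be tracked by MAC from one day to the next, so they need registration through a portal or certificate rather than an inventory entry.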
Conclusion
The San Antonio cardiology practice's smart TV discovery illustrates the device management challenge facing Texas medical practices. Unmanaged devices connect to clinical networks daily, introducing vulnerabilities that traditional security controls cannot address. Network Access Control provides the zero-trust architecture necessary to authenticate every device, enforce least-privilege access, and contain potential compromises.
The 67% of Texas practices discovering unauthorized devices during assessments indicates widespread gaps in device visibility and control. Each unknown device represents a potential attack pathway, data exfiltration channel, or compliance violation. As medical practices deploy more connected equipment and accommodate BYOD expectations, these risks will continue growing without proper access control implementation.
NAC implementation requires investment in technology, policy development, and operational processes. But the alternative, accepting unknown devices on networks containing patient data, creates unacceptable risk given the modern threat landscape. Texas medical practices must implement zero-trust device security to protect patient information, satisfy compliance requirements, and maintain operational integrity in an increasingly connected healthcare environment.
67% of Texas medical practices discovered unauthorized devices on their networks in Q1 2026, with an average of 12 unknown devices per practice. If you cannot account for every device connecting to your network, you have potential security vulnerabilities that NAC can address.