In March 2026, a ransomware attack hit a cloud EHR provider's shared infrastructure. Within hours, the malware had spread laterally through their network, reaching customer data across 400 medical practices. Practices using the affected cloud service were compromised through no fault of their own. They simply happened to share infrastructure with a vulnerable neighbor.
Meanwhile, a Dallas orthopedic practice on private infrastructure continued seeing patients without interruption. Their EHR server was isolated on a segmented network with no pathway for external threats to reach it. The ransomware spreading through cloud infrastructure could not touch their systems because their systems were not connected to that infrastructure.
This is the power of network segmentation, and it is the most underutilized security control in medical practices today.
Network segmentation is the practice of dividing your network into isolated zones, each with specific access rules. Think of it as creating separate rooms in your practice with locked doors between them, rather than one giant open floor plan.
Proper segmentation for a medical practice typically includes:
Each segment is separated by firewalls with explicit allow rules. Traffic cannot flow between segments unless specifically permitted. If one segment is compromised, the damage is contained.
Cloud EHR vendors talk about security, but they cannot offer true network segmentation to individual practices. Here is why:
Shared Infrastructure: Your data lives on servers shared with hundreds or thousands of other practices. You are all on the same network, separated only by software controls. When another customer is compromised, your data is at risk.
Always-On Connectivity: Cloud EHRs require constant internet connectivity to function. Your most sensitive systems are always connected to the public internet, creating a permanent attack surface.
No Network Control: You cannot see, configure, or monitor the network that carries your patient data. The segmentation that matters is completely outside your control.
Network segmentation is the foundation. Zero-trust architecture builds on it with a simple principle: never trust, always verify.
In a zero-trust model, even users and devices inside your network must authenticate for every access request. Just because a device is on the clinical network does not mean it can access the EHR. Each access requires explicit verification of identity, device health, and authorization level.
The 2026 HIPAA updates specifically reference zero-trust as an expected security standard. OCR is now asking auditors about zero-trust implementation as part of risk assessment reviews.
Medical devices represent a unique segmentation challenge. Imaging machines, patient monitors, and diagnostic equipment often run outdated operating systems with known vulnerabilities. Yet they must connect to your network to function.
A March 2026 HIMSS survey found that 60% of health systems cannot properly protect unmanaged medical devices. This gap is being exploited by ransomware groups who specifically target vulnerable medical equipment as entry points.
Proper medical device segmentation creates isolated device networks with strict controls. Devices connect to dedicated isolated segments with no internet access. Communication to EHR systems passes through secure gateways. Vulnerable devices cannot be reached from other network segments.
In February 2026, a San Antonio cardiology practice experienced a phishing attack that compromised an administrative assistant's computer. The malware attempted to spread laterally, seeking patient data and EHR access.
But the practice had implemented proper network segmentation six months earlier. The compromised administrative workstation could only reach other administrative systems. It had no network pathway to the clinical segment where EHR servers resided. The practice cleaned one infected computer and resumed operations within hours.
When your infrastructure is on-premises, you control the network completely. We implement segmentation that cloud EHRs cannot match:
Physical Network Isolation: Clinical systems run on physically separate network hardware from administrative systems. Air-gapped where appropriate. No shared switches, no shared routers, no shared vulnerability.
Microsegmentation: Beyond broad network segments, we implement microsegmentation isolating individual systems. Your EHR database server can communicate only with your application server, not with any other system.
Software-Defined Perimeters: We deploy zero-trust software-defined perimeters that make your critical systems invisible to unauthorized devices. If a device is not explicitly authorized, it cannot discover that your EHR exists.
Continuous Monitoring: Our security operations center monitors cross-segment traffic for anomalies. Any unexpected attempt to communicate between segments triggers immediate alerts and automatic blocking.
For practices beginning segmentation implementation, we recommend a phased approach:
Phase 1: Basic Separation (Weeks 1-4)
Separate guest WiFi from practice networks. Isolate medical devices onto dedicated network segments. Document current network architecture and access flows.
Phase 2: Clinical Isolation (Weeks 5-12)
Create dedicated clinical network segments for EHR and critical systems. Implement firewall rules limiting cross-segment traffic. Deploy multi-factor authentication for segment access.
Phase 3: Zero-Trust Implementation (Weeks 13-24)
Implement software-defined perimeters. Deploy continuous monitoring and behavioral analytics. Establish automated response workflows for segmentation violations.
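The default-deny firewall rules of Phase 2, the microsegmented EHR database, and the cross-segment alerting described earlier can be modelled in a few dozen lines. The following is an added example, not WhyNotDoc's tooling; the segment addresses, ports and sample flows are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

SEGMENTS = {  # constructed example addressing for the segments named in the post
    "admin": ip_network("10.10.0.0/24"),
    "clinical": ip_network("10.20.0.0/24"),  # EHR app server, EHR database, device gateway
    "devices": ip_network("10.30.0.0/24"),   # imaging, monitors: no internet, gateway only
}
# Explicit allow rules between segments as (src, dst, tcp_port); anything absent is denied.
SEGMENT_ALLOW = {
    ("admin", "internet", 443),      # administrative workstations may browse the web
    ("clinical", "clinical", 443),   # clinical workstations -> EHR application server
    ("devices", "clinical", 8443),   # medical devices -> secure gateway only
}
HOST_ALLOW = {  # microsegmentation: these hosts accept only the listed (src_ip, port) pairs
    "10.20.0.20": {("10.20.0.10", 5432)},  # EHR database reachable from the EHR app server alone
}

def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"  # anything outside the practice's private ranges

def evaluate(src_ip, dst_ip, port):
    # Default deny: host-level rule is checked first, then the segment-level rule.
    if dst_ip in HOST_ALLOW:
        return "allow" if (src_ip, port) in HOST_ALLOW[dst_ip] else "deny"
    if (segment_of(src_ip), segment_of(dst_ip), port) in SEGMENT_ALLOW:
        return "allow"
    return "deny"

def audit(flows):
    """Decide every flow; a denied flow that starts inside the practice is a segmentation
    violation (possible lateral movement) and produces an alert, unlike inbound internet noise."""
    decisions, alerts = [], []
    for src_ip, dst_ip, port in flows:
        verdict = evaluate(src_ip, dst_ip, port)
        decisions.append(verdict)
        if verdict == "deny" and segment_of(src_ip) != "internet":
            alerts.append(f"{src_ip} ({segment_of(src_ip)}) -> {dst_ip}:{port} ({segment_of(dst_ip)})")
    return decisions, alerts

SAMPLE_FLOWS = [  # constructed flows mirroring the post's scenarios
    ("10.10.0.15", "10.20.0.10", 443),   # compromised admin workstation -> EHR app server
    ("10.30.0.7", "8.8.8.8", 443),       # imaging device -> internet
    ("10.30.0.7", "10.20.0.30", 8443),   # imaging device -> device gateway
    ("10.20.0.5", "10.20.0.20", 5432),   # clinical workstation -> EHR database directly
    ("10.20.0.10", "10.20.0.20", 5432),  # EHR app server -> EHR database
]
```

Running `audit(SAMPLE_FLOWS)` denies the admin-to-clinical, device-to-internet and workstation-to-database flows and raises an alert for each, while the gateway and app-server-to-database flows pass.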
Book a free network security assessment. We will map your current network architecture, identify segmentation gaps, and show you how private infrastructure provides the security controls cloud EHRs cannot offer.
Call 469-252-7016 or schedule online. We secure medical practices throughout Texas.