Vertical · Healthcare

Medical devices on their own island.

Healthcare networks carry EHR traffic, imaging, medical-device telemetry, and clinician-mobility sessions on the same wire. Netcom designs the segmentation that keeps an infusion pump from being two TCP hops away from an attacker-controlled workstation — while keeping Epic, Cerner, and athena under 200ms.

HIPAA: Security Rule-aligned design with BAA-ready managed service and audit trail
600+: medical-device classes profiled for VLAN assignment and policy enforcement
Zero: clinical downtime targeted during cutover — every change has a reversible window
[Figure: Healthcare · Mid-Market Reference. Healthcare reference architecture: FortiGate 600F HA cluster with Aruba ClearPass profiling, device-class VLANs (medical IoT, imaging, clinician, admin, guest), FortiClient ZTNA for telehealth, and EHR QoS plane.]
Healthcare-specific pain

The medical-device problem is a network problem.

Most medical devices were designed without security as a first-class concern — and many of them can't be patched on your schedule because they're FDA-cleared as-is. The result: a typical clinic carries dozens of device classes that must coexist on the same physical network with clinician workstations, guest Wi-Fi, VoIP phones, and the EHR itself.

The solution isn't "buy a better infusion pump." It's architecture: dynamic VLAN assignment at the switch port, role-based policy at the firewall, and zero east-west trust inside the data center. When an unpatchable device gets compromised, the blast radius is one VLAN — not the whole clinic.

Netcom designs healthcare networks around three anchors. Segmentation by device class (not just by location). Clinician mobility via Zero Trust access (no VPN). And QoS that guarantees EHR and imaging get the pipe they need while guest Wi-Fi is rate-limited and isolated. Cutover always happens in reversible windows — the night before is never more important than the morning clinic.

Aligned to the frameworks your compliance team already cites.

HIPAA Security Rule
HITRUST CSF v11
HHS 405(d) HICP
NIST 800-66 r2
FDA pre/post-market guidance for medical devices
21st Century Cures Act · FHIR interoperability

Segmented by device class. Enforced in hardware.

Sized for a multi-clinic group (3–50 clinics) or a mid-sized hospital campus. Enterprise health systems extend the same pattern to Cisco Catalyst + ISE.

[Figure: Healthcare mid-tier: device-class VLANs (110 medical IoT, 120 imaging, 130 clinician, 140 admin, 190 guest) with east-west deny-by-default and per-VLAN policy driven by Aruba ClearPass medical-device profiling. Healthcare · 3–50 clinics or mid-sized hospital campus · 500–5,000 endpoints.]

FortiGate HA cluster + Aruba ClearPass device profiling

FortiGate 600F HA pair at the data-center core runs NGFW, SSL inspection with HIPAA carve-outs, and IPS tuned for medical-device protocols. Aruba ClearPass profiles every endpoint at the switch port — infusion pumps, ultrasound carts, nurse stations, guest phones — and dynamically assigns VLAN + role-based policy. FortiClient ZTNA replaces VPN for telehealth clinicians. Epic/Cerner/athena traffic gets explicit QoS on the WAN path; guest Wi-Fi is captive-portaled and rate-limited.
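As an added illustration of the deny-by-default, per-VLAN policy described above (not Netcom's tooling and not a FortiGate or ClearPass configuration), the following Python models the five device-class VLANs with an assumed allow-list and computes what a compromised host can still reach, contrasted with a flat network. The "dc" and "wan" zones, the service names and every rule in the allow-list are assumptions for the example.

```python
"""Deny-by-default inter-VLAN policy model for the device-class plan above.

Added illustration, not Netcom's design tooling or a FortiGate/ClearPass
configuration. The zone names, services and the allow-list are assumptions.
"""
from dataclasses import dataclass

# Device-class VLANs as listed on the page, plus two assumed destination zones.
VLANS = {110: "medical-iot", 120: "imaging", 130: "clinician", 140: "admin",
         190: "guest", "dc": "data-center", "wan": "internet"}
SERVICES = ("ehr", "dicom", "telemetry", "mgmt", "https", "smb", "rdp")


@dataclass(frozen=True)
class Rule:
    src: object       # VLAN id or zone name; "*" matches any
    dst: object
    service: str      # "*" matches any service


# Explicit allow-list (assumed); anything unmatched is dropped east-west.
SEGMENTED = [
    Rule(130, "dc", "ehr"),        # clinician workstations reach the EHR
    Rule(120, "dc", "dicom"),      # imaging modalities push studies to PACS
    Rule(110, "dc", "telemetry"),  # pumps report to the device gateway only
    Rule(140, "*", "mgmt"),        # admin manages every VLAN; nothing manages admin
    Rule(130, "wan", "https"),
    Rule(190, "wan", "https"),     # guest gets internet and nothing on the LAN
]
FLAT = [Rule("*", "*", "*")]       # the pre-refresh flat network, for contrast


def _match(pattern, value):
    return pattern == "*" or pattern == value


def allowed(src, dst, service, rules=SEGMENTED):
    """True only if some rule explicitly permits src -> dst for service."""
    if src == dst:                 # intra-VLAN traffic is not a firewall decision here
        return True
    return any(_match(r.src, src) and _match(r.dst, dst) and _match(r.service, service)
               for r in rules)


def blast_radius(compromised, rules=SEGMENTED):
    """(zone, service) pairs a compromised host in `compromised` can still reach."""
    return sorted((VLANS[dst], svc) for dst in VLANS if dst != compromised
                  for svc in SERVICES if allowed(compromised, dst, svc, rules))


if __name__ == "__main__":
    print("flat network, pump compromised:", len(blast_radius(110, FLAT)), "reachable pairs")
    print("segmented, pump compromised:   ", blast_radius(110))
    print("segmented, guest compromised:  ", blast_radius(190))
```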

Role | Vendor & Model | Notes | License
Data-center NGFW (HA) | Fortinet FortiGate 600F · active-passive | 12 Gbps threat-inspected · HIPAA-aware policy | UTP Bundle
Clinic edge | FortiGate 80F + FortiExtender 511F | 5G cellular built-in for circuit redundancy | UTP Bundle
Access switching | Aruba CX 6300M-48G-PoE4+ | 60W PoE · dynamic VLAN from ClearPass | Foundation
Clinical Wi-Fi | Aruba AP-635 (Wi-Fi 6E) | Tri-band · 6 GHz for new clinician devices | Foundation + ClearPass
Device profiling + NAC | Aruba ClearPass | 600+ medical device fingerprints · auto-VLAN | Per-endpoint
Clinician Zero Trust | FortiClient ZTNA | Telehealth + remote clinician · no VPN | Per-user
EHR QoS | FortiGate app-aware + SD-WAN | Epic/Cerner/athena classified + priority-queued | Included
Logging + audit | FortiAnalyzer + Splunk forwarder | HIPAA-aligned retention · immutable logs | Per-ingest
Guest Wi-Fi | Separate SSID · captive portal | Isolated VLAN · bandwidth capped · no LAN access | Included

Composite examples from healthcare engagements.

Illustrative customers drawn from real deployment patterns. Names are fictional; scope, vendors, and outcomes reflect actual Netcom work.

Regional Clinic Group · 42 clinics

Harbor Point Medical Group · HIPAA-aligned refresh

Audit cycle flagged flat-network findings across 42 clinics. Netcom designed a FortiGate 600F core with Aruba ClearPass profiling every port, a new VLAN plan per device class, and cutover sequenced around clinic hours. Two surprises during rollout: a vendor-supplied ultrasound cart shipped with a hardcoded IP address that couldn't be DHCP'd, forcing a per-device static reservation rule at eight clinics. One clinic had an undocumented lab-analyzer VLAN that only appeared on the wire at 9pm — caught cutover night when results stopped routing, patched before morning draw. 16-week plan held; zero clinical downtime; some long nights.

0 clinical downtime during 16-wk cutover
Surgical Specialty · Hospital Campus

Summit Valley Surgical Partners · OR/imaging isolation

New-construction Epic deployment required strict isolation of the operating-room network, imaging (PACS/DICOM), and anesthesia devices. Netcom delivered dedicated Catalyst 9300-48UXM stacks per OR with TrustSec SGTs, a 9500 StackWise Virtual core, and prioritized paths to the radiology array. Had to pivot mid-design: original plan used a shared 100G uplink aggregation to radiology — turned out PACS peak draw during M-Tu-Th morning rounds overwhelmed one side of the LAG. Reconfigured to dual active-active 100G with per-modality flow hashing. Latency hit target on retrofit.

<50 ms PACS retrieve latency under peak load
Multi-Location Dental · 60 sites

Cedar Creek Dental Network · cellular-backed refresh

Dental network with 60 locations on a mix of low-bandwidth DSL and cable. Netcom deployed Meraki MX67 + Cradlepoint S700 5G failover, a new imaging SSID isolated from guest, and remote-worker FortiClient ZTNA for administrative staff. Not every location went smoothly: three rural offices had cellular signal too weak for a reliable primary, requiring roof-mounted Panorama MIMO antennas with 25-foot LMR-400 runs. One practice owner refused the antenna on aesthetic grounds and ended up accepting a bonded-DSL upgrade instead. 56 of 60 sites live on the uniform standard; four on per-site carve-outs documented in the runbook.

60 locations on uniform SD-WAN + cellular

Ready to get medical devices off the flat network?

Tell us your clinic count, device inventory (rough), and EHR platform. Within 10 business days you'll get a segmentation plan, a BOM, and a cutover schedule sequenced around clinic hours.