Why Guest Wi-Fi Should Never Touch Your Clinical Network
One Network, Many Strangers
Walk into a typical small clinic and ask how the network is laid out, and the honest answer is often: everything is on one network. The front-desk computers, the EHR workstations, the patient Wi-Fi in the waiting room, the smart thermostat, the networked printer, the digital X-ray sensor, the VoIP phones — all of it sharing the same flat network, able to talk to each other freely.
This is convenient. It is also a quiet liability. A flat network means that anything which gets compromised — a patient’s malware-infected phone on the guest Wi-Fi, a vulnerable IoT device, a printer with default credentials — has a direct path to the systems that hold electronic protected health information (ePHI). Network segmentation is the discipline of building walls inside your network so that a problem in one area cannot freely spread to another. For a healthcare practice, the most important wall is the one between guest Wi-Fi and the clinical network.
The HHS/OCR proposed updates to the HIPAA Security Rule, published in early 2025, would make network segmentation a more explicit expectation. The current Security Rule already requires reasonable and appropriate technical safeguards, and segmentation is squarely within that. But you don’t need a regulatory mandate to see the logic: a guest should never be able to reach the EHR.
Why Guest Wi-Fi Is the Highest Priority
Guest Wi-Fi exists to give patients and visitors internet access. By design, you have no control over the devices that connect to it. A patient’s phone might be running outdated software, carrying malware, or actively compromised. A visitor’s laptop might be part of a botnet. You cannot patch these devices, you cannot scan them, and you cannot trust them.
If that guest network shares the same broadcast domain as your clinical systems, then every one of those untrusted devices is, from a network perspective, a neighbor of your EHR workstation. An attacker who controls a device on the guest network can attempt to discover and reach clinical systems directly. The fix is architectural: guest Wi-Fi must be isolated so that it provides internet access and nothing else — no visibility into, and no route to, the clinical network.
“Guest Wi-Fi should do exactly one thing: get visitors to the internet. The moment it can also reach a clinical workstation, it has become an attack path that you’ve invited into your waiting room.”
The Other Devices That Need Their Own Lane
Guest Wi-Fi is the clearest case, but it is not the only category of device that should be kept away from clinical systems. Effective segmentation groups devices by trust level and function.
IoT and Building Systems
Smart thermostats, networked security cameras, smart TVs in waiting rooms, building automation controllers — these “Internet of Things” devices are notorious for weak security. Many ship with default credentials, receive infrequent firmware updates, and are difficult to monitor. They serve a useful purpose, but they have no business sitting on the same network segment as ePHI. A dedicated IoT segment contains the risk if one of these devices is compromised.
Patient and Personal Devices
Beyond the guest Wi-Fi, consider any patient-facing technology — check-in kiosks, tablets used for intake forms, patient entertainment systems. These interact with the public and should be segmented according to their actual need. A kiosk that submits intake data to the EHR needs a controlled, specific path to do so — not full membership on the clinical network.
Printers and Multifunction Devices
Networked printers and multifunction copiers are easy to overlook, but they are full-fledged networked computers. They often hold cached copies of documents — including PHI — in memory or on internal storage, and they frequently run outdated firmware with default administrative passwords. A printer on a flat network is both a target and a pivot point. Segmenting print devices, and locking down their management interfaces, removes a commonly exploited weak link.
Medical Equipment
Networked medical devices — digital imaging systems, diagnostic equipment, lab analyzers — present a particular challenge. They may run old, unsupported operating systems that cannot be patched, because the device manufacturer has not certified updates. You cannot always secure the device itself, but you can control its blast radius. Placing legacy medical equipment on a tightly restricted segment, with strict rules about what it can communicate with, lets you keep using necessary equipment without letting its vulnerabilities endanger everything else.
What Good Segmentation Looks Like
Segmentation does not require enterprise-grade complexity. For a small practice, a sensible structure might include:
- A clinical/trusted segment for EHR workstations, servers, and the systems that directly handle ePHI — tightly controlled and monitored.
- A guest segment that provides internet-only access, fully isolated from all internal resources.
- An IoT/building segment for cameras, thermostats, smart devices, and other low-trust hardware.
- A device segment for printers and shared peripherals, with management interfaces locked down.
- A restricted segment for legacy medical equipment that cannot be patched, with explicit rules governing its limited communication needs.
The walls between these segments are enforced with VLANs and firewall rules that default to denying traffic and only allow the specific connections each segment legitimately needs. The principle is least privilege applied to the network: a device can reach exactly what its job requires and nothing more.
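To make the "default deny, explicit allow" principle concrete, here is an added example (not code from the original article) that models the five segments above as VLAN subnets and evaluates candidate flows against an explicit allow-list. The subnet ranges, hosts and ports (9100 for printing, 104 for a DICOM transfer to a PACS server) are illustrative assumptions, not a real practice's configuration; anything not listed is denied, which is the behaviour a real inter-VLAN firewall should reproduce.

```python
"""Default-deny inter-segment policy for a small clinic network (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Illustrative VLAN plan: one /24 per segment from the article (assumed values).
SEGMENTS = {
    "clinical": ip_network("10.10.10.0/24"),
    "guest":    ip_network("10.10.20.0/24"),
    "iot":      ip_network("10.10.30.0/24"),
    "devices":  ip_network("10.10.40.0/24"),
    "medical":  ip_network("10.10.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # source segment name
    dst: str              # destination segment name ("internet" = any public address)
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # destination port, None = any port


# The complete allow-list. Everything else between segments is dropped.
# Return traffic is assumed to be handled by a stateful firewall.
ALLOW = [
    # guest: internet only (web and DNS)
    Rule("guest", "internet", "tcp", 80),
    Rule("guest", "internet", "tcp", 443),
    Rule("guest", "internet", "udp", 53),
    # clinical workstations may print (assumed raw-print port 9100) and reach the internet
    Rule("clinical", "devices", "tcp", 9100),
    Rule("clinical", "internet", "tcp", 443),
    # imaging equipment may only send studies to the clinical PACS (assumed DICOM port 104)
    Rule("medical", "clinical", "tcp", 104),
    # IoT devices: vendor cloud over HTTPS only
    Rule("iot", "internet", "tcp", 443),
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; unknown private space is 'unknown' and never matches a rule."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown" if addr.is_private else "internet"


def allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule matches it."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src in SEGMENTS:
        return True  # traffic inside one segment is switched, not filtered here
    return any(
        r.src == src and r.dst == dst and r.proto == proto and (r.port is None or r.port == port)
        for r in ALLOW
    )


# Constructed sample flows with the verdict a practitioner would expect.
SAMPLE_FLOWS = [
    ("10.10.20.57", "8.8.8.8",     "udp", 53),    # guest phone resolving DNS: allow
    ("10.10.20.57", "10.10.10.5",  "tcp", 445),   # guest phone -> EHR server SMB: deny
    ("10.10.30.12", "10.10.10.5",  "tcp", 443),   # lobby camera -> EHR server: deny
    ("10.10.50.3",  "10.10.10.5",  "tcp", 104),   # imaging unit -> PACS: allow
    ("10.10.10.21", "10.10.40.9",  "tcp", 9100),  # workstation -> printer: allow
    ("10.10.40.9",  "10.10.10.21", "tcp", 22),    # printer -> workstation: deny (no pivot path)
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (flow, verdict) pairs for a list of flows."""
    return [(f, allowed(*f)) for f in flows]


if __name__ == "__main__":
    for flow, ok in evaluate():
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]}")
```

The useful property to notice is that the guest segment has no entry whose destination is an internal segment at all, so its isolation does not depend on remembering to block each internal host; and the printer-to-workstation flow is denied even though the reverse direction is allowed, which is what stops a compromised peripheral from being used as a pivot.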
Common Mistakes
“Guest” Wi-Fi that isn’t actually isolated. Some practices create a separate guest SSID but route it onto the same internal network, providing the appearance of separation without the substance. Naming a network “Guest” does nothing if it can still reach the EHR.
No rules between segments. Creating VLANs but allowing them to communicate freely defeats the purpose. Segmentation is only as strong as the firewall rules that govern traffic between segments.
Forgetting the wireless side. Wired segmentation is sometimes done carefully while the wireless network remains flat. Both have to be segmented consistently.
Set-and-forget. New devices get added over time — a new camera, a new piece of equipment, a new smart display. Without a process to place each new device on the correct segment, the network slowly flattens again.
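Each of the four mistakes above can be caught by reviewing the design rather than by probing the network. The following added example (not from the original article) audits a constructed configuration export for all four: a guest SSID bridged into the clinical VLAN, VLAN pairs that route without a default-deny rule, SSIDs of different trust sharing one VLAN, and inventoried devices that were never placed or were placed on the wrong segment. The dict layout is an assumed format, not any vendor's, and every value in it is constructed to trigger a finding.

```python
"""Audit a segmentation design for the common mistakes described above (added example)."""
from itertools import permutations

# Constructed configuration export (assumed layout); deliberately contains every mistake.
CONFIG = {
    # VLAN id -> trust role, mirroring the five segments from the article
    "vlans": {10: "clinical", 20: "guest", 30: "iot", 40: "devices", 50: "medical"},
    # wireless networks: which VLAN each SSID bridges into, and who it is meant for
    "ssids": {
        "Clinic-Staff": {"vlan": 10, "trust": "clinical"},
        "Clinic-Guest": {"vlan": 10, "trust": "guest"},  # named "Guest", lands on the clinical VLAN
        "Clinic-IoT":   {"vlan": 30, "trust": "iot"},
    },
    "inter_vlan_routing": True,
    # ordered (src, dst) VLAN pairs that actually have a default-deny ACL configured
    "default_deny_pairs": {(20, 10), (30, 10), (50, 10)},
    # device inventory with the VLAN each device is actually on
    "inventory": [
        {"name": "ehr-srv-01",   "role": "clinical", "vlan": 10},
        {"name": "lobby-cam-02", "role": "iot",      "vlan": 10},    # added later, wrong segment
        {"name": "new-smart-tv", "role": "iot",      "vlan": None},  # added later, never placed
    ],
}


def audit(cfg):
    """Return a list of (code, message) findings; an empty list means no mistake was detected."""
    findings = []
    vlans = cfg["vlans"]

    # Mistake 1: a "guest" SSID that is not on the guest segment
    for name, s in cfg["ssids"].items():
        if s["trust"] == "guest" and vlans.get(s["vlan"]) != "guest":
            findings.append(("GUEST_NOT_ISOLATED",
                             f"SSID {name} bridges into VLAN {s['vlan']} ({vlans.get(s['vlan'])})"))

    # Mistake 2: VLANs exist but traffic between them is not governed by a default-deny rule
    if cfg["inter_vlan_routing"]:
        open_pairs = [p for p in permutations(vlans, 2) if p not in cfg["default_deny_pairs"]]
        if open_pairs:
            findings.append(("NO_INTER_VLAN_RULES",
                             f"{len(open_pairs)} VLAN pairs route freely, e.g. {open_pairs[0]}"))

    # Mistake 3: wired segments exist but the wireless side collapses them back together
    trust_by_vlan = {}
    for s in cfg["ssids"].values():
        trust_by_vlan.setdefault(s["vlan"], set()).add(s["trust"])
    for vlan, trusts in trust_by_vlan.items():
        if len(trusts) > 1:
            findings.append(("WIRELESS_FLAT",
                             f"VLAN {vlan} carries SSIDs of mixed trust: {sorted(trusts)}"))

    # Mistake 4: devices added over time without being placed on the right segment
    for dev in cfg["inventory"]:
        if dev["vlan"] is None:
            findings.append(("DEVICE_UNPLACED", f"{dev['name']} has no segment assigned"))
        elif vlans.get(dev["vlan"]) != dev["role"]:
            findings.append(("DEVICE_MISPLACED",
                             f"{dev['name']} ({dev['role']}) sits on VLAN {dev['vlan']} ({vlans[dev['vlan']]})"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(CONFIG):
        print(f"{code:20} {msg}")
```

Run it against a real export (after mapping the vendor's fields onto this layout) as part of the process for adding any new device or SSID; the point is that the network only stays segmented if the check is repeated every time something is plugged in.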
The Byzantine Takeaway
A flat network treats a patient’s phone and your EHR server as equals. Segmentation corrects that by grouping devices according to how much you trust them and controlling the traffic between groups. The single most important boundary is between guest Wi-Fi and the clinical network — guest access should provide the internet and nothing else. From there, give IoT devices, printers, and unpatched medical equipment their own restricted lanes so that a compromise in one area cannot spread to the systems that hold ePHI. It is one of the highest-impact architecture decisions a practice can make, and it aligns directly with where HIPAA expectations are heading.