There’s a question we ask healthcare IT leaders that almost always lands in silence: when was the last time your HIPAA auditor looked at your infusion pumps, your imaging carts, or your patient monitors — not just your EHR?
The answer, usually, is never. And that’s the problem.
How this shows up in real practices
A 90-person clinic we walked through earlier this year had a clean HIPAA posture on paper. Encrypted EHR. MFA on clinician logins. Documented access controls. A SOC 2 vendor for their hosted records system. Their last assessment came back fine.
Then we mapped their network.
The EHR servers sat on the same flat VLAN as 40-plus connected medical devices — infusion pumps running an unsupported embedded OS, two ultrasound carts that hadn’t been patched since 2021, a vitals monitor still using default vendor credentials, and a networked printer in the break room that anyone with a guest Wi-Fi password could reach.
The auditor had checked the EHR. The auditor had not checked anything else on the wire with it.
This is the gap. And it’s almost universal.
What’s actually happening
Connected medical devices — infusion pumps, imaging systems, patient monitors, lab analyzers, even networked thermometers — are now everywhere in clinical environments. The FDA estimates a typical hospital bed has 10 to 15 connected devices supporting it. Smaller practices have fewer, but the ratio of devices-to-staff is often higher, not lower.
Most of these devices were not designed with modern security in mind. According to the FDA’s October 2023 cybersecurity guidance for medical devices, a significant portion of the installed base runs legacy operating systems that cannot be patched, uses hard-coded credentials, or transmits patient data without encryption. The FDA now requires cybersecurity documentation for new device submissions — but that does nothing for the equipment already deployed.
Meanwhile, the HHS Office for Civil Rights’ 2024 breach reporting confirms that healthcare remains the most-targeted sector, with hacking and IT incidents accounting for the majority of large breaches. The HHS 405(d) program’s Health Industry Cybersecurity Practices specifically calls out medical device security and network segmentation as core practices that most small and mid-sized organizations have not implemented.
The pattern is consistent. The EHR gets attention because it’s the system everyone knows is regulated. The devices on the same network get ignored because no one’s asking about them — until something goes wrong.
Why this matters for healthcare leaders
Here’s the uncomfortable part. From an attacker’s standpoint, the infusion pump and the EHR are on the same network. If the pump is compromised — through an unpatched vulnerability, a default credential, or a phishing click on a workstation that can reach it — the attacker is now inside the same broadcast domain as the patient records.
Network segmentation isn’t a nice-to-have. It’s the difference between a contained incident and a reportable breach.
And the regulatory exposure is real. HIPAA’s Security Rule requires technical safeguards that include access controls and transmission security across all systems handling ePHI — not just the EHR. If a connected device touches patient data, or sits on a network with systems that do, it’s in scope. OCR has been increasingly explicit about this in recent enforcement actions.
Most practices we see fail in one of three ways. First, they have no inventory of connected medical devices — they can’t tell you what’s on their network. Second, even when they have inventory, they have no segmentation — devices, workstations, servers, and guest traffic share the same VLAN. Third, they have no monitoring — if a device starts behaving strangely, no one would know.
All three failures are addressable. None of them are addressable in the middle of a breach.
What to do now
The path forward isn’t complicated, but it does require someone owning it. Three steps, in order:
- Inventory every connected device on your network. Not just the EHR and the workstations. The pumps, the carts, the monitors, the printers, the thermostats, the badge readers. If it has an IP address, it’s on the list.
- Segment your network. Clinical devices on one VLAN. EHR and clinical systems on another. Administrative workstations on a third. Guest Wi-Fi completely isolated. Firewall rules between segments, not just at the perimeter.
- Monitor what’s actually talking to what. You need visibility into east-west traffic, not just internet-bound traffic. When the imaging cart starts trying to reach the file server at 2 AM, someone needs to see that.
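The three steps above, worked as one small check: a segmentation plan, the inter-segment firewall policy, and an audit of east-west flow records against it. This is an added example, not centrexIT's code or tooling; the subnets, ports and flow records are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed segmentation plan (assumption): one subnet per VLAN, mirroring the article's layout.
SEGMENTS = {
    "clinical_devices": ip_network("10.10.20.0/24"),    # pumps, carts, monitors
    "clinical_systems": ip_network("10.10.30.0/24"),    # EHR, PACS, file server
    "admin_workstations": ip_network("10.10.40.0/24"),
    "guest_wifi": ip_network("192.168.100.0/24"),
}

# Inter-segment firewall policy: (src_segment, dst_segment) -> allowed destination ports.
# Anything not listed is denied, so every other cross-segment flow is a finding.
POLICY = {
    ("clinical_devices", "clinical_systems"): {104, 2575},  # DICOM and HL7 to PACS/EHR
    ("admin_workstations", "clinical_systems"): {443},      # EHR web front end
}

def segment_of(ip):
    """Map an address to its planned segment; None means it is not in the inventory plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_flows(flow_lines):
    """Return (kind, record) findings for each flow that breaks the segmentation plan."""
    findings = []
    for line in flow_lines:
        _ts, src, dst, port = line.split(",")
        port = int(port)
        s_seg, d_seg = segment_of(src), segment_of(dst)
        if s_seg is None or d_seg is None:
            findings.append(("unknown_device", line))       # step 1 gap: not inventoried
        elif s_seg != d_seg and port not in POLICY.get((s_seg, d_seg), set()):
            findings.append(("cross_segment_denied", line))  # step 2 rule would block this
    return findings

# Constructed flow records: timestamp,src,dst,dst_port (simplified NetFlow-style export).
SAMPLE_FLOWS = [
    "2024-05-02T14:03:11,10.10.20.15,10.10.30.5,104",     # ultrasound cart -> PACS: allowed
    "2024-05-02T02:07:44,10.10.20.15,10.10.30.9,445",     # imaging cart -> file server, 2 AM, SMB
    "2024-05-02T02:08:01,192.168.100.23,10.10.30.5,443",  # guest Wi-Fi -> EHR: no rule exists
    "2024-05-02T09:15:00,10.10.99.7,10.10.30.5,22",       # address in no planned segment
    "2024-05-02T09:20:30,10.10.40.12,10.10.30.5,443",     # admin workstation -> EHR: allowed
]

if __name__ == "__main__":
    for kind, record in audit_flows(SAMPLE_FLOWS):
        print(kind, record)
```

Running it over a real flow export is the step-3 visibility the article describes: the output is the list of devices missing from inventory and the east-west conversations your segment firewall rules should already be blocking.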
If you’re a healthcare leader reading this and you’re not sure whether your last HIPAA assessment looked at anything beyond the EHR, the answer is almost certainly no. That’s not a criticism of your assessor — most assessments are scoped tightly. It’s a gap you need to close on your own.
centrexIT has been the IT team healthcare organizations across the West have trusted since 2002. If you’re not sure what’s actually on your network or how segmented it is, that uncertainty is the answer. Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/
Sources
- FDA cybersecurity in medical devices guidance and the prevalence of connected devices in clinical settings: U.S. Food and Drug Administration, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (2023), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
- Healthcare as the most-targeted sector and breach composition: U.S. Department of Health and Human Services Office for Civil Rights, “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information” (2024), https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- Medical device security and segmentation as core practices: HHS 405(d) Program, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (2023), https://405d.hhs.gov/Documents/HICP-Main-508.pdf
The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.