Network Segmentation for Senior Living: Why Clinical Systems, Resident Wi-Fi, and Building Controls Should Never Share One Flat Network
Many assisted living and memory care communities run every networked system on the same shared infrastructure. The electronic health record (EHR) workstation at the nurses' station, the staff smartphone connecting to scheduling software, the resident Wi-Fi in the common room, the Internet of Things (IoT) nurse call panels on every corridor, the Internet Protocol (IP) cameras at each entrance, the door access controllers, and the building HVAC system all share the same network path. That configuration is called a flat network. It is the default outcome when a community's network has grown device by device without a deliberate design. It is also one of the most consistent findings in senior living cybersecurity assessments. This article explains network segmentation, why the flat network model creates specific risks for clinical and building control environments, and how isolating these systems limits the damage of a breach. For the broader cybersecurity picture, start with What Cybersecurity Does a Senior Living Community Need?
What Is a Flat Network and Why Is It a Problem for Senior Living?
A flat network is a network where all connected devices share the same logical path with no enforced barriers between them. A device that is connected to the network can, by default, attempt to communicate with any other device on that same network. In a home or small office, that is usually acceptable. In a senior living community with clinical workstations, resident guests, unmanaged IoT systems, and building safety equipment on the same infrastructure, it is not.
The core risk is lateral movement. When an attacker, a piece of ransomware, or a compromised device gains a foothold on one point of a flat network, it can scan for and attempt to reach every other connected device without crossing any additional barrier. A resident's guest device that downloads malware can probe clinical workstations on the same segment. A poorly secured IP camera can attempt connections to the door access controller. There is no architectural boundary to stop that movement.
The HIPAA exposure is direct. The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards that control access to electronic Protected Health Information (ePHI). A flat network that places clinical systems on the same segment as resident guest devices and unmanaged building controls makes it structurally difficult to enforce those controls at the network boundary.
What Are the Four Network Segments Every Senior Living Community Should Have?
A properly segmented network separates devices into isolated segments based on function and trust level. Firewall rules and access control lists govern what traffic can pass between segments. Four segments appear in every well-designed senior living network.
Clinical and administrative segment. This segment carries EHR workstations, clinical applications, staff computers that access resident records, and any device that regularly touches ePHI. Access to this segment is restricted to authenticated, managed staff devices. It does not accept inbound connections from the resident Wi-Fi segment, the staff device segment, or the building control segment.
Staff device segment. Staff smartphones, tablets used for scheduling or communication, and personal devices brought to work sit here. This segment receives Internet access and access to communication tools but does not have a direct path to clinical workstations or the building control network. Separating staff personal devices from clinical systems limits the exposure created by a phishing attack that lands on a personal phone.
Resident and guest Wi-Fi segment. Residents and their families need Internet access. Visitors need connectivity for personal devices. This segment provides that access in complete isolation from clinical systems, staff devices, and building controls. A resident guest device on this segment can reach the Internet and nothing else inside the facility's operational network.
Building controls and IoT segment. Nurse call systems, IP cameras, door access controllers, HVAC controls, and similar life safety systems live here. These devices frequently run embedded firmware that cannot be patched on a regular schedule. Isolating them limits what an attacker can reach if any one of these systems is compromised. For the specific risks associated with nurse call systems, see Are Nurse Call Systems the Next Cyberattack Target in Senior Living? For IP camera risk, see How Are IP Camera Botnets Targeting Senior Living Communities?
How Does a Flat Network Amplify the Damage of a Breach?
Cybersecurity professionals use the term blast radius to describe how far an attack can spread from its initial entry point. On a flat network, the blast radius is the entire network. On a segmented network, the blast radius is limited to the segment where the breach began, provided the firewall rules between segments are properly enforced.
Consider a ransomware scenario that enters through a phishing email opened on a staff smartphone. On a flat network, the ransomware can immediately begin scanning for clinical workstations, shared file servers, backup systems, and any other reachable device. On a segmented network where the staff device segment is logically separated from the clinical segment, the ransomware encounters a firewall boundary. Clinical systems and resident records have an architectural barrier between them and the compromised device.
The NIST Cybersecurity Framework 2.0 identifies limiting the blast radius of incidents as a core outcome of the Protect function. Network segmentation is one of the foundational controls that operationalizes that outcome in an on-premises facility environment.
Why Are Building Controls and IoT Devices a Unique Threat on a Shared Network?
Building and life safety systems introduce a risk category that many operators do not initially consider when thinking about cybersecurity. These devices share a common profile that makes them poorly suited for a shared network.
- Embedded firmware with limited update cycles. Nurse call panels, camera systems, and door controllers often run proprietary firmware with narrow or infrequent update mechanisms. Known vulnerabilities in these systems can persist for years.
- Weak or absent default authentication. Many IoT devices ship with shared default credentials or no network-layer authentication. They were designed to operate on an isolated, purpose-built network. Placing them on a shared network exposes those weaknesses to any other device on that segment.
- Physical safety implications beyond data. A compromised door access controller or nurse call system is not only a data compliance problem. It is a resident safety problem. Network segmentation limits the paths an attacker would need to traverse to reach these systems from an Internet-facing breach point.
- Insurer and regulator scrutiny. Cyber insurers increasingly ask whether clinical and IoT devices are on separate network segments. The answer affects both eligibility and premium. For the full HIPAA compliance picture these systems connect to, see What Does HIPAA Compliance Actually Require for a Senior Living Community?
What Does Network Segmentation Actually Look Like in a Senior Living Community?
Network segmentation is implemented using virtual local area networks (VLANs). A VLAN is a logical partition created and enforced in a managed network switch. Devices assigned to one VLAN cannot communicate with devices on another VLAN unless a firewall rule explicitly permits that specific type of traffic. The physical wiring stays the same. The logical separation is enforced through switch and firewall configuration.
A segmented network in a 50-bed assisted living community might look like this:
- VLAN 10 (Clinical): EHR workstations, clinical printers, medication carts. Firewall permits outbound connections to the EHR vendor's hosted environment and clinical application servers, and blocks everything else.
- VLAN 20 (Staff): Staff smartphones and personal tablets. Firewall permits Internet access and productivity tools. No path to VLAN 10 or VLAN 40.
- VLAN 30 (Resident/Guest): Resident and visitor devices. Firewall permits Internet access only. No inbound or outbound access to any internal VLAN.
- VLAN 40 (Building/IoT): Nurse call, IP cameras, access control, HVAC. Firewall permits outbound management traffic to the facility's monitoring platform. No inbound connections permitted from any other VLAN.
This configuration requires enterprise-grade managed switches and wireless access points capable of tagging traffic to the correct VLAN. Consumer-grade equipment, including most low-cost Wi-Fi routers and unmanaged switches commonly found in smaller communities, does not support this capability. That hardware distinction matters when assessing whether an existing network can be segmented through configuration or requires equipment replacement as part of the project.
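The four-VLAN policy above and the blast radius comparison from the ransomware scenario earlier can be checked before anything is typed into a firewall. The following Python model is an added example written for this article, not a configuration from the author, any vendor, or any facility: the /24 subnets, the two external destinations (a stand-in for the EHR vendor's hosted environment and for the monitoring platform, both drawn from documentation address ranges), and the sample flows are constructed assumptions. It encodes the rules as a first-match allow list with default deny, answers "is this flow permitted?" for a source and destination address, and computes the set of zones a compromised host can reach under the segmented policy versus a flat network.

```python
"""Model of the four-VLAN policy with a blast-radius check.
Example code for illustration only; subnets, external destinations and
sample flows are constructed assumptions, not a real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnet plan (assumption): one /24 per VLAN.
VLANS = {
    "clinical": ip_network("10.10.0.0/24"),  # VLAN 10
    "staff": ip_network("10.20.0.0/24"),     # VLAN 20
    "guest": ip_network("10.30.0.0/24"),     # VLAN 30
    "iot": ip_network("10.40.0.0/24"),       # VLAN 40
}
# Constructed external destinations (TEST-NET ranges); anything else outside the VLANs is "internet".
EXTERNAL = {
    "ehr-vendor": ip_network("203.0.113.0/24"),  # stands in for the EHR vendor's hosted environment
    "monitoring": ip_network("198.51.100.0/24"), # stands in for the facility's monitoring platform
}


def zone_of(addr: str) -> str:
    """Map an address to the VLAN or external zone it belongs to."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    for name, net in EXTERNAL.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "allow" or "deny"


# First-match rule list, default deny. Mirrors the policy in the article:
# clinical -> EHR vendor only; staff and guest -> Internet only; IoT -> monitoring only.
RULES = [
    Rule("clinical", "ehr-vendor", "allow"),
    Rule("staff", "internet", "allow"),
    Rule("guest", "internet", "allow"),
    Rule("iot", "monitoring", "allow"),
]


def is_permitted(src_ip: str, dst_ip: str) -> bool:
    """True if the firewall policy lets src_ip open a connection to dst_ip."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src in VLANS:
        # Same VLAN: traffic never crosses the firewall, so segmentation does not apply.
        return True
    for rule in RULES:
        if rule.src == src and rule.dst == dst:
            return rule.action == "allow"
    return False  # default deny


def reachable_zones(src_ip: str, segmented: bool = True) -> set[str]:
    """Blast radius: zones a host at src_ip can reach.
    segmented=False models the flat network, where every zone is one hop away."""
    if not segmented:
        return set(VLANS) | set(EXTERNAL) | {"internet"}
    src = zone_of(src_ip)
    reachable = {src}
    for rule in RULES:
        if rule.src == src and rule.action == "allow":
            reachable.add(rule.dst)
    return reachable


if __name__ == "__main__":
    # Constructed sample flows: (description, source, destination)
    flows = [
        ("guest laptop -> EHR workstation", "10.30.0.25", "10.10.0.5"),
        ("EHR workstation -> EHR vendor", "10.10.0.5", "203.0.113.10"),
        ("EHR workstation -> arbitrary Internet host", "10.10.0.5", "8.8.8.8"),
        ("staff phone -> Internet", "10.20.0.7", "8.8.8.8"),
        ("staff phone -> nurse call panel", "10.20.0.7", "10.40.0.9"),
        ("IP camera -> door controller (same VLAN)", "10.40.0.9", "10.40.0.12"),
        ("IP camera -> EHR workstation", "10.40.0.9", "10.10.0.5"),
    ]
    for desc, s, d in flows:
        print(f"{'ALLOW' if is_permitted(s, d) else 'DENY ':5} {desc}")
    print("staff phone blast radius, segmented:", sorted(reachable_zones("10.20.0.7")))
    print("staff phone blast radius, flat:     ", sorted(reachable_zones("10.20.0.7", segmented=False)))
```

The camera-to-door-controller flow is the one worth noticing: it is allowed because both devices sit on VLAN 40. Segmentation bounds the blast radius at the segment, so a compromised camera can still reach other building controls, which is exactly why that segment is kept away from everything else.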
How Does Network Segmentation Support HIPAA Compliance?
The HIPAA Security Rule at 45 CFR 164.312 identifies Technical Safeguards as a required category for covered entities and business associates. Access controls at 164.312(a)(1) require that ePHI be accessible only to authorized persons or software programs. Audit controls at 164.312(b) require hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI. Transmission security at 164.312(e)(1) requires that ePHI transmitted over an electronic communications network be protected against unauthorized access.
A flat network makes all three of these requirements harder to satisfy. When clinical workstations share a segment with guest devices and unmanaged IoT systems, enforcing access controls requires compensating controls at every individual device rather than at the network boundary. Audit logs that cannot be isolated to the clinical segment are harder to interpret and harder to defend during an Office for Civil Rights (OCR) investigation.
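One practical payoff of the segment boundary is that the firewall in front of the clinical VLAN produces a log of every denied cross-segment attempt, which is far easier to examine than host-level logs scattered across a flat network. The script below is an added example for this article, not code from the author or from any firewall product. It assumes a zone-aware firewall that writes key=value lines naming the source and destination zones; the log format and every line in SAMPLE_LOG are constructed. It parses the lines, collects the distinct host/port targets each outside source was denied against the clinical zone, and flags sources whose denied attempts span several targets, the pattern a scan from the guest or IoT segment would leave.

```python
"""Triage of firewall deny logs at the clinical-segment boundary.
Example code for illustration; the key=value log format and the entries
in SAMPLE_LOG are constructed, not output from any particular firewall."""
import re
from collections import defaultdict

# Constructed sample log: one guest device probing two clinical hosts on SMB/RDP,
# one IoT camera trying SSH into a clinical host, and ordinary permitted traffic.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z fw action=deny src=10.30.0.25 src_zone=guest dst=10.10.0.5 dst_zone=clinical dport=445 proto=tcp
2024-05-01T02:14:08Z fw action=deny src=10.30.0.25 src_zone=guest dst=10.10.0.5 dst_zone=clinical dport=3389 proto=tcp
2024-05-01T02:14:09Z fw action=deny src=10.30.0.25 src_zone=guest dst=10.10.0.6 dst_zone=clinical dport=445 proto=tcp
2024-05-01T02:15:00Z fw action=allow src=10.30.0.40 src_zone=guest dst=93.184.216.34 dst_zone=internet dport=443 proto=tcp
2024-05-01T02:16:30Z fw action=deny src=10.40.0.9 src_zone=iot dst=10.10.0.5 dst_zone=clinical dport=22 proto=tcp
2024-05-01T02:16:31Z fw action=allow src=10.40.0.9 src_zone=iot dst=198.51.100.5 dst_zone=monitoring dport=443 proto=tcp
2024-05-01T02:17:02Z fw action=allow src=10.10.0.5 src_zone=clinical dst=203.0.113.10 dst_zone=ehr-vendor dport=443 proto=tcp
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; the leading timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    record = {"ts": ts}
    record.update(KV.findall(rest))  # tokens without '=' (like the 'fw' tag) are ignored
    return record


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_into(records: list, zone: str = "clinical") -> dict:
    """Distinct (dst, dport) targets each outside source was denied against `zone`."""
    targets = defaultdict(set)
    for r in records:
        if (r.get("action") == "deny"
                and r.get("dst_zone") == zone
                and r.get("src_zone") != zone):
            targets[r["src"]].add((r["dst"], int(r["dport"])))
    return dict(targets)


def probing_sources(records: list, zone: str = "clinical", min_targets: int = 2) -> list:
    """Sources whose denied attempts hit at least min_targets distinct host/port pairs.
    A single deny is usually noise; several against the clinical boundary looks like a scan."""
    return sorted(src for src, hits in denied_into(records, zone).items()
                  if len(hits) >= min_targets)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, hits in denied_into(recs).items():
        print(f"{src}: {len(hits)} distinct clinical targets denied")
    print("sources to investigate:", probing_sources(recs))
```

The threshold is deliberately low for a clinical boundary: nothing on the guest or IoT segments has a legitimate reason to open connections into VLAN 10, so even a small number of denied attempts from one source is worth a look, and the firewall log gives an auditor a single place to see it.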
Network segmentation is not the only control required to satisfy HIPAA Technical Safeguards. It is, however, one of the most foundational. It creates an architectural boundary that supports every access control, audit logging mechanism, and transmission security control built on top of it. Operators who want to understand the full scope of their HIPAA obligations can read What Does HIPAA Compliance Actually Require for a Senior Living Community? and What Cybersecurity Does a Senior Living Community Actually Need?
Frequently Asked Questions
What is the difference between a flat network and a segmented network?
A flat network places all devices on the same logical path with no barriers between them. A segmented network uses virtual local area networks (VLANs) and firewall rules to isolate groups of devices so that a compromised device on one segment cannot reach devices on another. In a senior living community, that means a breach on the resident guest Wi-Fi cannot pivot directly into clinical systems or building controls.
Is network segmentation required under HIPAA?
HIPAA does not mandate a specific network architecture by name, but the HIPAA Security Rule's Technical Safeguards at 45 CFR 164.312 require covered entities and business associates to implement technical controls that limit access to electronic Protected Health Information (ePHI) to authorized users and systems. Network segmentation is one of the most practical mechanisms for satisfying those access control requirements.
How much does network segmentation cost for a single assisted living community?
Cost depends on the existing hardware, the number of segments required, and whether any cabling changes are needed. Communities that already have enterprise-grade managed switches and wireless access points can often be segmented primarily through configuration. Communities running consumer-grade equipment typically require hardware replacement as part of the project. A network assessment establishes which path applies before any budget is committed.
Network segmentation is not a complex concept, but it does require hardware that supports it and configuration that is maintained over time. The starting point is understanding what is currently on your network and where those devices are placed. A straightforward assessment answers both questions and produces a clear picture of the gap between your current architecture and a properly segmented one.
Is your community on a flat network?
Tech for Senior Living designs and deploys segmented, enterprise-grade networks that isolate clinical systems, staff, resident Wi-Fi, and building controls. Request a network assessment.