Networking basics
IT & Securityarticle · 7 min · updated Jul 17, 2026

Networking basics

By Rajendra Sharma, RN, CPC, CPBReviewed by Rajendra Sharma, RN, CPC, CPB · Jul 17, 2026

Enough network to reason about a health system: what the layers are, why segmentation matters more here than anywhere, and the infusion pump on the same VLAN as the reception PC.

TCP/IPTLS

In one line

You don't need to be a network engineer. You need enough to reason about where data goes, who can reach what, and why the infusion pump should not be able to talk to the internet.

The stack, briefly

  • Link — the cable, the wifi. MAC addresses.
  • Network (IP) — addressing and routing. Getting a packet across the world.
  • Transport (TCP/UDP) — TCP guarantees order and delivery; UDP doesn't and is faster.
  • Application — HTTP, HL7 v2 over MLLP, DICOM.

Two useful facts. DNS turns a name into an address, and DNS failures look like everything being broken — it's the first thing to check. And TLS sits between transport and application, which is why it protects the payload without the application caring.

Health-specific: **HL7 v2 traditionally runs over MLLP**, raw TCP on a port, frequently unencrypted, because it was designed for a private hospital network in an era when "inside the network" meant safe. That assumption is dead and the protocol isn't.

Segmentation — the thing health gets wrong

Here is the practical heart of health networking.

A hospital network contains: clinical workstations, the EHR, an MRI scanner, infusion pumps, patient monitors, the guest wifi, building management, CCTV, and a 2009 Windows box running something nobody will let you turn off.

Put them on one flat network and the guest wifi can reach the infusion pump. That sentence should be alarming, and it describes a great many real hospitals.

Segmentation puts them in separate zones with controlled crossings — VLANs, firewall rules, gateways. The principle is simple: why would the reception PC ever need to talk to a ventilator? It doesn't. So don't let it.

This matters more in health than elsewhere for one reason: you cannot patch the devices.

Why medical devices can't be patched

The uncomfortable reality that shapes everything:

  • The device is regulatory-certified as a configuration. Patching the OS can invalidate the certification. The vendor must re-validate, and may not.
  • It runs an OS that reached end-of-life years ago, and it works, and it costs a crore to replace.
  • It has an uptime requirement — it's attached to a patient.
  • The vendor went out of business in 2016.

So you have permanently vulnerable devices you cannot fix and must not remove. Segmentation is the compensating control — you cannot make the pump secure, so you make it unreachable. That's the same reasoning NIST applies to operational technology generally, and hospitals are the hardest OT environment there is, because the OT is attached to people.

What to know practically

  • Firewalls filter by address and port; default deny, allow what's needed.
  • VPN / mTLS for crossing an untrusted network — including a vendor's remote support link, which is a hole in your perimeter someone else controls.
  • NAT is not a security control, though it's been mistaken for one for thirty years.
  • Zero trust is the modern correction: stop treating "inside the network" as trusted, because the flat hospital network proved that assumption fatal.
  • Wifi in a hospital is a clinical dependency. A dead spot in a bay means a nurse can't scan a wristband, and she will work around it. Coverage is a patient-safety issue that everyone treats as an IT one.

The one-line version

Assume the network is hostile, encrypt everything in transit, and segment ruthlessly — not because you're paranoid, but because you have devices you cannot patch, cannot replace, and cannot switch off.

References

  1. IETF — RFC 1122: Requirements for Internet Hosts
  2. NIST — Guide to Operational Technology (OT) Security (SP 800-82r3)
  3. US FDA — Cybersecurity in Medical Devices

Related entries