Cloud & Infrastructure December 2025 10 min read

Network Infrastructure for Hospitals: Designing for Reliability and Security

Hospital networks must support life-critical clinical workflows with high availability and strong security. Here is how to design and operate infrastructure that delivers both.

A hospital's network infrastructure is among the most complex and demanding in any sector. It must simultaneously support real-time clinical workflows that are safety-critical — medication dispensing, patient monitoring, diagnostic imaging — and administrative functions such as financial systems, email, and visitor internet access. It must connect a heterogeneous population of devices, from high-performance radiology workstations to battery-powered portable monitors and building management systems. And it must do all of this with the reliability and security that patient care demands.

Designing hospital network infrastructure that meets these requirements requires systematic attention to physical design, logical segmentation, redundancy, security, and operational management.

Hospital Network Requirements

Clinical networks have distinctly different requirements from commercial enterprise networks:

High availability. Network downtime in a clinical environment is not a business inconvenience — it can prevent clinicians from accessing medication records, diagnostic results, or patient identification information. Core clinical network components must be designed for continuous availability, with redundancy at every layer.

Low latency for imaging. PACS workstations require sub-second display times for large diagnostic studies. CT and MRI datasets can be hundreds of megabytes per study. The network path between PACS storage and reading workstations must provide sufficient bandwidth and low latency to support radiologist workflow. A study that takes 10 seconds to load is clinically unacceptable.

Device diversity. Hospital networks must support standard computers and servers alongside networked medical devices, building management systems, physical security systems, IP telephony, and increasingly, IoT sensors. Each device category has different security, connectivity, and QoS requirements.

Regulatory and security obligations. Network design must support HIPAA compliance — including network segmentation that limits access to ePHI — and provide the visibility and controls needed to detect and contain security incidents.

Network Segmentation

Segmentation is both a security control and a clinical operational requirement. Mixing all devices on a flat network creates security risk (a compromised device can reach any other) and operational risk (broadcast storms or device malfunctions can affect all connected systems).

Core Segments

Clinical segment. Contains EHR servers, clinical workstations, nurse call systems, and other systems involved in direct patient care. Access from other segments is strictly controlled. Clinician authentication is enforced at the application layer.

Medical device segment. A separate, isolated segment for networked medical devices — infusion pumps, patient monitors, ventilators, and similar IoMT devices. Traffic from this segment to clinical systems is permitted only on a whitelist basis (specific device types communicating with specific destination systems on specific ports). Outbound internet access from this segment is blocked.

Administrative segment. Contains financial systems, HR systems, email infrastructure, and general office computing. Isolated from clinical and medical device segments.

Imaging segment. Due to the large data volumes and low latency requirements of PACS workflows, imaging infrastructure — PACS servers, modality interfaces, and radiology workstations — often benefits from a dedicated high-bandwidth segment with QoS policies prioritising imaging traffic.

Guest/visitor segment. Completely isolated from clinical and administrative infrastructure. Provides internet access with content filtering, with no access to internal systems.

Management segment. A dedicated out-of-band management network for network devices, servers, and critical infrastructure. Access restricted to IT administrators. Using a separate management network ensures that a breach of the general network does not automatically provide access to network device management interfaces.

Implementation Approach

VLANs (Virtual Local Area Networks) are the standard mechanism for implementing logical segmentation on switched networks. Each segment is assigned one or more VLANs, and inter-VLAN routing is performed through firewalls rather than routers, enabling policy-based traffic control between segments.

Software-defined networking (SDN) and network access control (NAC) systems can dynamically assign devices to appropriate VLANs based on device type, authentication, and compliance status — important in environments where devices move between locations.

Wireless Network Design for Clinical Environments

Wireless networking is essential in modern hospitals — clinical staff carry mobile devices, portable equipment uses wireless connectivity, and fixed cabling is impractical in many clinical spaces. Clinical wireless has requirements beyond typical enterprise Wi-Fi.

Coverage and density. Clinical areas require seamless coverage without dead zones. Emergency departments, operating theatres, and critical care units have high device density requiring careful access point placement and channel planning.

Seamless roaming. Clinical staff moving through the hospital with wireless devices must experience seamless handoff between access points without dropped connections or re-authentication delays. IEEE 802.11r (Fast BSS Transition) and 802.11k/v (wireless network management) support smooth roaming.

Separate SSIDs per segment. Clinical devices, medical devices, staff personal devices, and guest devices should be on separate wireless SSIDs, with VLAN assignment ensuring each category of device lands in the appropriate network segment.

Interference management. Wireless medical devices, including telemetry monitors and wireless infusion pump networks, may operate on specific frequency bands. RF survey and interference management are necessary during network design to ensure clinical wireless devices operate reliably alongside enterprise Wi-Fi infrastructure.

Security. Clinical wireless should use WPA3 Enterprise with 802.1X authentication. Per-user, per-session encryption provides individual traffic isolation on the wireless medium.

Redundancy and High Availability

Dual Uplinks and Spanning Tree

Access-layer switches should have dual uplinks to the distribution and core layers. Spanning Tree Protocol (STP) — specifically Rapid PVST+ or Multiple Spanning Tree Protocol (MSTP) — manages loop prevention while enabling fast convergence when an uplink fails. For critical paths, equal-cost multipath (ECMP) routing or link aggregation (LACP) can provide active-active dual uplinks rather than active-standby.

Network Device Redundancy

Core and distribution layer switches should be deployed in redundant pairs, using stacking, Virtual Switching Systems (VSS on Cisco), or similar technologies that present redundant hardware as a single logical device. This provides hardware fault tolerance without requiring spanning tree convergence on failure.

Firewall Redundancy

Firewalls in clinical environments should be deployed in high-availability pairs with stateful failover. A firewall failure should not interrupt established clinical sessions. Failover should be automatic and sub-second.

WAN and Internet Redundancy

Hospital WAN connectivity — connections to cloud services, remote sites, and the internet — should be provided through dual providers using different physical paths. BGP-based failover or SD-WAN can automatically route traffic through the available connection if one fails.

Power over Ethernet for Clinical Devices

Many clinical and network devices — IP phones, wireless access points, nurse call stations, IP cameras, and some medical devices — receive power through Power over Ethernet (PoE). PoE switches must provide sufficient total power budget for all connected devices, with margin for growth.

UPS (uninterruptible power supply) coverage of PoE switches serving clinical areas ensures that network-dependent clinical devices continue operating during brief power interruptions, with generator backup providing longer-duration coverage.

Firewall Placement

Firewalls should be positioned between each network segment to enforce the access control policies that segmentation requires. The core firewall architecture typically places a perimeter firewall at the internet boundary and internal firewalls between clinical, administrative, and medical device segments.

Firewall rules should follow a least-privilege approach — permitting only the specific flows required for clinical operation, and logging all traffic for security monitoring. Overly permissive firewall rules accumulated over years of change requests are one of the most common findings in hospital network security assessments.
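The segmentation policy above (guest fully isolated, no internet egress from the medical device segment, management interfaces reachable only from the management segment, no wildcard permits) can be checked mechanically against an inter-segment rule base. The following audit is an added example, not the page's or any vendor's tooling; the rule format, the sample rule base and the port numbers in it are constructed for illustration.

```python
"""Audit a segment-to-segment firewall rule base against the segmentation policy
described above (guest fully isolated, no internet egress from the medical device
segment, management network reachable only from itself, no wildcard permits).
Added example; the rule format and sample rules are constructed, not a vendor's."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # source segment, or "any"
    dst: str     # destination segment ("internet" for egress), or "any"
    port: str    # destination TCP/UDP port, or "any"
    action: str  # "permit" or "deny"

def evaluate(rules, src, dst, port):
    """First-match evaluation with an implicit deny, as on most firewalls."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action
    return "deny"

def audit(rules):
    """Return (rule, reason) pairs for every permit that breaks the policy."""
    findings = []
    for r in (r for r in rules if r.action == "permit"):
        if "any" in (r.src, r.dst, r.port):
            findings.append((r, "wildcard permit: tighten to specific flows"))
        if r.src == "guest" and r.dst != "internet":
            findings.append((r, "guest segment reaches internal systems"))
        if r.src == "meddev" and r.dst in ("internet", "any"):
            findings.append((r, "outbound internet access from medical device segment"))
        if r.dst == "mgmt" and r.src != "mgmt":
            findings.append((r, "management interfaces reachable from another segment"))
    return findings

# Constructed sample rule base; ports are assumptions (DICOM 104, HL7 MLLP 2575).
RULES = [
    Rule("meddev", "clinical", "2575", "permit"),   # monitors -> EHR interface engine
    Rule("imaging", "clinical", "104", "permit"),   # PACS -> clinical DICOM viewers
    Rule("guest", "internet", "443", "permit"),
    Rule("admin", "clinical", "any", "permit"),     # stale change request, over-broad
    Rule("meddev", "any", "53", "permit"),          # DNS to "any" leaks to the internet
    Rule("any", "mgmt", "22", "permit"),            # SSH to management from anywhere
    Rule("any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule.src:>8} -> {rule.dst:<8} port {rule.port:<5} {reason}")
```

Running the audit over a real rule base export (after mapping addresses to segments) surfaces the accumulated over-broad permits the assessment finding refers to, and `evaluate` shows which concrete flows they let through.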

Bandwidth Planning for PACS and Video

PACS imaging imposes the most demanding bandwidth requirements on the hospital network. Planning should account for peak concurrent reads — the number of radiologists simultaneously loading large studies during a morning reporting session. A single CT study may be 500 MB to 2 GB; loading times must meet clinical workflow requirements regardless of concurrent demand.
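The peak-concurrent-read planning described above, carried through as a sizing calculation. This is an added example, not the page's own method; the study sizes, reader counts, target load time, overhead factor and utilisation headroom are constructed planning inputs.

```python
"""Size the PACS reading-room link for the peak concurrent reads described above.
Added example, not the page's own method; study sizes, reader count, overhead
and the target load time are constructed planning inputs."""
LINK_TIERS_GBPS = (1, 10, 25, 40, 100)   # standard Ethernet link speeds
PROTOCOL_OVERHEAD = 1.10                 # ~10% for TCP/IP and DICOM framing (assumption)

def required_gbps(study_mb, concurrent_readers, target_seconds, headroom=0.7):
    """Throughput needed so every concurrent reader loads a study within the target.
    headroom caps sustained utilisation at a fraction of link capacity."""
    bits = study_mb * 8e6 * concurrent_readers * PROTOCOL_OVERHEAD
    return bits / target_seconds / headroom / 1e9

def smallest_link(gbps):
    """Smallest standard link tier that satisfies the requirement, or None."""
    return next((t for t in LINK_TIERS_GBPS if t >= gbps), None)

def max_readers(link_gbps, study_mb, target_seconds, headroom=0.7):
    """How many radiologists can load a study concurrently within the target."""
    per_reader_gbps = study_mb * 8e6 * PROTOCOL_OVERHEAD / target_seconds / 1e9
    return int(link_gbps * headroom // per_reader_gbps)

if __name__ == "__main__":
    # Constructed worst case: 2 GB CT studies, 12 readers at once, 5 s target.
    need = required_gbps(2000, 12, 5)
    print(f"need {need:.1f} Gbps -> {smallest_link(need)} Gbps link")
```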

Video conferencing for telemedicine, multidisciplinary team meetings, and remote interpretation services adds significant bandwidth demand. QoS policies should prioritise real-time video traffic to ensure call quality.

Physical Cabling Standards

Structured cabling in hospital environments should be designed to TIA-568 standards. Category 6A cabling supports 10 Gbps to the desktop — appropriate for radiology workstations and clinical applications with high data demands. Fibre optic cabling between floors and buildings provides the bandwidth and distance capabilities needed for campus networks.

Cable management in clinical environments must account for infection control requirements — concealed or sealed conduit and cleanable cable paths in clinical areas. All cabling in clinical areas should be labelled and documented in a cable management system.

FZ Consulting LLP designs and reviews hospital network infrastructure to meet clinical, security, and operational requirements. Contact our team to discuss a network design or assessment engagement.