How a Regional Healthcare Group Eliminated Lateral Movement Across 4 Hospitals and 22 Clinics


A 3/5-stage Clos fabric, Mist-managed microsegmentation, and identity-aware Access Assurance: the Zero Trust architecture that catalysed a measurable shift in clinical-grade security.

 

Industry: Healthcare · MEA
Solution Area: Zero Trust Segmentation
Vendor Partners: Juniper · One Identity

Executive Summary

A regional healthcare group operating four hospitals and twenty-two outpatient clinics across the GCC faced a quietly growing risk: a flat internal network that gave any compromised device a direct path to electronic medical records, imaging systems, and connected medical equipment. By partnering with Mindware to deploy a Juniper-based Zero Trust architecture, anchored by a 3/5-stage Clos fabric, Mist-managed microsegmentation, and Access Assurance, the group moved decisively from a perimeter-centric model to a verified-everywhere posture in seven months. Lateral-movement risk was cut dramatically, and the IT team is now positioned to support clinical innovation rather than firefight network alerts.

 

 

The Challenge

Healthcare is the fastest-growing segment of the MEA AI and cybersecurity market (23.62% CAGR through 2031), and the threat surface has expanded faster than most defences. For this group, the immediate trigger was a third-party assessment that surfaced an uncomfortable reality: once an attacker reached any device on the corporate network, virtually every clinical system was reachable. The legacy architecture had been built for performance, not for assumed-breach containment in a connected-clinical environment.

 

Three operational realities made the existing posture untenable: 

 

  • Flat networks across hospitals and clinics. VLANs separated traffic at the site level, but east-west traffic between sites, the central data centre, imaging archives, and medical IoT devices moved largely unfiltered.

 

  • An expanding medical IoT footprint. Infusion pumps, imaging modalities, patient-monitoring systems, and clinical workstations were sharing network segments with general-purpose endpoints, with no consistent way to identify, classify, or isolate them.

 

  • Tightening regulatory expectations. National healthcare data-protection requirements explicitly called for segmentation, continuous access verification, and tamper-evident audit trails covering every system that touches patient data. These were controls the existing architecture could not demonstrate at scale.

 

 

“We were protecting twenty-first-century clinical operations on a network architecture designed for an earlier era. Compliance was the trigger, but patient safety was the real motivation.” 

 

 

The Solution

Mindware worked alongside the group’s clinical IT, security, and network engineering teams to design and deliver an integrated Zero Trust architecture, anchored by three components from the Mindware portfolio:

 

  • A 3/5-stage Clos fabric across the estate. Each hospital data centre was rebuilt on a 3-stage Clos (leaf-spine) topology using Juniper EX series switches, a non-blocking architecture that delivers predictable east-west performance and the structural foundation for microsegmentation. The two largest sites and the central data centre were extended into a 5-stage Clos with a superspine layer, providing the scale, redundancy, and inter-site bandwidth the group will need for the next five years of growth.

 

  • Microsegmentation managed through Mist. Segmentation policy was authored centrally in the Mist cloud console and enforced at the network layer across every fabric. Clinical systems, medical IoT, administrative endpoints, guest networks, and third-party access were each placed in their own microsegments, with east-west traffic governed by explicit allow-rules, not by default reachability. Mist Wired and Wireless Assurance gave the team a single pane of glass across all twenty-six sites, with Marvis AI surfacing anomalies in plain language.

 

  • Access Assurance as the identity-aware NAC layer. Every device and user across the group is now classified, authenticated, and continuously evaluated against posture. Certificate-based authentication replaced shared credentials. Medical devices were fingerprinted and pinned to their permitted communication patterns. Guest, contractor, and BYOD traffic was isolated by default. One Identity Safeguard closed the privileged-access gap that segmentation alone cannot solve, vaulting administrative credentials for EMR, imaging, and laboratory systems under full session recording.

 

The rollout was sequenced to protect clinical operations: first the central data centre and its Clos fabric, then the flagship hospital, then the remaining hospitals and clinics in waves of three. Total programme duration: seven months, with zero impact to patient-facing services and full clinical-team enablement at every site.

 

 

Why this combination

Juniper’s Mist-managed network and Access Assurance bring switching, wireless, and identity-aware NAC under one cloud-delivered policy plane, a critical simplification for a lean IT team supporting clinical workflows around the clock. The 3/5-stage Clos fabric gave the architecture the structural integrity it needed. One Identity Safeguard closed the privileged-access loop. Together, they form an integrated solution that does exactly what Zero Trust requires: verify explicitly, enforce least privilege, assume breach.

 

The Results

Within twelve weeks of full deployment, the healthcare group could measure what a Zero Trust architecture actually delivers in a connected-clinical environment:

Beyond the metrics, the operational difference is qualitative. The IT team no longer triages thousands of low-signal alerts from disconnected tools. Network and security policy live in one place. Medical IoT devices are no longer invisible and no longer trusted by default; they are identified, isolated, and observed. And the group can demonstrate, to regulators, to its board, and to the patients it serves, a security posture built for the next decade of digital health, not retrofitted from the last.

 

 

Why Mindware

This programme succeeded because the technology was matched to the group’s clinical operating reality: a lean IT team, twenty-four-seven patient care obligations, and a regulator watching closely. Mindware’s role went beyond technology distribution. Working with our channel partners, we co-designed the Clos fabric, sequenced the rollout to protect clinical services, and ran enablement sessions so the group’s engineers could operate the Mist-managed estate independently from day one.

 

That is what catalysing digital transformation looks like in practice: long-term, human-centric partnerships that turn integrated solutions into measurable outcomes, and, in healthcare, into better protection for the patients and clinicians who depend on the network every minute of every day.

Ready to Eliminate Lateral Movement in Your Clinical Network?

Mindware’s security specialists work with healthcare groups across the MEA region to design Zero Trust architectures aligned to regulatory frameworks, clinical workflows, and operational reality. Let’s shape what comes next.

 
