
Firewall Gaps


A simulated penetration test at a healthcare provider exposed unauthorized network paths caused by misconfigured firewalls and outdated rules.

Vulnerability Management

Network Security

Aug 22, 2025

Firewall Gaps in Healthcare Networks

A recent red-team exercise at a healthcare group revealed that their firewalls were technically “in place” but not enforcing the right controls. Legacy rules, broad “allow” policies and missing monitoring created multiple paths into clinical networks that went unnoticed.

Key Findings from the Test

  • Legacy firewall rules still allowed inbound traffic from deprecated IP ranges.

  • Flat network zones meant a single exposed interface reached critical systems.

  • Administrative ports (RDP/SSH/VPN) were reachable from the internet.

  • Logging was enabled but alerts were not tuned, so suspicious activity went unnoticed.

Impact on Clinical Operations

  • Increased risk of ransomware reaching EHR and imaging environments.

  • Higher likelihood of ePHI exfiltration through unmonitored outbound traffic.

  • Difficulty proving to auditors that network segmentation and least privilege are enforced.

What to Fix First

  • Clean up and re-baseline firewall rule sets; remove unused and “any/any” rules.

  • Segment clinical, admin and guest traffic into clearly separated zones.

  • Restrict remote management ports to hardened jump hosts or VPN with MFA.

  • Enable real-time monitoring and playbooks for firewall changes and denied traffic spikes.

Closing these gaps turns the firewall back into a control you can rely on, not just a checkbox in the architecture diagram.
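The rule clean-up and management-port fixes above can be checked mechanically against a rule export. The following is an added example, not part of the original article or any vendor tooling; the CSV column layout, the sample rules and the deprecated range are constructed assumptions, and only RDP and SSH are treated as admin ports because VPN ports vary by product.

```python
import csv
import io
import ipaddress

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_RULES = """id,action,src,dst,port,hits_90d
1,allow,any,any,any,120433
2,allow,0.0.0.0/0,10.20.0.15,3389,57
3,allow,198.51.100.0/24,10.20.0.0/16,443,0
4,allow,10.50.0.10/32,10.20.0.15,22,310
5,allow,192.0.2.0/24,10.30.5.0/24,104,0
6,deny,any,any,any,88214
"""

ADMIN_PORTS = {"22", "3389"}             # SSH and RDP
DEPRECATED_RANGES = ["198.51.100.0/24"]  # placeholder for retired ranges
ANY = {"any", "0.0.0.0/0"}


def in_deprecated(src, deprecated):
    """True when the rule's source sits inside a range marked as retired."""
    if src in ANY:
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(d)) for d in deprecated)


def audit_rules(csv_text, deprecated=DEPRECATED_RANGES):
    """Return {rule_id: [finding tags]} for allow rules that need review."""
    findings = {}
    for rule in csv.DictReader(io.StringIO(csv_text)):
        if rule["action"] != "allow":
            continue
        tags = []
        if rule["src"] in ANY and rule["dst"] in ANY and rule["port"] == "any":
            tags.append("any-any")
        # An "any" port also covers the admin ports, so it is flagged too.
        if rule["src"] in ANY and (rule["port"] in ADMIN_PORTS or rule["port"] == "any"):
            tags.append("admin-port-from-internet")
        if in_deprecated(rule["src"], deprecated):
            tags.append("deprecated-source")
        if int(rule["hits_90d"]) == 0:   # no matches in the export window
            tags.append("unused")
        if tags:
            findings[int(rule["id"])] = tags
    return findings


if __name__ == "__main__":
    for rule_id, tags in audit_rules(SAMPLE_RULES).items():
        print(rule_id, ", ".join(tags))
```

Rule 4 passes because its source is a single internal host, which is the shape a jump-host restriction would take; running the audit after each change window gives a re-baseline record to show auditors.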

Stay Ahead of Threat-to-Life Cyber Attacks


Partner with CYBERDEFENS to design and deploy an in-tenant 24/7 SOC that protects clinical operations, ePHI and IoMT with defense-grade detection and board-ready visibility.