IronWiFi Solutions for Healthcare

Overview

Healthcare facilities have unique WiFi requirements driven by patient safety, regulatory compliance, and the growing number of connected medical devices. IronWiFi provides RADIUS-based authentication and captive portal solutions that help healthcare organizations maintain HIPAA compliance, segment clinical and guest networks, and support diverse device types across campuses.

This guide covers architecture recommendations, compliance considerations, and practical configuration for healthcare WiFi deployments.

Healthcare WiFi Challenges

Challenge	Impact	IronWiFi Solution
HIPAA compliance	Unauthorized access to ePHI	Network segmentation with VLAN assignment
Medical device diversity	Legacy devices with limited auth capabilities	MAC authentication with device groups
Patient/visitor WiFi	User-friendly access without compromising security	Captive portal with terms of service
Staff mobility	Clinicians need seamless roaming across campus	WPA2/WPA3-Enterprise with session continuity
Audit requirements	Must track all network access	RADIUS accounting and authentication logs
IoT/biomedical devices	Growing number of connected devices	Device registration and dedicated VLANs

Network Architecture for Healthcare

Recommended Network Segmentation

Healthcare WiFi Architecture with IronWiFi:

┌─────────────────────────────────────────────────┐
│              IronWiFi Cloud RADIUS               │
│  ┌───────────┐  ┌───────────┐  ┌─────────────┐ │
│  │  Auth      │  │ Accounting│  │  Captive    │ │
│  │  Engine    │  │  Engine   │  │  Portal     │ │
│  └───────────┘  └───────────┘  └─────────────┘ │
└──────────────────────┬──────────────────────────┘
                       │
          ┌────────────┼────────────┐
          ▼            ▼            ▼
    ┌──────────┐ ┌──────────┐ ┌──────────┐
    │ Clinical │ │  Medical │ │ Patient/ │
    │ Staff    │ │  Device  │ │ Visitor  │
    │ VLAN 100 │ │ VLAN 200 │ │ VLAN 300 │
    └──────────┘ └──────────┘ └──────────┘

VLAN Strategy

VLAN	Name	Purpose	Authentication Method
100	Clinical	Staff accessing EHR/clinical systems	WPA2/WPA3-Enterprise (EAP-TLS or PEAP)
200	MedDevice	Biomedical and IoT devices	MAC authentication or certificate-based
300	Patient	Patient entertainment, internet	Captive portal with terms acceptance
400	Guest	Visitor internet access	Captive portal with terms acceptance
500	Admin	IT administration	WPA2/WPA3-Enterprise with MFA

Configure VLAN assignment in IronWiFi using RADIUS reply attributes. See Attributes for details.

Clinical Staff Group - Reply Attributes:
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := 100
  WISPr-Bandwidth-Max-Down := 50000000
  WISPr-Bandwidth-Max-Up := 20000000
  Session-Timeout := 28800

Medical Device Group - Reply Attributes:
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := 200

Patient WiFi Group - Reply Attributes:
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := 300
  WISPr-Bandwidth-Max-Down := 10000000
  WISPr-Bandwidth-Max-Up := 5000000
  Session-Timeout := 86400

HIPAA Compliance Considerations

HIPAA Security Rule Requirements

The HIPAA Security Rule requires technical safeguards for protecting electronic Protected Health Information (ePHI). IronWiFi helps meet these requirements:

HIPAA Requirement	Section	IronWiFi Implementation
Access Control	§164.312(a)(1)	Unique user authentication via RADIUS; role-based VLAN assignment
Audit Controls	§164.312(b)	RADIUS authentication and accounting logs with configurable retention
Integrity	§164.312(c)(1)	Message authenticator on RADIUS packets; certificate-based auth
Person Authentication	§164.312(d)	Individual credentials (username/password, certificates, or IdP)
Transmission Security	§164.312(e)(1)	EAP-TLS encrypted tunnels; RadSec for transport encryption

Network Segmentation for ePHI

Isolate networks that carry ePHI from general-purpose networks:

Clinical VLAN -- Only authorized clinical staff on this VLAN
Firewall rules -- Clinical VLAN can reach EHR systems; Patient VLAN cannot
Access logging -- All authentication to the clinical VLAN is logged with user identity
Session limits -- Clinical sessions time out after shift duration (e.g., 8 hours)

warning

Network segmentation alone does not satisfy HIPAA. It is one layer of a defense-in-depth strategy that must include endpoint security, data encryption, access controls, and administrative safeguards.

Audit Trail Configuration

Configure RADIUS accounting to maintain a complete audit trail:

Navigate to Networks > select the clinical network
Ensure RADIUS accounting is enabled on your access points
Set the accounting interim interval:

Reply Attribute: Acct-Interim-Interval := 300

Configure data retention for at least 6 years (HIPAA record retention requirement)
Export logs regularly to your organization's SIEM or archival system

See Data Governance and Compliance for retention configuration.

Business Associate Agreement

If IronWiFi processes or stores data adjacent to ePHI in your deployment, a Business Associate Agreement (BAA) may be required. Contact IronWiFi to discuss your specific deployment and execute a BAA if applicable.

Clinical Staff WiFi

Authentication Options

Method	Security Level	User Experience	Best For
EAP-TLS (Certificates)	Highest	Seamless (no password prompts)	Managed devices
PEAP-MSCHAPv2	High	Username/password on first connect	Mixed environments
SAML via Captive Portal	High	Single sign-on with existing IdP	Organizations with Azure AD/Okta

Certificate-Based Authentication for Staff

For the highest security, deploy EAP-TLS with client certificates to clinical staff devices:

Configure SCEP in IronWiFi for automated certificate issuance
Push WiFi profiles to managed devices via your MDM (Intune, Jamf, etc.)
Certificates authenticate the device without password prompts
Revoke certificates instantly when a device is lost or an employee departs

See Certificate Lifecycle Management for implementation details.

Integration with Healthcare Identity Providers

Connect IronWiFi to your existing identity infrastructure:

Azure AD / Entra ID -- SAML authentication for staff using Microsoft credentials
Okta -- SAML authentication for organizations using Okta
Active Directory -- LDAP connector for on-premises AD authentication
Google Workspace -- Google authentication for organizations using Google

Configure connectors in the IronWiFi Console under Users > Connectors. See Connectors for setup guides.

Staff Roaming Across Campus

Healthcare facilities often span multiple buildings. Ensure seamless roaming:

Use the same IronWiFi Network across all access points on campus
Enable 802.11r (Fast BSS Transition) on your APs for sub-50ms roaming
Enable 802.11k (Neighbor Reports) to help devices make better roaming decisions
Set appropriate session timeouts (shift length) to avoid mid-shift re-authentication
Configure both primary and secondary RADIUS servers for redundancy

Medical Device Networks

Challenges with Medical Devices

Medical and biomedical devices present unique authentication challenges:

Many devices only support basic authentication or no 802.1X at all
Firmware updates may be infrequent or unavailable
Devices may not support WPA2-Enterprise
Device lifecycles are long (10--20 years for some equipment)

MAC Authentication for Medical Devices

For devices that cannot perform 802.1X authentication, use MAC address authentication:

Register the device's MAC address in IronWiFi:
- Navigate to Users > Create User
- Set the Username to the MAC address (format:
```
aa-bb-cc-dd-ee-ff
```
  )
- Set the Password to the same MAC address
- Add the user to the Medical Device group
Configure your access points for MAC authentication bypass (MAB)
The device connects, the AP sends the MAC address as credentials, and IronWiFi authenticates it against the registered entry

note

MAC authentication is less secure than certificate-based authentication because MAC addresses can be spoofed. Mitigate this risk by placing MAC-authenticated devices on a dedicated VLAN with strict firewall rules.

Device Registration Workflow

Establish a process for registering new medical devices:

Request -- Biomedical engineering submits a device registration request with MAC address, device type, and clinical purpose
Approve -- Network security reviews and approves the request
Register -- IT registers the MAC address in IronWiFi and assigns it to the appropriate group
Test -- Verify the device connects and receives the correct VLAN
Document -- Record the device in the asset management system

Monitoring Medical Device Connectivity

Use IronWiFi's logging to monitor medical device network access:

Navigate to Logs > Authentication Logs
Filter by the Medical Device group
Look for unexpected authentication failures or unusual patterns
Set up alerts for critical devices (e.g., infusion pumps, patient monitors)

Patient and Visitor WiFi

Captive Portal Configuration

Provide a user-friendly WiFi experience for patients and visitors:

Navigate to Captive Portals > Create Portal
Configure the portal for the Patient/Visitor network:

Setting	Recommended Value
Authentication	Accept Terms of Service (no credentials required)
Terms of Service	Include acceptable use policy and HIPAA notice
Session Duration	24 hours (auto-reconnect for multi-day stays)
Bandwidth Limit	10 Mbps down / 5 Mbps up per user
Welcome Message	Hospital name, support contact info

Customize the branding with the healthcare facility's logo and colors
Test the portal experience on iOS, Android, and laptop devices

HIPAA Notice on Patient WiFi

Include a clear notice on the captive portal that:

The guest WiFi network is not encrypted end-to-end
Users should not transmit sensitive health information over this network
The facility is not responsible for data transmitted over the guest network
Usage is subject to the acceptable use policy

Limiting Patient WiFi Access

Ensure the patient network cannot reach clinical systems:

Assign patient connections to the Patient VLAN (300)
Configure firewall rules to allow only internet access from VLAN 300
Block access to clinical VLANs (100, 200), internal servers, and management interfaces
Apply bandwidth limits to prevent streaming from impacting clinical traffic

Patient WiFi Group - Reply Attributes:
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := 300
  WISPr-Bandwidth-Max-Down := 10000000
  WISPr-Bandwidth-Max-Up := 5000000
  Session-Timeout := 86400
  Idle-Timeout := 3600

IoT and Biomedical Device Management

Categorizing Healthcare IoT Devices

Category	Examples	Risk Level	Recommended VLAN
Clinical IoT	Infusion pumps, patient monitors, smart beds	Critical	MedDevice (200)
Facility IoT	HVAC sensors, lighting controls, badge readers	Medium	Facility (separate VLAN)
Patient IoT	Personal health devices, wearables	Low	Patient (300)

Network Policies for IoT

Apply restrictive policies to IoT devices:

Bandwidth limits -- IoT devices typically need minimal bandwidth
Session persistence -- Long session timeouts for devices that should stay connected
No internet access -- Many clinical IoT devices only need to reach internal servers
Monitoring -- Alert on unusual traffic patterns from IoT devices

Clinical IoT Group - Reply Attributes:
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := 200
  WISPr-Bandwidth-Max-Down := 1000000
  WISPr-Bandwidth-Max-Up := 1000000
  Session-Timeout := 604800

Deployment Best Practices

Pre-Deployment Checklist

Ongoing Operations

Task	Frequency	Purpose
Review authentication logs	Daily	Detect unauthorized access
Audit medical device registrations	Monthly	Ensure all devices are known and authorized
Test network segmentation	Quarterly	Verify VLANs cannot reach unauthorized resources
Review user access	Quarterly	Remove departed staff, update access levels
Export compliance logs	Monthly	Archive for HIPAA retention requirements
Test disaster recovery	Annually	Verify WiFi can recover from outages
Review captive portal terms	Annually	Keep legal language current

Emergency Access Procedures

Plan for network access during emergencies:

Backup RADIUS -- Always configure both primary and secondary RADIUS servers
Local authentication fallback -- Configure APs to allow local auth if cloud RADIUS is unreachable
Emergency accounts -- Pre-create break-glass accounts for emergency access
Contact escalation -- Document the escalation path for WiFi outages affecting patient care

Networks -- Creating and managing RADIUS network configurations
Attributes -- RADIUS attributes for VLAN assignment and bandwidth
Groups -- User group policies
Captive Portals -- Portal configuration for patient WiFi
Certificate Lifecycle Management -- Certificate deployment for staff devices
Data Governance and Compliance -- HIPAA audit and retention
Device Management -- Device registration and MAC authentication
Bandwidth Management -- QoS and bandwidth policies
Session Management -- Session timeouts and concurrent limits
Configuration Guides -- AP vendor-specific setup

Was this page helpful?

Overview​

Healthcare WiFi Challenges​

Network Architecture for Healthcare​

Recommended Network Segmentation​

VLAN Strategy​

HIPAA Compliance Considerations​

HIPAA Security Rule Requirements​

Network Segmentation for ePHI​

Audit Trail Configuration​

Business Associate Agreement​

Clinical Staff WiFi​

Authentication Options​

Certificate-Based Authentication for Staff​

Integration with Healthcare Identity Providers​

Staff Roaming Across Campus​

Medical Device Networks​

Challenges with Medical Devices​

MAC Authentication for Medical Devices​

Device Registration Workflow​

Monitoring Medical Device Connectivity​

Patient and Visitor WiFi​

Captive Portal Configuration​

HIPAA Notice on Patient WiFi​

Limiting Patient WiFi Access​

IoT and Biomedical Device Management​

Categorizing Healthcare IoT Devices​

Network Policies for IoT​

Deployment Best Practices​

Pre-Deployment Checklist​

Ongoing Operations​

Emergency Access Procedures​

Related Topics​