A clinical lab faced a 45-day deadline to fix a CLIA deficiency. The segmentation we built later contained a malware incident.

A clinical reference laboratory processing thousands of samples weekly received a significant deficiency finding during their CLIA inspection. The surveyor noted that the network was flat: any device could talk to any other device, including the LIS that stored all the patient data.
They had 45 days to submit a corrective action plan. Failure to fix it could affect their CLIA certification, which would mean losing Medicare/Medicaid billing. That was 70% of their revenue.

We did network discovery first and mapped every device on the network. We found 127 endpoints: analyzers, workstations, printers, the LIS servers, and a surprising number of devices no one could identify. (One turned out to be a Raspberry Pi someone had set up for a project two years ago and forgotten about.)
We designed four segments: lab instruments, LIS environment, corporate systems, and guest WiFi. The hard part was figuring out what needed to talk to what. The analyzers had to reach the LIS, but did they need to reach the internet? Some did, for software updates. We documented every flow.
Implementation happened over three weekends. The Friday night cutovers were tense: if the analyzers couldn't reach the LIS, patient testing would stop. We had rollback plans for each segment. We only needed one of them (the middleware server needed a route we'd missed).
We submitted the corrective action 10 days early. The follow-up inspection closed the finding.
Six months later, a workstation in the corporate segment got hit with malware. It couldn't spread to the lab systems because they were on a different segment. The segmentation we built for compliance ended up being the thing that contained the incident.
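
The flow documentation and the missed route described above suggest a pre-cutover check: compare the flows seen during discovery with the documented allowlist and list what the new rules would drop. This is an added example, not tooling from the engagement; the four segment names come from the write-up, while the subnets, addresses, ports and function names are constructed assumptions.

```python
import ipaddress
# The four segment names come from the write-up; every subnet, address and
# port below is a constructed sample value.
SEGMENTS = {
    "lab_instruments": ipaddress.ip_network("10.10.10.0/24"),
    "lis": ipaddress.ip_network("10.10.20.0/24"),
    "corporate": ipaddress.ip_network("10.10.30.0/24"),
    "guest_wifi": ipaddress.ip_network("10.10.40.0/24"),
}
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # assumed site address space

# Documented inter-segment flows: (source segment, destination segment, TCP port).
ALLOWED = {
    ("lab_instruments", "lis", 2575),
    ("lab_instruments", "internet", 443),  # analyzer software updates
    ("corporate", "lis", 443),
    ("guest_wifi", "internet", 443),
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unassigned" if addr in INTERNAL else "internet"  # unassigned = unidentified device

def review(flows):
    """Return (flows the plan would drop, internal hosts with no segment)."""
    dropped, unassigned = [], set()
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        unassigned.update(ip for ip, seg in ((src, s), (dst, d)) if seg == "unassigned")
        if "unassigned" in (s, d) or s == d:
            continue  # unplaced host, or intra-segment traffic that is not filtered
        if (s, d, port) not in ALLOWED:
            dropped.append((s, d, port, src, dst))
    return dropped, unassigned

# Constructed flows, as they might come out of discovery before a cutover.
OBSERVED = [
    ("10.10.10.21", "10.10.20.5", 2575),   # analyzer -> LIS, documented
    ("10.10.10.21", "203.0.113.10", 443),  # analyzer -> vendor update, documented
    ("10.10.20.8", "10.10.10.21", 5000),   # LIS-side host -> analyzer, not documented
    ("10.10.30.44", "10.10.10.21", 445),   # corporate workstation -> analyzer
    ("10.10.99.7", "10.10.20.5", 22),      # host outside every segment
]

dropped, unassigned = review(OBSERVED)
print(dropped, sorted(unassigned))
```

Each dropped flow needs a decision before the cutover: either it is a dependency missing from the documentation, or it is traffic the segmentation is meant to stop, such as the corporate-to-lab entry.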

We had 45 days to fix something we'd been ignoring for years. The weekend cutovers were stressful, but we got it done. And then when we got hit with malware last fall, the lab kept running. That was the moment it clicked.