HIPAA Network Segmentation for Dental Offices: Why VLANs Matter
Most dental office networks were set up by whoever installed the router. The result: front desk computers, CBCT workstations, servers, and patient Wi-Fi all sharing the same flat network. That's a significant security exposure — and it's completely avoidable.
What Network Segmentation Actually Means
Network segmentation is the practice of dividing a single physical network into multiple logical networks — called VLANs (Virtual Local Area Networks) — that cannot communicate with each other without passing through a firewall. Think of it as putting locked doors between rooms in your office. Just because you're in the same building doesn't mean every room should be accessible from every other room.
On a flat network, every device can talk directly to every other device. Your waiting room tablet, the front desk PC, the server running your practice management software, and the CBCT workstation are all peers. If any one of them is compromised, an attacker has line-of-sight to everything else. That's the problem VLANs solve.
Why It Matters for HIPAA
HIPAA's Security Rule (45 CFR § 164.312) requires covered entities to implement technical security measures to guard against unauthorized access to electronic protected health information (ePHI). While HIPAA doesn't mandate VLANs by name, proper network segmentation directly supports multiple required implementation specifications:
- Access Controls — restricting which devices can reach systems that host or transmit ePHI
- Audit Controls — creating clean logging boundaries so traffic can be attributed to its source network
- Integrity Controls — limiting the blast radius of a compromise or ransomware event
- Transmission Security — controlling how ePHI moves between network segments
The practical impact: if ransomware hits the waiting room tablet (or a patient's phone on your Wi-Fi), a properly segmented network stops it from reaching your practice management server. On a flat network, it can reach everything.
The VLAN Architecture We Deploy in Dental Offices
For most dental practices, we implement a four-VLAN architecture. The specifics vary by office size, equipment count, and software stack, but the logic is consistent:
VLAN 10 — Clinical (Restricted)
CBCT workstations, intraoral sensor computers, clinical terminals, and digital X-ray equipment live here. These devices have access to the imaging server and practice management server — and nothing else. No direct internet browsing. No access to admin or guest segments. Firewall rules are explicit: allow what's needed, deny everything else.
VLAN 20 — Administrative
Front desk computers, billing terminals, and office management workstations. Access to the PMS, scheduling, and Microsoft 365. Restricted from clinical imaging systems. Staff on this VLAN can do their jobs without having unrestricted access to clinical data paths.
VLAN 30 — Infrastructure
Servers, NAS devices, backup appliances, and network equipment management interfaces. Heavily firewalled — only reachable from authorized management IPs. This is the segment that holds your most valuable data, and it should be the hardest to reach.
VLAN 40 — Guest / Patient Wi-Fi
Completely isolated from all other VLANs. Internet access only, with optional bandwidth limits. A patient's phone or a vendor's laptop connecting to guest Wi-Fi has zero access to any internal resources. This is the easiest win in dental network security and one of the most commonly skipped.
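To make the "allow what's needed, deny everything else" logic concrete, here is an added example that models the four VLANs above as an ordered allowlist with a default-deny fallback, evaluates sample flows against it, and checks the isolation goals the design states. This is illustrative code, not UniFi's rule syntax and not TechniWorX's own configuration: the VLAN IDs and roles come from this article, while every subnet, server address, management-station address and port number is a constructed assumption.

```python
"""Ordered inter-VLAN allowlist for the four-segment dental office design,
with a default-deny evaluator and a self-check of the isolation goals.

Added example: not UniFi's rule format and not TechniWorX's configuration.
VLAN IDs and roles follow the article; all subnets, host addresses, the
management station and the management port are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed numbering: one /24 per VLAN, plus an aggregate covering all four.
VLANS = {
    "clinical":       ip_network("10.0.10.0/24"),   # VLAN 10
    "admin":          ip_network("10.0.20.0/24"),   # VLAN 20
    "infrastructure": ip_network("10.0.30.0/24"),   # VLAN 30
    "guest":          ip_network("10.0.40.0/24"),   # VLAN 40
}
INTERNAL = ip_network("10.0.0.0/16")   # every internal segment
ANY = ip_network("0.0.0.0/0")          # everything, including the internet

# Constructed addresses for the servers that hold ePHI (VLAN 30).
PMS_SERVER = ip_network("10.0.30.10/32")
IMAGING_SERVER = ip_network("10.0.30.11/32")
# Constructed: the single admin-VLAN workstation allowed to manage VLAN 30.
MGMT_STATION = ip_network("10.0.20.5/32")
MGMT_PORT = 443  # assumed HTTPS management interface on infrastructure devices


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""


# First match wins; anything unmatched falls through to default deny.
POLICY = [
    Rule("deny",  VLANS["guest"],    INTERNAL,       note="VLAN 40: no internal access"),
    Rule("allow", VLANS["guest"],    ANY,            note="VLAN 40: internet only"),
    Rule("allow", VLANS["clinical"], IMAGING_SERVER, note="VLAN 10: imaging server"),
    Rule("allow", VLANS["clinical"], PMS_SERVER,     note="VLAN 10: PMS server"),
    Rule("allow", VLANS["admin"],    PMS_SERVER,     note="VLAN 20: PMS server"),
    Rule("allow", MGMT_STATION, VLANS["infrastructure"], MGMT_PORT,
         "VLAN 30: management station only"),
    Rule("deny",  VLANS["admin"],    INTERNAL,       note="VLAN 20: no clinical/infra paths"),
    Rule("allow", VLANS["admin"],    ANY,            note="VLAN 20: Microsoft 365, scheduling"),
]


def evaluate(src: str, dst: str, dport: Optional[int] = None) -> tuple[str, str]:
    """Return (action, note of the matching rule) for one flow; default is deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in POLICY:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.note
    return "deny", "default deny"


# The isolation goals of the design, written as flows that must hold.
# Format: (source, destination, port, expected action). Addresses constructed.
EXPECTED = [
    ("10.0.40.23", "10.0.30.10",  443, "deny"),   # guest -> PMS server
    ("10.0.40.23", "10.0.10.7",   445, "deny"),   # guest -> clinical workstation
    ("10.0.40.23", "203.0.113.9", 443, "allow"),  # guest -> internet
    ("10.0.10.7",  "10.0.30.11",  443, "allow"),  # CBCT workstation -> imaging server
    ("10.0.10.7",  "203.0.113.9", 443, "deny"),   # clinical -> internet
    ("10.0.10.7",  "10.0.20.15",  445, "deny"),   # clinical -> front desk PC
    ("10.0.20.15", "10.0.30.10",  443, "allow"),  # front desk -> PMS server
    ("10.0.20.15", "10.0.30.11",  443, "deny"),   # front desk -> imaging server
    ("10.0.20.15", "203.0.113.9", 443, "allow"),  # front desk -> Microsoft 365
    ("10.0.20.5",  "10.0.30.20",  443, "allow"),  # mgmt station -> NAS web UI
    ("10.0.20.15", "10.0.30.20",  443, "deny"),   # other admin PC -> NAS web UI
    ("10.0.20.5",  "10.0.30.20",  22,  "deny"),   # mgmt station, port not allowed
]


def verify_policy() -> list[str]:
    """Run every expected flow through the rule table; return any mismatches."""
    failures = []
    for src, dst, port, want in EXPECTED:
        got, note = evaluate(src, dst, port)
        if got != want:
            failures.append(f"{src}->{dst}:{port} expected {want}, got {got} ({note})")
    return failures


if __name__ == "__main__":
    problems = verify_policy()
    print("policy OK" if not problems else "\n".join(problems))
```

The order of the rules is the whole point: the admin VLAN's "deny to internal" sits after its specific allows (PMS, management station) and before its broad "allow to anything" rule, so front desk PCs reach Microsoft 365 but not the imaging server or the NAS. Keeping the expected flows next to the rules turns a one-time firewall build into something you can re-check after every change and hand to an assessor.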
UniFi Makes This Practical for Small Practices
We primarily deploy Ubiquiti UniFi networking equipment — specifically the UDM Pro or UDM SE as the security gateway — because it makes VLAN-based firewall rules accessible and maintainable for practices that aren't running enterprise IT departments. The UniFi controller provides a single dashboard covering every device, every SSID, and every inter-VLAN firewall rule. It's auditable, which matters when you need to demonstrate your security posture to a compliance officer or during a HIPAA risk assessment.
The hardware is business-grade, the licensing model is straightforward, and the architecture scales from a single-location practice to a multi-site group without changing the management approach.
Is Your Network Currently Segmented?
If your network was set up by a cable company technician or a general IT provider who wasn't thinking specifically about HIPAA, the answer is almost certainly no. A few ways to check:
- Can you connect to patient Wi-Fi and ping a clinical workstation? If yes, you have a flat network. (A blocked ping alone doesn't prove segmentation, since a host firewall can drop ICMP while other ports stay reachable.)
- Does your router have a single subnet (e.g., 192.168.1.x for everything)? That's a flat network.
- Does your "HIPAA-compliant IT" setup consist primarily of antivirus and a backup solution with no discussion of network architecture? That's a gap.
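The second check above (one subnet for everything) can be run against a device inventory rather than by eyeballing addresses. The following added example, not a TechniWorX tool, parses a constructed CSV of device role, hostname and address, groups devices by subnet, and flags any subnet that hosts more than one role. The two inventories and their addresses are constructed for illustration.

```python
"""Flat-network audit from a device inventory.

Added example, not a TechniWorX tool. Input is a CSV of role,hostname,address
(address in CIDR form); devices are grouped by subnet and any subnet that
holds more than one role is reported. Both inventories below are constructed.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from ipaddress import IPv4Interface, ip_interface

# Constructed inventory for an office still on a single "cable-company" subnet.
FLAT_INVENTORY = """\
role,hostname,address
clinical,cbct-1,192.168.1.21/24
clinical,xray-op2,192.168.1.22/24
admin,frontdesk-1,192.168.1.31/24
infrastructure,pms-server,192.168.1.10/24
guest,waiting-room-tablet,192.168.1.140/24
"""

# Constructed inventory for the same office after the four-VLAN redesign.
SEGMENTED_INVENTORY = """\
role,hostname,address
clinical,cbct-1,10.0.10.21/24
clinical,xray-op2,10.0.10.22/24
admin,frontdesk-1,10.0.20.31/24
infrastructure,pms-server,10.0.30.10/24
guest,waiting-room-tablet,10.0.40.140/24
"""


def parse_inventory(text: str) -> list[tuple[str, str, IPv4Interface]]:
    """Read role, hostname and interface (address + mask) from CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["role"], row["hostname"], ip_interface(row["address"]))
            for row in reader]


def mixed_subnets(text: str) -> dict[str, list[str]]:
    """Map each subnet hosting more than one device role to its sorted roles."""
    roles_by_subnet: dict = defaultdict(set)
    for role, _hostname, iface in parse_inventory(text):
        roles_by_subnet[iface.network].add(role)
    return {str(net): sorted(roles)
            for net, roles in roles_by_subnet.items() if len(roles) > 1}


def is_flat(text: str) -> bool:
    """True when clinical, admin, infrastructure or guest devices share a subnet."""
    return bool(mixed_subnets(text))


if __name__ == "__main__":
    for name, inv in (("flat", FLAT_INVENTORY), ("segmented", SEGMENTED_INVENTORY)):
        print(name, "->", mixed_subnets(inv) or "no shared subnets")
```

Passing this check is necessary but not sufficient: four subnets with unrestricted inter-VLAN routing are still effectively one network at the firewall layer. The subnet audit tells you whether segmentation exists at all; the inter-VLAN deny rules decide whether it does anything.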
How TechniWorX Implements Network Segmentation
TechniWorX designs and deploys VLAN segmentation tailored to your specific office layout, equipment inventory, and software stack. We handle everything from firewall configuration to any new switch drops required — and we document the full architecture so you have clear records for any compliance review or risk assessment.
If you're not sure whether your office network is properly segmented, contact us for an assessment. We'll map your current setup and give you an honest picture of where the gaps are — no upsell pressure, just a clear look at what you're working with.
Not sure if your dental office network is properly segmented? Let's take a look.
Request a Network Assessment