Case Study 2: The Flat Hospital — How One Foothold Reached the Infusion Pumps

"We thought the network was secure because the firewall was. We never asked what the firewall couldn't see." — IT Director, Pinewood Regional Medical Center (constructed)

Executive Summary

If Case Study 1 was about building segmentation at a bank before a breach, this one is about reading a breach at a hospital that had none — an analytical post-mortem of how a single compromised laptop became an enterprise-wide incident because the network was flat and silent. Pinewood Regional Medical Center, a mid-size hospital, suffered an intrusion that began with one phished employee and, over eleven days, spread east-west across an undivided network until it reached not only patient records but the clinical systems and medical devices that keep people alive. The data exposure was not even the worst part: the most dangerous moment of the incident was when investigators realized the attacker's reconnaissance traffic had reached the subnet hosting networked infusion pumps and imaging equipment — devices whose worst case is measured in patient safety, not dollars.

This case study is detection- and analysis-heavy (Case Study 1 was design-heavy), and it exists to make three of the chapter's ideas concrete from the attacker's-trail side: that east-west lateral movement is how breaches actually spread, that a flat network is silent and therefore catastrophic, and that "low-value data" does not mean "low risk" when impact includes safety. You will trace the attacker's path through the layers, read the telemetry that should have existed and mostly didn't, and extract the segmentation that would have changed the outcome. It previews the operational-technology material of Chapter 33. All details are constructed for teaching (Tier 3), informed by the general pattern of reported healthcare intrusions.

Skills applied: reconstructing lateral movement from limited telemetry; reading ARP, scan, and connection artifacts; mapping an attack to OSI layers; recognizing the safety re-weighting of the CIA triad; deriving the segmentation that would have contained the breach; distinguishing what a perimeter firewall can and cannot see.

Background

Pinewood Regional Medical Center serves a community of about 200,000. Like many hospitals, it grew its network by accretion: each new clinical system, each new wing, each new vendor's equipment was plugged into whatever switch was nearest, on one large address space. The perimeter was genuinely well managed — a capable next-generation firewall, regularly patched, with a tight inbound policy. The hospital had passed its external assessments. What it had never done was look inside. There were no internal trust zones. A workstation at the reception desk, the electronic health record (EHR) servers, the radiology imaging systems, the building-management controllers, and a subnet full of networked infusion pumps all sat on the same flat Layer 2 and Layer 3 fabric. Everything could reach everything.

Pinewood also ran the kind of devices that make hospital networks uniquely dangerous: medical equipment that is, underneath, an old embedded computer. Infusion pumps that deliver medication on a schedule. Imaging machines running operating systems years past patching. Networked devices that cannot be taken offline for updates because they are in clinical use, and that no one had ever treated as part of the attack surface (Chapter 1) — because no one had drawn the attack surface at all.

When the incident began, Pinewood had exactly one network sensor: the perimeter firewall's logs. It could see what crossed the boundary. It could see nothing of what moved inside. That single fact determined how the breach unfolded and how nearly blind the response was.

The Analysis

Phase 1 — Initial access (north-south, through a person)

The attacker's entry was unremarkable and, by now, familiar. A billing clerk received a convincing phishing email, clicked, and ran an attachment that gave the attacker remote control of her workstation. This is the north-south event — the one crossing the boundary — and it is the only part of the early attack the perimeter firewall could, in principle, have helped with (it did not, because the traffic looked like ordinary outbound web traffic from an internal machine). At the moment of compromise, the attacker held one workstation on the billing subnet.

On a segmented network, this is where the story would have largely ended: one contained workstation, a few denied lateral attempts, an alert. On Pinewood's flat network, it was where the story began, because the attacker's next move — and every move after — was east-west, and nothing was watching east-west.

🔗 Connection: Compare this to Meridian's validated breach scenario (Case Study 1), where the same initial foothold hit default-deny walls in every direction but one. The difference between the two outcomes, hospital versus bank, is not the quality of the phish or the skill of the attacker — both were ordinary. The difference is entirely the interior architecture. The same first move leads to a contained incident or an enterprise catastrophe depending on whether the inside is divided.

Phase 2 — Discovery and lateral movement (east-west, invisible)

From the billing workstation, the attacker did what attackers always do next: they mapped the neighborhood. Because the network was flat, the reconnaissance was trivial and the reach was total. Pieced together later from the few artifacts that survived, the attacker's east-west activity looked like this:

RECONSTRUCTED EAST-WEST ACTIVITY (from host artifacts + the one switch that logged)
  Day 1   ARP sweep of the local /16: enumerate live hosts (Layer 2)
  Day 1   port scans across discovered hosts: 445 (SMB), 3389 (RDP), 22, 23, 80, 443
  Day 2-4 reach EHR application servers on the same flat segment; harvest credentials
  Day 3   ARP-spoof the local gateway on the billing subnet -> brief MITM of cleartext traffic
  Day 5-8 move to radiology subnet (imaging systems) — reachable, unpatched OS
  Day 9   scan reaches the biomedical-device subnet: infusion pumps answer on management ports
  Day 11  detected — only because a clinician reported imaging systems behaving strangely

Every line of that timeline is a Layer 2 or Layer 3 action that a perimeter firewall cannot see, because none of it crossed the perimeter. The ARP sweep and the ARP spoof are Layer 2, confined to the local segment — invisible to any Layer 3 device. The port scans and lateral connections are east-west traffic that never approached the boundary. The attacker spent eleven days moving freely through a building with no internal walls and no internal cameras, and the defenders' single sensor was pointed at the front door the attacker had already walked through on Day 1.

🛡️ Defender's Lens: The most chilling line in the timeline is "Day 11 — detected." For ten days the attacker operated with total internal freedom and zero detection, because a flat network is not just insecure — it is silent. There is nothing to alert on when all traffic is permitted; the absence of denied-traffic logs means the absence of the tripwires that a segmented network provides for free (Case Study 1's threshold concept). The lesson for the SOC analyst: if your only network sensor is at the perimeter, you are blind to the phase of the attack — lateral movement — where you actually have the best chance to catch a competent intruder. Internal visibility (Chapter 10) and internal segmentation are the same investment viewed from two angles.

Phase 3 — Mapping the attack to the layers

To brief leadership and design the fix, the response team mapped each stage of the intrusion to the OSI layer it lived at and the control that would have detected or prevented it — exactly the §6.3 discipline of "if this is bad, which layer is the badness at, and is anything watching?":

  Attack stage                      | OSI layer     | What it did                    | Control that would have caught/stopped it
  ----------------------------------+---------------+--------------------------------+----------------------------------------------------------
  Phishing payload, C2              | 7 (App)       | Initial access, remote control | Email security, EDR (Chapters 9, 11)
  ARP sweep / ARP spoof             | 2 (Data Link) | Enumerate hosts; brief MITM    | Dynamic ARP inspection, port security; segmentation
  Port scans                        | 4 (Transport) | Find open services east-west   | Internal firewall default-deny; internal IDS (Chapter 7)
  Lateral connections (SMB/RDP)     | 3–4           | Reach EHR, radiology, devices  | Segmentation between clinical/biomed/corporate zones
  Cleartext credential capture      | 5–7           | Harvest creds during MITM      | TLS on internal traffic (Chapter 5)
  Reaching biomedical-device subnet | 3             | Scan/reach infusion pumps      | Isolated biomedical VLAN, default-deny (Chapter 33)

The table makes the diagnosis unambiguous. The single control that appears most often in the right-hand column is segmentation. Almost every stage of the attack depended on the network being flat; almost every stage would have been blocked or surfaced by trust zones with default-deny boundaries. Pinewood had spent its security budget on the perimeter (Layer 7 and the boundary) and nothing on the interior (Layers 2–4 inside), and the attacker used the interior exclusively after Day 1.

Phase 4 — The safety stakes: why "no sensitive data" was the wrong comfort

Early in the response, a manager offered what felt like reassurance: "At least the infusion pumps don't store any data worth stealing." The incident commander corrected the framing immediately, and it is the most important point of this case. The risk on the biomedical subnet was never about confidentiality — who cares if an attacker learns a pump's firmware version? The risk was about integrity and availability with consequences in human safety. A compromised infusion pump is not a data-breach problem; it is a patient-safety problem. The CIA triad re-weights completely:

  Property        | At a bank (Meridian) | On Pinewood's biomedical subnet | Why
  ----------------+----------------------+---------------------------------+--------------------------------------------------------------
  Confidentiality | High (PII, cards)    | Low                             | Device data has little resale value; settings aren't secrets
  Integrity       | High (the ledger)    | Critical                        | An altered dose or setpoint is a direct safety threat
  Availability    | High (uptime)        | Critical                        | A device taken offline mid-treatment endangers a patient

Investigators found no evidence the attacker had altered a device — the intrusion was caught at the reconnaissance stage on that subnet. But "we got lucky on timing" is not a control. The fact that an external attacker's scan reached a subnet of life-sustaining medical devices, eleven days into an undetected intrusion, was the finding that reorganized Pinewood's entire security program. A defender who had optimized only for "protect the patient data" — hardening the EHR while leaving the biomedical subnet one flat hop from a billing clerk's laptop — would have defended the wrong crown jewel.

💡 Intuition: "Low-value data" is not "low risk." Risk lives in impact, and impact is whatever the organization actually stands to lose — money for a bank, safe care for a hospital. The infusion-pump subnet held almost nothing worth stealing and carried the highest risk in the building, because its impact axis includes lives. Always ask "what does this organization most fear losing?" and segment most aggressively around that — not around a generic instinct about "sensitive data." This is the same lesson the water utility taught in Chapter 1, now with the network architecture to fix it.

Phase 5 — The segmentation that would have changed the outcome

The remediation was the architecture Pinewood should have had — the hospital analog of Meridian's Figure 6.4. The response team designed trust zones around function and safety, with default-deny between them and the biomedical devices isolated most strictly of all:

                                ┌───────────────────────┐
                                │       INTERNET        │  (untrusted)
                                └───────────┬───────────┘
                                ┌───────────┴───────────┐
                                │   PERIMETER FIREWALL  │  default-deny inbound
                                └───────────┬───────────┘
                                ┌───────────┴───────────┐
                                │   INTERNAL FIREWALL   │  default-deny between zones
                                └───────────┬───────────┘
          ┌────────────────┬────────────────┼────────────────┬────────────────┐
          │                │                │                │                │
  ┌───────┴──────┐ ┌───────┴──────┐ ┌───────┴──────┐ ┌───────┴──────┐ ┌───────┴──────┐
  │   CORPORATE  │ │   CLINICAL   │ │  BIOMEDICAL  │ │   IMAGING/   │ │   BUILDING   │
  │ billing,     │ │ EHR app,     │ │ infusion     │ │   RADIOLOGY  │ │   MGMT (OT)  │
  │ email        │ │ clinician    │ │ pumps,       │ │ unpatched    │ │ HVAC, etc.   │
  │              │ │ stations     │ │ monitors     │ │ imaging OS   │ │              │
  └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘
                                           ▲ most isolated zone: default-deny in AND out;
                                             reachable only from named clinical systems on
                                             named ports; nothing from corporate/billing ever

Figure 6.5 — Pinewood's post-incident zone design. The biomedical-device subnet — the highest-impact, least-patchable zone — is isolated most strictly: default-deny inbound and outbound, reachable only from specific clinical systems on specific ports. A billing clerk's compromised laptop can no longer reach it under any flat-network accident.

Under this design, the eleven-day intrusion collapses into a contained Day 1: the billing workstation is in the corporate zone; its attempts to ARP-sweep are confined to its own small segment; its attempts to reach the clinical, biomedical, imaging, and building-management zones all hit default-deny boundaries that log the attempts and alert the (newly funded) monitoring. The same foothold that reached infusion pumps in eleven silent days now reaches one subnet and a wall, loudly. Note too that this design treats the building-management and biomedical systems as operational technology — a category whose safety-first defense is the subject of Chapter 33; segmenting them from the IT network is the foundational move.
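To make the "tripwires for free" idea from the Defender's Lens and the contained Day 1 above concrete, here is an added example (not part of the case study or any Pinewood tooling) that models the Figure 6.5 zones as a default-deny policy, replays the billing workstation's moves through it, and raises the alerts the internal firewall's deny log would produce. The address ranges, the allow-list, and the management port 8443 are assumptions constructed for the example.

```python
"""Zone policy and deny-log tripwire for the Pinewood case (constructed example)."""
from collections import defaultdict
import ipaddress

# Constructed zone map modelled on Figure 6.5; the address ranges are made up.
ZONES = {
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),
    "clinical":   ipaddress.ip_network("10.20.0.0/16"),
    "biomedical": ipaddress.ip_network("10.30.0.0/16"),
    "imaging":    ipaddress.ip_network("10.40.0.0/16"),
    "building":   ipaddress.ip_network("10.50.0.0/16"),
}
# Cross-zone allow-list as (src_zone, dst_zone, dst_port); anything else is denied.
ALLOW = {
    ("corporate", "clinical", 443),    # billing web front-end to the EHR application
    ("clinical", "biomedical", 8443),  # named clinical systems manage pumps on one assumed port
    ("clinical", "imaging", 104),      # DICOM from clinical systems to radiology
}

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src, dst, port):
    """Policy decision: traffic inside one zone flows; between zones it is default-deny."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny"
    if s == d:
        return "allow"
    return "allow" if (s, d, port) in ALLOW else "deny"

def tripwire(attempts, fanout=5):
    """Replay (src, dst, port) attempts and return the alerts a deny log would raise:
    any denied reach toward the biomedical zone, and any source denied to >= fanout hosts."""
    denied_hosts = defaultdict(set)
    alerts = []
    for src, dst, port in attempts:
        if evaluate(src, dst, port) == "deny":
            denied_hosts[src].add(dst)
            if zone_of(dst) == "biomedical":
                alerts.append(f"CRITICAL {src} ({zone_of(src)}) denied to biomedical {dst}:{port}")
    for src, hosts in denied_hosts.items():
        if len(hosts) >= fanout:
            alerts.append(f"SCAN {src} ({zone_of(src)}) denied to {len(hosts)} hosts")
    return alerts

# Constructed replay of the billing workstation's Day 1 and Day 9 moves.
BILLING_WS = "10.10.5.23"
ATTEMPTS = [(BILLING_WS, f"10.20.1.{i}", 445) for i in range(1, 11)]  # SMB sweep toward EHR servers
ATTEMPTS.append((BILLING_WS, "10.30.2.7", 8443))   # the reach toward an infusion pump
ATTEMPTS.append((BILLING_WS, "10.10.5.40", 445))   # intra-zone SMB: permitted and silent
```

The intra-zone attempt still passes without a log line, which is the "one subnet and a wall" residue the design accepts; everything that crosses a zone boundary shows up in the deny log on the first try.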

⚠️ Common Pitfall: Pinewood's leadership had taken genuine comfort in passing external penetration tests. But an external test attacks the perimeter — the layers the attacker used only on Day 1. It says almost nothing about internal segmentation, the layers the attacker used for the other ten days. Passing an external assessment while running a flat internal network is one of the most dangerous false comforts in security: you have proven your front door is strong and learned nothing about whether your building has interior walls. Assess the inside, not just the boundary.

Discussion Questions

  1. Pinewood's single network sensor was the perimeter firewall. List, in priority order, the internal visibility you would add first (preview Chapter 10), and justify the order by where in the attack timeline each would have first caught the intruder.
  2. The biomedical devices could not be patched or taken offline. Given that constraint, why is segmentation the primary defense for them rather than patching, and what does this imply for any environment with unpatchable systems?
  3. The case argues that passing an external penetration test gave false comfort. Design a minimal internal assessment that would have revealed the flat-network risk. What would you test, and what result would have set off alarms?
  4. The CIA triad re-weighted so that confidentiality scored low and integrity/availability scored critical on the biomedical subnet — the reverse of the EHR servers next door. How should a hospital with both kinds of asset, on a shared budget, prioritize? Is one zone's protection ever in tension with another's?
  5. Eleven days passed before detection, entirely because the network was silent. Beyond segmentation, what organizational or process changes (not just technology) would shorten that detection time? (Consider the clinician who finally reported the anomaly.)

Your Turn

Choose an organization whose worst case is not primarily about confidential data and that runs a flat or near-flat network — a hospital, a manufacturing plant, a school district, a municipal utility. (a) Sketch its current flat network and mark the one subnet whose compromise you would most fear, and why its impact axis is safety or operations rather than data. (b) Reconstruct, in five to eight steps, how a single phished workstation could reach that subnet east-west today. (c) Redesign the network into trust zones with default-deny boundaries, isolating the highest-impact zone most strictly, and re-trace the same foothold to show it is now contained. (d) Name the one internal sensor you would add first and what attack stage it would catch. Keep it to two pages, and end with the sentence: "For this organization, the worst case is not a data breach; it is ______."

Key Takeaways

  • East-west lateral movement is how breaches spread. Initial access (north-south, via a person) is often only Day 1; a flat interior turns one foothold into total reach over days the defender never sees.
  • A flat network is silent. With all traffic permitted there is nothing to alert on; segmentation's default-deny boundaries are tripwires that a flat network lacks entirely.
  • A perimeter sensor is blind to the attack's most catchable phase. The perimeter firewall sees the boundary the attacker crossed on Day 1, not the internal movement of Days 2–11.
  • Map each attack stage to its OSI layer to find your blind layers; at Pinewood, the control that appeared most often as the missing defense was segmentation.
  • "Low-value data" ≠ "low risk." A subnet of unpatchable medical devices held nothing worth stealing and carried the highest risk in the hospital, because its impact axis is patient safety — integrity and availability, not confidentiality.
  • Passing an external test is not internal security. Assess the interior; isolate the highest-impact, least-patchable systems (operational technology, Chapter 33) most strictly of all.