"Securing Connected Medical Devices: IoT Segmentation with Aruba ClearPass and CX"

A single infusion pump, imaging cart, or patient monitor running an unpatched embedded OS can become the entry point for a ransomware event that takes a hospital offline. The hard part of medical device segmentation isn't deciding that you need it; it's isolating thousands of fragile, agentless devices without breaking clinical workflows or the people who depend on them. This guide walks through how dynamic segmentation with HPE Aruba Networking ClearPass and AOS-CX switches delivers IoMT security as a policy layer on your existing fabric, not a forklift rebuild.
The IoMT security problem in hospitals
The Internet of Medical Things (IoMT) is uniquely difficult to defend. Devices often run legacy operating systems that can't be patched on a clinical schedule, can't host an endpoint agent, and may stay in service for a decade or more. They share VLANs with workstations, badge readers, and guest Wi-Fi because that's how the network grew organically. The result is a flat or semi-flat environment where a compromised vending machine can reach a CT scanner.
Traditional fixes make things worse. Building a separate physical network for medical devices is expensive and slow. Hand-managed VLANs and ACLs sprawl into thousands of rules nobody fully understands, and they break the moment a device moves to a different floor or gets a new IP. What healthcare IT actually needs is connected device isolation that follows the device, enforces least privilege automatically, and never requires touching the device itself.
The dynamic segmentation approach with ClearPass and CX
Dynamic segmentation in healthcare reframes the problem: instead of building segments around switch ports and subnets, you build them around device identity and role. HPE Aruba Networking ClearPass and AOS-CX switches work together to make that happen.
Discover and profile every device. ClearPass Device Insight and the built-in Device Profiler fingerprint each endpoint the moment it connects -- no agent, no manual inventory. A profiler can distinguish a Baxter infusion pump from a GE monitor from a nurse's laptop using DHCP, MAC OUI, traffic behavior, and other passive signals, then keep watching for drift.
Authenticate and assign a role. ClearPass acts as the policy controller. Devices that support certificates authenticate with EAP-TLS; the large population that can't authenticate is profiled and mapped to a role via MAC authentication. Either way, the device lands in a role -- "imaging," "infusion-pump," "biomed-workstation" -- rather than a static VLAN tied to a port.
Enforce in the fabric. AOS-CX switches apply that role using dynamic segmentation. With Group Based Policy (GBP), traffic carries a group policy ID end to end, so micro-segmentation can separate two devices on the same VLAN based on role. The role travels with the device: if that imaging cart moves to another floor or gets a new IP, the policy follows it. This is the same VXLAN-GBP and Virtual Network Based Tunneling model HPE Aruba Networking uses across wired and wireless, so a device gets identical isolation whether it's plugged in or on Wi-Fi.
Respond automatically. Because ClearPass continuously monitors behavior, deviation triggers enforcement without a human in the loop -- VLAN reassignment, ACL restriction, or session termination. A pump that suddenly tries to scan the network or reach the internet gets quarantined while clinicians keep working.
What you can isolate (and how policy maps to it)
The point of segmentation is least privilege per device class. A practical policy model looks like this:
| Device role | Should talk to | Should never talk to | Typical onboarding |
|---|---|---|---|
| Infusion pumps / monitors | Vendor server, EHR gateway | Internet, other IoMT, workstations | MAC auth + profiling |
| Imaging (CT, MRI, PACS) | PACS/VNA servers | Guest, IoT, internet | Cert or MAC auth |
| Biomed engineering laptops | Device mgmt servers | Patient data systems | EAP-TLS (cert) |
| Guest / patient Wi-Fi | Internet only | Any internal VLAN | Captive portal |
| Building IoT (HVAC, cameras) | Their controllers | Clinical VLANs, internet | MAC auth + profiling |
The same logic extends to facilities IoT and guest access, which is why hospitals often consolidate NAC for the whole environment rather than buying a point tool just for medical devices.
How to choose your segmentation design
A few decisions shape the deployment more than any single product spec:
- Overlay vs. port-based. If you're refreshing access switches anyway, a VXLAN-GBP overlay (NetConductor-style) gives you the cleanest role-follows-device behavior. If you're keeping existing infrastructure, role-to-VLAN and tunneled enforcement still deliver strong isolation with less change.
- CX switch tier. Match the switch to the closet. The CX 6200 and 6300 series are common access-layer choices in clinical buildings; aggregation and core sizing depend on your throughput and uplink needs. We size this per site -- browse current models on the products page or the full catalog.
- Authentication mix. Plan for reality: a minority of devices will do certificates; most will be profiled and MAC-authenticated. ClearPass handles both in one policy model.
- Phased rollout. Start in monitor mode to learn what's on the network before you enforce. Profiling first, enforcement second, prevents day-one clinical disruption.
If you're weighing platforms, our compare page lines up the relevant CX series and NAC options side by side.
Outcomes healthcare teams see
Done right, this approach produces measurable results: thousands of clinical and IoMT devices onboarded without installing software on any of them; a smaller blast radius because a compromised device can't move laterally; demonstrable progress toward zero-trust and HIPAA security-rule expectations; and far less manual VLAN/ACL maintenance because policy is centralized in ClearPass instead of scattered across switch configs. Most importantly, none of it asks clinicians to change how they work.
How Uniqcli helps
Uniqcli is an authorized HPE and HPE Aruba Networking reseller, and we scope IoMT segmentation projects end to end. That starts with a discovery and design phase -- profiling what's actually on your network, mapping device classes to roles, and sizing the right ClearPass and AOS-CX footprint for your closets and core.
On procurement, we're built for healthcare and public-sector buyers. We supply TAA-compliant hardware and quote through the contract vehicles you already use, including GSA, NASA SEWP for federal agencies, and E-Rate for eligible health-and-education networks. For health systems and SLED buyers, we align to the cooperative and state contracts that keep purchases compliant and fast. You get a clean bill of materials, not a guess.
We don't stop at the PO. Uniqcli supports deployment -- staging, ClearPass policy buildout, switch provisioning, and a phased monitor-then-enforce rollout -- plus ongoing support and lifecycle/renewal management. Start with a quote and we'll turn your device inventory into a segmentation plan with pricing on a single contract vehicle.
FAQ
Will segmentation disrupt patient care during rollout? It doesn't have to. The recommended path is to deploy ClearPass in profiling/monitor mode first so you understand every device and its normal behavior before any policy is enforced. Enforcement is then phased role by role, so clinical workflows keep running while isolation tightens.
Do medical devices need software installed for this to work? No. ClearPass profiles and authenticates agentlessly. Devices that support certificates use EAP-TLS; everything else is fingerprinted and MAC-authenticated. Enforcement happens in the AOS-CX fabric, never on the device.
How is this different from just using VLANs and ACLs? Static VLANs and ACLs are tied to ports and IPs, so they break when a device moves and sprawl into thousands of unmanageable rules. Dynamic segmentation assigns a role to the device that follows it anywhere on wired or wireless, and Group Based Policy can even separate two devices on the same VLAN.
Can the same system cover guest Wi-Fi and building IoT too? Yes. ClearPass and CX dynamic segmentation apply one policy model across IT, IoT, IoMT, and guest traffic, which is why hospitals often consolidate onto it rather than buying a separate tool per use case. Ask us for a quote that scopes the full environment.