How We Deployed Zero-Trust Security Across Three Clinic Sites
Client: Allied Health Network — a multi-site physiotherapy and allied health practice operating across three Melbourne locations.
Service Vertical: Strategic Managed Services
Outcome: Zero security breaches across 3 sites in 12 months. 99.97% uptime. Full Microsoft 365 governance deployed in 6 weeks.
The Challenge
Allied Health Network had grown from a single Ivanhoe clinic to three locations across Melbourne's inner north. Their technology had not kept pace. Each site operated as a silo — different routers, different antivirus products, no centralised identity management. Patient data was being accessed over consumer-grade Wi-Fi networks.
The practice manager described the situation plainly: "We had three separate IT setups that nobody really understood. When something broke, we called whoever was cheapest that week."
The specific problems we inherited:
- No centralised identity management. Staff shared passwords across sites. There was no single sign-on, no MFA, and no offboarding process when contractors left.
- Consumer-grade network equipment. Two of the three sites were running residential-class routers with default admin credentials.
- No endpoint protection. The existing antivirus was a free consumer product installed manually on some machines. No EDR. No threat detection.
- Cliniko integration fragility. The practice management system (Cliniko) was being accessed directly over the public internet with no VPN or access controls.
- Zero backup strategy. Patient records existed only on local machines and in Cliniko's cloud. No local or offsite backup of business-critical documents.
This was not an IT problem. It was a governance vacuum.
Our Approach
We designed the engagement as a 6-week sprint with three phases, treating the three sites as a single sovereign infrastructure rather than three independent problems.
Phase 1: Discovery & Audit (Weeks 1-2)
We deployed our standard Sanctum Infrastructure Audit across all three locations:
- Full network topology mapping using passive scanning
- Microsoft 365 tenant security review (Secure Score baseline: 31/100)
- Endpoint inventory — every device, every OS version, every piece of software
- Cliniko API access pattern analysis
- Staff interview sessions to understand workflow and pain points
The audit revealed 47 critical findings. The most alarming: an ex-contractor's Microsoft 365 account was still active 8 months after their engagement ended, with full access to patient scheduling data.
Phase 2: Architecture & Deployment (Weeks 3-5)
We implemented a zero-trust architecture across all three sites:
Identity & Access:
- Azure AD (Entra ID) as the single identity provider across all sites
- Conditional Access policies enforcing MFA for all users, blocking legacy authentication
- Automated onboarding/offboarding via Microsoft 365 lifecycle workflows
- Role-based access groups aligned to clinical, administrative, and management functions
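The two identity controls above (MFA enforced for everyone, legacy authentication blocked) and the Phase 1 finding of a still-active ex-contractor account can both be checked from tenant data. The following is an added example, not Digital Sanctum's own tooling: it runs over constructed Entra ID user and Conditional Access records in the shape the Microsoft Graph endpoints named in the comments return, and `USERS`, `POLICIES` and the function names are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample users, shaped like the result of
# GET /users?$select=userPrincipalName,accountEnabled,signInActivity
USERS = [
    {"userPrincipalName": "reception@clinic.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:12:00Z"}},
    {"userPrincipalName": "ex-contractor@clinic.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-09-14T17:02:00Z"}},
    {"userPrincipalName": "old-locum@clinic.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-01-02T09:00:00Z"}},
]
# Constructed sample policies (GET /identity/conditionalAccess/policies); the second is report-only.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"],
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def stale_enabled_accounts(users, now_iso, max_idle_days=90):
    """Enabled accounts with no sign-in inside the window: candidate offboarding gaps."""
    cutoff = _ts(now_iso) - timedelta(days=max_idle_days)
    return [u["userPrincipalName"] for u in users if u["accountEnabled"]
            and u.get("signInActivity", {}).get("lastSignInDateTime")
            and _ts(u["signInActivity"]["lastSignInDateTime"]) < cutoff]

def _enforced_for_everyone(policy, control):
    """Enabled (not report-only), scoped to all users and all apps, applying this control."""
    c = policy["conditions"]
    return (policy["state"] == "enabled" and "All" in c["users"]["includeUsers"]
            and "All" in c["applications"]["includeApplications"]
            and control in policy["grantControls"]["builtInControls"])

def mfa_required_for_all(policies):
    return any(_enforced_for_everyone(p, "mfa") and "all" in p["conditions"]["clientAppTypes"]
               for p in policies)

def legacy_auth_blocked(policies):
    legacy = {"exchangeActiveSync", "other"}  # client app types used by legacy protocols
    return any(_enforced_for_everyone(p, "block") and legacy <= set(p["conditions"]["clientAppTypes"])
               for p in policies)
```

Accounts that have never signed in carry no `lastSignInDateTime` and are deliberately skipped here; a real run should also review those against their creation date.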
Network:
- SD-WAN deployment connecting all three sites over encrypted tunnels
- VLAN segmentation separating clinical devices, staff devices, and guest Wi-Fi
- Enterprise-grade access points with WPA3 and certificate-based authentication
- Site-to-site VPN failover via 4G backup at each location
Endpoint Security:
- SentinelOne EDR deployed to every endpoint (workstations, laptops, shared kiosks)
- Device compliance policies — non-compliant devices blocked from accessing clinical systems
- BitLocker encryption enforced on all Windows devices
- Automated patching schedule for OS and third-party applications
Cliniko Integration:
- API access restricted to managed network IPs via Cliniko's IP allowlisting
- Service account credentials rotated to application-managed tokens
- Audit logging enabled for all patient record access
Phase 3: Governance & Handover (Week 6)
- Comprehensive documentation package delivered to practice management
- Staff training sessions at each site (security awareness, new login procedures)
- 24/7 monitoring and alerting configured via our SOC dashboard
- Monthly governance report cadence established
The Outcome
12 months post-deployment:
- Zero security incidents. No breaches, no ransomware attempts that bypassed EDR, no unauthorised access events.
- 99.97% uptime across all three sites. The only downtime was a planned maintenance window for a firmware upgrade.
- Microsoft 365 Secure Score: 84/100 — up from 31/100 at audit baseline.
- Staff satisfaction: The practice manager reported that "the new system just works. Nobody complains about IT anymore, which is the highest compliment."
- Compliance posture: The practice is now audit-ready for the Australian Privacy Act requirements regarding health records.
The monthly governance cadence means we catch configuration drift before it becomes a vulnerability. Every quarter, we re-run the security baseline and compare against the previous period.
Tech Stack
| Component | Solution |
|---|---|
| Identity | Microsoft Entra ID (Azure AD) with Conditional Access |
| Endpoint Protection | SentinelOne EDR |
| Network | SD-WAN with VLAN segmentation |
| Practice Management | Cliniko (API-secured) |
| Backup | Microsoft 365 backup + local NAS replication |
| Monitoring | Digital Sanctum SOC dashboard |
| Email Security | Microsoft Defender for Office 365 |
This project is part of our portfolio. Allied Health Network engaged Digital Sanctum under our Strategic Managed Services vertical.