Apparatus Bay Wi-Fi Is Not Station Wi-Fi: A Network Segmentation Story
I was on a station tour a few months ago and the chief pointed at the apparatus bay and said "the trucks pick up Wi-Fi when they pull in, so the crews can sync their ePCRs." I asked which network they joined. He said the same one the admin office uses. I asked if he had ever thought about separating them. He said he had not, and that is not a criticism of that chief. It is a common gap.
Most fire stations were wired for data long before mobile data terminals and ePCR tablets were standard equipment. The network grew around the building. The apparatus bay got a drop or an access point because the rigs needed connectivity. Nobody stopped to ask whether the rig's network should be the same as the chief's network.
It should not be.
Fire Station Network Segmentation Best Practices
The problem is a flat network. One broadcast domain where every device in the station can see every other device. The MDT on the rescue squad, the ePCR tablet in the medic unit, the chief's desktop, the HR workstation, and the crew's personal phones on the guest SSID are all on the same logical network.
That matters because apparatus bay devices have a different threat profile than office devices. An MDT spends its day connected to public hotspots, hospital Wi-Fi, and whatever network the truck parks near. It is exposed to environments you do not control. When it comes back to the station and reconnects, it brings that exposure with it. A flat network means a compromised MDT can talk to the admin server, scan the HR workstation, and attempt lateral movement into the CAD terminal. The attack surface is not the device itself but the network that trusts the device.
The fix is network segmentation. Separate VLANs for separate functions. The apparatus bay gets its own VLAN, the admin office gets its own VLAN, and guest devices get their own VLAN. Traffic between VLANs is controlled by access control lists. Nothing talks to anything unless a rule says it can.
VLAN Architecture for EMS Agencies
Three VLANs cover most station deployments.
Admin VLAN. This is the trusted zone for office workstations, the chief's computer, HR and finance systems and the CAD terminal. Access is restricted to agency-owned hardware with authenticated users. No guest devices and no rig devices.
Apparatus VLAN. This is the rig network for MDTs, ePCR tablets, onboard telemetry, and SCBA telemetry gateways. Devices on this VLAN can reach the ePCR cloud endpoint and the CAD server. They cannot reach the admin VLAN, the guest VLAN, or each other unless the application requires it.
Guest VLAN. This is for personal phones, crew laptops, and visitor devices. Internet access only with no access to any internal resource. Client isolation at the access point level prevents devices from seeing each other on the same VLAN.
The SSID strategy follows the same pattern. Three SSIDs mapped to three VLANs. Station_Admin for agency hardware with WPA3-Enterprise and certificate-based authentication. Station_Rigs for apparatus devices with the same authentication model, using a device certificate rather than a user credential, because MDTs and ePCR tablets are shared by whoever is on shift. Station_Guest with a PSK that rotates quarterly. With certificate authentication, a rig device cannot join the admin SSID even if a crew member tries, so the only wrong network it can land on is the guest one.
Securing ePCR Tablets on Station Wi-Fi
The ePCR tablet is the device that keeps me up at night. It is a clinical tool that carries PHI, often a consumer-grade tablet running a locked-down kiosk mode that may not get security patches on the same schedule as the rest of the agency's fleet. It is handled by crews who are focused on patient care, not on whether the device has joined the right network.
When that tablet comes back from a 12-hour shift and connects to the station Wi-Fi, it should not be on the same network as the server that stores the ePCR data. That sounds backwards. But the server is a controlled environment and the tablet is not. The tablet has been in and out of hospitals, connected to unknown access points, and handled by multiple people. It is the higher-risk endpoint.
The correct architecture puts the tablet on the apparatus VLAN and the ePCR server on the admin VLAN. The ACL between them allows HTTPS traffic from the tablet to the server's IP address on port 443. Nothing else. If the tablet is compromised, the attacker's reach from the tablet's IP range is exactly one port on one host: the ePCR application endpoint. The rest of the admin VLAN, the file shares, the HR workstation, and any management ports on the server itself are unreachable. That one open port is why the server still needs its own hardening and patching, but the blast radius is a single application interface instead of the whole building.
> "The Security Rule at 45 CFR 164.312(c)(1) requires implementing policies and procedures that protect electronic protected health information from improper alteration or destruction."
HIPAA Compliance for Fire Department Networks
HIPAA requires technical safeguards for ePHI. Network segmentation is a standard implementation of that requirement. An auditor will ask how you prevent unauthorized access to ePHI. If your answer is "we have a firewall at the internet edge," that is not enough. The firewall does not stop lateral movement inside the building, and the auditor wants to know what happens when a device on the apparatus bay is compromised. Can it reach the ePCR server or the admin workstation that has access to the ePCR database? The answer should be no. And you should be able to show the network diagram that proves it.
I wrote about this in a broader context in ImageTrend, ESO, and Zoll Online: A Security-Posture Evaluation Framework. The same principles apply at the station level. Segmentation is not a feature you add later. It is a design decision you make before the access points go in.
How to Isolate Apparatus Bay Wi-Fi from Office Network
The implementation is straightforward if you have managed switches and a firewall that supports VLANs.
1. Create the VLANs on the core switch and assign each one a unique subnet. Admin gets 10.0.10.0/24, apparatus gets 10.0.20.0/24, and guest gets 10.0.30.0/24.
2. Configure the access points to broadcast three SSIDs and map each SSID to its VLAN. Use 802.1X for the admin and apparatus SSIDs and a PSK for the guest SSID.
3. Configure the firewall rules. Allow apparatus VLAN to reach the ePCR server on port 443 and the CAD server on the required ports. Deny everything else between VLANs, with an explicit default-deny rule at the end of the inter-VLAN policy. Allow guest VLAN to reach the internet only. Give the admin VLAN explicit rules for the specific destinations it needs rather than an "allow any" rule. Write the rules as stateful so that return traffic for an allowed session passes without a reverse rule.
4. Test with a device on each VLAN. Confirm that the apparatus tablet can reach the ePCR endpoint and nothing else and that a guest phone cannot ping anything on the admin or apparatus subnets.
5. Document the architecture. The network diagram, the VLAN assignments and the ACL rules are what the auditor sees.
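The five steps above, and the tablet-to-server rule described in the ePCR section, come down to a short policy table: three subnets, a handful of accept rules, default deny. The following is an added example, not code from the original post or from any vendor: it encodes that policy in Python, simulates the step-4 test flows against it, and emits an equivalent nftables forward-chain ruleset for a Linux firewall. The subnets are the ones the article uses; the ePCR server address (10.0.10.50), the CAD server address (10.0.10.60), the CAD ports, and the sample client addresses are assumed for illustration.

```python
"""Three-VLAN station policy: encode subnets and ACL rules, simulate flows,
and render an nftables ruleset.  Added example; server addresses and CAD
ports below are assumptions, not values from the article."""
import ipaddress
from dataclasses import dataclass

# VLAN subnets from the article.
VLANS = {
    "admin": ipaddress.ip_network("10.0.10.0/24"),
    "apparatus": ipaddress.ip_network("10.0.20.0/24"),
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}
INTERNET = ipaddress.ip_network("0.0.0.0/0")

# Assumed server addresses on the admin VLAN and assumed CAD application ports.
EPCR_SERVER = ipaddress.ip_address("10.0.10.50")
CAD_SERVER = ipaddress.ip_address("10.0.10.60")
CAD_PORTS = (443, 8443)


def host(addr):
    """Wrap a single address as a /32 so it can be matched like a network."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: str                     # source VLAN name
    dst: ipaddress.IPv4Network   # destination network (/32 for a single host)
    proto: str                   # "tcp", "udp" or "any"
    ports: tuple                 # () means any destination port
    action: str                  # "accept" or "drop"


# First match wins; anything unmatched falls through to drop.
POLICY = [
    Rule("apparatus", host(EPCR_SERVER), "tcp", (443,), "accept"),
    Rule("apparatus", host(CAD_SERVER), "tcp", CAD_PORTS, "accept"),
    # Rig devices reach nothing else inside the building, but may sync to the cloud.
    *[Rule("apparatus", net, "any", (), "drop") for net in VLANS.values()],
    Rule("apparatus", INTERNET, "any", (), "accept"),
    # Guest devices get the internet and nothing internal.
    *[Rule("guest", net, "any", (), "drop") for net in VLANS.values()],
    Rule("guest", INTERNET, "any", (), "accept"),
    # Admin VLAN: list the destinations it actually needs; no "allow any".
    Rule("admin", INTERNET, "any", (), "accept"),
]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return the action the policy takes for one flow (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    src_vlan = next((name for name, net in VLANS.items() if src in net), None)
    if src_vlan is None:
        return "drop"
    for rule in POLICY:
        if rule.src != src_vlan or dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.ports and dport not in rule.ports:
            continue
        return rule.action
    return "drop"


# Step-4 checklist as constructed flows: (src, dst, proto, dport, expected).
CHECKS = [
    ("10.0.20.15", "10.0.10.50", "tcp", 443, "accept"),   # tablet -> ePCR HTTPS
    ("10.0.20.15", "10.0.10.50", "tcp", 22, "drop"),      # tablet -> ePCR SSH
    ("10.0.20.15", "10.0.10.20", "tcp", 445, "drop"),     # tablet -> HR workstation
    ("10.0.20.15", "10.0.30.7", "icmp", 0, "drop"),       # tablet -> guest device
    ("10.0.30.7", "10.0.10.50", "tcp", 443, "drop"),      # guest -> ePCR server
    ("10.0.30.7", "10.0.20.15", "icmp", 0, "drop"),       # guest -> tablet
    ("10.0.30.7", "93.184.216.34", "tcp", 443, "accept"), # guest -> internet
    ("10.0.10.5", "93.184.216.34", "tcp", 443, "accept"), # admin -> internet
]


def run_checks():
    """Return the flows whose simulated result differs from the expectation."""
    return [c for c in CHECKS if evaluate(*c[:4]) != c[4]]


def to_nftables():
    """Render POLICY as an nftables forward chain with a drop policy."""
    out = ["table inet station {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for r in POLICY:
        match = [f"ip saddr {VLANS[r.src]}"]
        if r.dst != INTERNET:
            match.append(f"ip daddr {r.dst}")
        if r.proto != "any" and r.ports:
            match.append(f"{r.proto} dport {{ {', '.join(map(str, r.ports))} }}")
        elif r.proto != "any":
            match.append(f"meta l4proto {r.proto}")
        out.append("    " + " ".join(match) + f" {r.action}")
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_nftables())
    print("failed checks:", run_checks())
```

The order of the list is the whole point: the two narrow accepts for the apparatus VLAN sit above the blanket drops for every internal subnet, so the tablet gets exactly one port on one host and nothing else, and the default-drop chain policy catches anything the table forgets. Running the checks before and after any rule change is the cheap version of step 4; the real test with a tablet and a phone on each SSID still has to happen.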
The Diagnostic Value
There is a specific moment in a security audit when the conversation shifts. The auditor asks about network segmentation. You pull out the diagram, show the three VLANs and the ACL rules, and explain that the apparatus bay is isolated from the admin network with ePCR traffic restricted to a single port on a single destination. The auditor writes it down and moves to the next question. The goal is having nothing to explain, not impressing anyone.
-- Steven
Frequently Asked Questions
Why is a guest password not enough to secure the station network?
A guest password controls who can join the network but not what devices can do once they are on it. On a flat network, any device can see any other device. Segmentation using VLANs, enforced by the switch and the firewall ACLs, means that even if a guest device is compromised, it cannot communicate with the admin or apparatus subnets. The separation is logical rather than physical, so it is only as strong as the ACLs behind it, which is why the rules and the test results belong in the documentation.
Will segmenting the apparatus bay network interfere with ePCR syncing?
No, as long as the ACLs are configured to allow traffic from the apparatus VLAN to the specific IP addresses or hostnames used by the ePCR provider. Cloud ePCR endpoints often sit behind load balancers or CDNs whose addresses change, so prefer FQDN-based firewall objects over hard-coded IPs where the firewall supports them, or the sync will break on the next address change. The goal is to restrict unnecessary traffic, not to block clinical data flow. Test the rules before deployment and confirm the tablets can sync.
What is the benefit of this architecture during a security audit?
It provides concrete evidence of technical safeguards. A network diagram showing separate VLANs with documented ACL rules is direct evidence toward the HIPAA Security Rule's access control and integrity standards. It also aligns with CJIS requirements for agencies that handle criminal justice data.
Do I need new hardware to set this up?
Not necessarily. Most managed switches and business-grade access points from the last five years support VLANs and multiple SSIDs. The firewall needs to support inter-VLAN routing with ACLs. If your current firewall is a basic home-grade unit, that will need to be replaced. But the switches and access points are probably already capable.
What happens when a truck connects to the wrong SSID?
The crew should not have to think about which network to join. Configure the MDT and ePCR tablet with the correct SSID and credentials during deployment. Use a configuration profile or MDM policy to enforce the connection. If a device joins the wrong network, the ACLs should prevent it from reaching anything sensitive. But the better approach is to make the wrong connection impossible through device configuration.
Need help with your agency’s cybersecurity? Get in touch