
Chapter 9

Juliet Capulet Rolls Out BYOD at Verona Health

Juliet Capulet, Security Awareness Trainer at Verona Health (a 4,000-employee regional hospital network), is the operational lead on a long-delayed BYOD program. Clinicians want to use their personal phones for secure messaging, on-call notifications, and EHR access at bedside. The CFO wants to stop buying corporate phones for every nurse. The CISO wants to make sure the next breach report does not name Verona Health.

The pre-rollout state is unsettling. Several hundred clinicians have already self-enrolled their phones in the EHR vendor's mobile app using only their Active Directory passwords — no MFA, no posture check, no way to know which devices are jailbroken or running an unpatched OS. The corporate WLAN is one flat SSID with a single shared PSK that has not rotated in three years; guest, BYOD, and the building's IoT cameras all share the same Layer-2 segment. Email security is similarly behind: SPF is set to soft-fail and there are no DKIM signatures or DMARC policy at all. The corporate recursive resolver has no validation enabled, so a downstream poisoned response would be accepted without question. The CMDB has not been reconciled with reality in over a year, and a recent ransomware tabletop exercise revealed that nobody could produce an accurate list of EHR-adjacent endpoints.

Juliet's six-month program must address all of this — endpoint posture for BYOD, wireless segmentation, email authentication, DNS integrity, change/asset discipline, and an honest plan for the legacy MRI workstation that runs Windows 7 and cannot be replaced for two years.

Complete Juliet's BYOD and network-hardening plan by selecting the correct option for each blank.

Juliet starts with policy. Legal drafts a BYOD acceptable-use agreement that grants Verona the right to remove only corporate data on demand — through a that leaves personal photos, contacts, and apps untouched. Every enrolling user e-signs the agreement before enrollment proceeds.

For the technology layer, the chosen platform is Microsoft Intune integrated with Entra ID. Each personal device is enrolled into a sandboxed work environment that keeps corporate data separated from personal apps — an approach generally called management. Sign-in to the EHR is gated by policies that require the device to be MDM-managed, encrypted, running a current OS, free of jailbreak/root, and reporting from the mobile EDR agent. A non-compliant device is blocked before authentication completes.
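The posture gate described above can be expressed as a small policy evaluator. The following Go program is an added example and is not code from the original problem or from Intune/Entra ID; the `DeviceReport` and `Policy` types, the sample devices and the 24-hour EDR heartbeat window are all constructed for illustration. It evaluates every control rather than stopping at the first failure, so the user and the SIEM both see the full list of reasons a device was blocked.

```go
package main

import "fmt"

// DeviceReport is a constructed stand-in for the compliance signals an MDM
// and a mobile EDR agent would report for one enrolled device.
type DeviceReport struct {
	ID            string
	MDMManaged    bool
	Encrypted     bool
	OSVersion     [3]int // major, minor, patch
	Jailbroken    bool
	EDRLastSeenHr int // hours since the EDR agent last reported; -1 = never
}

// Policy is the hypothetical access rule: minimum OS version and how stale an
// EDR heartbeat may be before the device is treated as unreporting.
type Policy struct {
	MinOS         [3]int
	MaxEDRStaleHr int
}

// osAtLeast compares version triples lexicographically.
func osAtLeast(have, want [3]int) bool {
	for i := 0; i < 3; i++ {
		if have[i] != want[i] {
			return have[i] > want[i]
		}
	}
	return true
}

// Evaluate returns the list of failed controls; an empty list means the sign-in
// may proceed. Every check runs so that all reasons are reported at once.
func Evaluate(p Policy, d DeviceReport) []string {
	var failures []string
	if !d.MDMManaged {
		failures = append(failures, "not MDM-managed")
	}
	if !d.Encrypted {
		failures = append(failures, "storage not encrypted")
	}
	if !osAtLeast(d.OSVersion, p.MinOS) {
		failures = append(failures, "OS below minimum version")
	}
	if d.Jailbroken {
		failures = append(failures, "jailbreak/root detected")
	}
	if d.EDRLastSeenHr < 0 || d.EDRLastSeenHr > p.MaxEDRStaleHr {
		failures = append(failures, "EDR agent not reporting")
	}
	return failures
}

// Allowed is the single yes/no the identity provider needs before it finishes
// authentication; the block happens here, before any credential is accepted.
func Allowed(p Policy, d DeviceReport) bool { return len(Evaluate(p, d)) == 0 }

func main() {
	policy := Policy{MinOS: [3]int{17, 2, 0}, MaxEDRStaleHr: 24}
	// Constructed sample reports: one compliant phone, one that fails three controls.
	devices := []DeviceReport{
		{ID: "nurse-ios-01", MDMManaged: true, Encrypted: true, OSVersion: [3]int{17, 4, 1}, EDRLastSeenHr: 2},
		{ID: "nurse-android-07", MDMManaged: true, Encrypted: true, OSVersion: [3]int{12, 0, 0}, Jailbroken: true, EDRLastSeenHr: -1},
	}
	for _, d := range devices {
		fmt.Printf("%s allowed=%v failures=%v\n", d.ID, Allowed(policy, d), Evaluate(policy, d))
	}
}
```

The design point is that the decision is made from signals the device cannot forge on its own (MDM enrolment state and the EDR heartbeat come from the management and EDR back ends, not from the phone), and that the gate sits in front of authentication, so a blocked device never reaches the point where a password or token is exchanged.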

Juliet replaces the EHR app's password-only login with hardware-backed authentication, using the user's device-bound private key to sign a server challenge so that a stolen credential database yields nothing replayable.
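The challenge-response exchange above, as an added example that is not part of the original problem and does not reproduce any vendor's protocol: the server issues a random nonce bound to its origin and an issue time, the device signs the digest with a P-256 key that never leaves it, and the server verifies with the stored public key. The origin string is a constructed placeholder. Because the server holds only public keys, a dump of its credential store contains nothing that can produce a fresh signature, and because each challenge is single-use and time-bounded, a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the EHR server sends: a random nonce, the origin it was
// issued for, and an issue time so stale or replayed challenges are rejected.
type Challenge struct {
	Nonce    [32]byte
	Origin   string
	IssuedAt time.Time
}

// NewChallenge mints a fresh challenge for one sign-in attempt.
func NewChallenge(origin string, now time.Time) (Challenge, error) {
	var c Challenge
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return c, err
	}
	c.Origin, c.IssuedAt = origin, now
	return c, nil
}

// digest binds nonce, origin and issue time into the message the device signs,
// so a signature for one origin or one moment cannot be reused for another.
func digest(c Challenge) []byte {
	h := sha256.New()
	h.Write(c.Nonce[:])
	h.Write([]byte(c.Origin))
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.IssuedAt.Unix()))
	h.Write(ts[:])
	return h.Sum(nil)
}

// Sign is the device side: only the private key in the secure element ever
// sees the challenge; nothing long-lived leaves the device.
func Sign(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c))
}

// Verify is the server side. The server stores only the public key, so a
// stolen credential database yields nothing that can produce a signature.
func Verify(pub *ecdsa.PublicKey, c Challenge, sig []byte, now time.Time, maxAge time.Duration) error {
	if now.Sub(c.IssuedAt) > maxAge {
		return errors.New("challenge expired")
	}
	if !ecdsa.VerifyASN1(pub, digest(c), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	// Constructed demo: at enrolment the device generates a P-256 key pair and
	// registers only the public half. The origin is a placeholder.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	c, _ := NewChallenge("https://ehr.hospital.example", now)
	sig, _ := Sign(priv, c)
	fmt.Println("fresh sign-in:", Verify(&priv.PublicKey, c, sig, now.Add(5*time.Second), time.Minute))
	// Replaying the captured signature against a new challenge fails.
	c2, _ := NewChallenge("https://ehr.hospital.example", now)
	fmt.Println("replayed signature:", Verify(&priv.PublicKey, c2, sig, now.Add(5*time.Second), time.Minute))
}
```

In a real deployment the server would also record each nonce until it expires so that the same challenge cannot be answered twice, and would tie the challenge to the authenticated session that requested it; the example keeps the time bound and origin binding, which are the parts the paragraph is about.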

On the wireless side, Juliet decommissions the single flat SSID. The new design maps four SSIDs — Corp, BYOD, Guest, and IoT-Cameras — to segments with distinct ACLs enforced at the wireless controller. Corp and BYOD use WPA3-Enterprise with EAP-TLS; Guest uses a captive portal with client isolation; the IoT-Cameras SSID is locked to egress-only firewall rules toward the vendor cloud. A wireless sensor continuously watches for rogue access points and evil-twin SSIDs in the clinical spaces.

For outbound email, Juliet publishes proper SPF, signs every message with keys whose public halves are published in DNS, and brings the domain's DMARC policy from p=none to so that mailers receiving spoofed Verona Health messages will refuse delivery rather than just reporting the failure.
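To show what a receiving mailer does with the DMARC record, here is an added Go example (not code from the original problem or from any mail product) that parses a `_dmarc` TXT record and applies it to a message's SPF and DKIM results. It handles all three policy values and both alignment modes in general, not only the case in the text; the `hospital.example` and `attacker.example` domains are constructed placeholders, and the organizational-domain cut is simplified to the last two labels where a real receiver would consult the Public Suffix List.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DMARCRecord holds the tags this example understands from a _dmarc TXT record.
type DMARCRecord struct {
	Policy string // none, quarantine or reject
	ADKIM  string // r (relaxed) or s (strict) DKIM alignment
	ASPF   string // r or s SPF alignment
}

// ParseDMARC parses a record such as "v=DMARC1; p=quarantine; adkim=s".
func ParseDMARC(txt string) (DMARCRecord, error) {
	rec := DMARCRecord{ADKIM: "r", ASPF: "r"} // relaxed is the RFC default
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return rec, errors.New("not a DMARC1 record")
	}
	switch tags["p"] {
	case "none", "quarantine", "reject":
		rec.Policy = tags["p"]
	default:
		return rec, errors.New("missing or invalid p= tag")
	}
	if v, ok := tags["adkim"]; ok {
		rec.ADKIM = v
	}
	if v, ok := tags["aspf"]; ok {
		rec.ASPF = v
	}
	return rec, nil
}

// orgDomain is a simplified organizational-domain cut (last two labels).
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) <= 2 {
		return strings.ToLower(d)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// aligned checks the authenticated domain against the From domain.
func aligned(mode, authDomain, fromDomain string) bool {
	if mode == "s" {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// AuthResult is what the receiver learned about one message.
type AuthResult struct {
	FromDomain string // RFC5322.From domain the user sees
	SPFPass    bool
	SPFDomain  string // MAIL FROM domain SPF was evaluated against
	DKIMPass   bool
	DKIMDomain string // d= of a signature that verified
}

// Disposition applies the record: a message passes DMARC if either SPF or
// DKIM passes with an aligned domain; otherwise the p= policy decides.
func Disposition(rec DMARCRecord, r AuthResult) string {
	spfOK := r.SPFPass && aligned(rec.ASPF, r.SPFDomain, r.FromDomain)
	dkimOK := r.DKIMPass && aligned(rec.ADKIM, r.DKIMDomain, r.FromDomain)
	if spfOK || dkimOK {
		return "deliver"
	}
	switch rec.Policy {
	case "reject":
		return "reject"
	case "quarantine":
		return "quarantine"
	}
	return "deliver (report only)"
}

func main() {
	// Constructed records and a spoofed message: SPF passes, but for the
	// attacker's own MAIL FROM domain, so it is not aligned with the From header.
	spoof := AuthResult{FromDomain: "hospital.example", SPFPass: true, SPFDomain: "attacker.example"}
	for _, txt := range []string{"v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject; adkim=s"} {
		rec, _ := ParseDMARC(txt)
		fmt.Printf("%-30s spoofed message -> %s\n", txt, Disposition(rec, spoof))
	}
}
```

The spoofed message in `main` is the case that matters for the rollout: the attacker's SPF passes for a domain they control, so only the alignment check and the published policy stand between the message and the clinician's inbox.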

On DNS, the corporate resolver is reconfigured to validate signatures so that forged answers from a poisoned upstream are rejected, and the recursive resolver begins for known malicious domains — redirecting blocked queries to a controlled address that also alerts the SIEM when an internal host attempts the lookup.
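The blocklist-and-redirect half of that paragraph, as an added Go example that is not code from the original problem or from any resolver product: a response-policy layer sits in front of recursion, answers queries for blocked names (and their subdomains) with the controlled sinkhole address, and records an alert carrying the client address so the SIEM learns which internal host made the lookup. The blocklist entries and IP addresses are constructed and use documentation ranges; the upstream lookup is a stub standing in for the validating recursion the example does not implement.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is the event handed to the SIEM when an internal host asks for a
// blocked name; the lookup itself is the indicator worth investigating.
type Alert struct {
	Client string
	QName  string
	Rule   string
}

// Sinkhole is a minimal response-policy layer in front of recursion.
type Sinkhole struct {
	Address string              // controlled address returned for blocked names
	rules   map[string]struct{} // blocked names, lower-cased, no trailing dot
	Alerts  []Alert             // what would be shipped to the SIEM
}

func NewSinkhole(addr string, blocked []string) *Sinkhole {
	s := &Sinkhole{Address: addr, rules: map[string]struct{}{}}
	for _, b := range blocked {
		s.rules[strings.ToLower(strings.TrimSuffix(b, "."))] = struct{}{}
	}
	return s
}

// match walks the name one label at a time so that a rule for bad.example
// also covers cdn.bad.example but not notbad.example; returns the rule hit.
func (s *Sinkhole) match(qname string) (string, bool) {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	for name != "" {
		if _, ok := s.rules[name]; ok {
			return name, true
		}
		i := strings.IndexByte(name, '.')
		if i < 0 {
			break
		}
		name = name[i+1:]
	}
	return "", false
}

// Resolve returns the A record the client receives. recurse stands in for the
// upstream validating lookup and is only consulted for unblocked names.
func (s *Sinkhole) Resolve(client, qname string, recurse func(string) string) string {
	if rule, ok := s.match(qname); ok {
		s.Alerts = append(s.Alerts, Alert{Client: client, QName: qname, Rule: rule})
		return s.Address
	}
	return recurse(qname)
}

func main() {
	// Constructed blocklist and upstream stub; all addresses are documentation ranges.
	s := NewSinkhole("192.0.2.1", []string{"bad.example", "c2.invalid"})
	upstream := func(n string) string { return "203.0.113.10" }
	for _, q := range []string{"www.hospital.example", "cdn.bad.example", "c2.invalid."} {
		fmt.Printf("%-22s -> %s\n", q, s.Resolve("10.20.30.40", q, upstream))
	}
	for _, a := range s.Alerts {
		fmt.Printf("SIEM alert: client=%s qname=%s rule=%s\n", a.Client, a.QName, a.Rule)
	}
}
```

Returning a controlled address rather than NXDOMAIN is what makes the sinkhole useful for response: the host's follow-on connection goes to an address the SOC owns, so the alert can be correlated with a network flow instead of a bare failed lookup.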

The ransomware tabletop's painful lesson — that nobody could enumerate EHR-adjacent endpoints — is addressed by reconciling the weekly against the cloud provider's inventory APIs, Active Directory, and the EDR console. Every change to production passes through a formal process with documented approval, scheduled window, and rollback plan, rather than the ad-hoc 'just push it' culture that had grown up over the years.
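The weekly reconciliation can be reduced to set comparisons once every source's hostnames are normalised. This Go example is added here and is not code from the original problem or from any CMDB or EDR product; the inventories, the `verona.local` suffix and the hostnames are constructed. It flags the three findings the tabletop exposed the need for: hosts a live source sees but the CMDB does not, CMDB entries no live source can see, and known live hosts the EDR console has never reported.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Inventory is one source's view of hostnames, normalised to lower case with
// any domain suffix removed so that "MRI-WS01.verona.local" and "mri-ws01" match.
type Inventory map[string]struct{}

func NewInventory(hosts ...string) Inventory {
	inv := Inventory{}
	for _, h := range hosts {
		inv[normalise(h)] = struct{}{}
	}
	return inv
}

func normalise(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	if i := strings.IndexByte(h, '.'); i > 0 {
		h = h[:i]
	}
	return h
}

// Findings is the reconciliation output the asset team works from each week.
type Findings struct {
	Unknown []string // seen by a live source but absent from the CMDB
	Stale   []string // in the CMDB but seen by no live source
	NoEDR   []string // known and live, but the EDR console has never seen it
}

// Reconcile compares the CMDB with every live source. Anything live that the
// CMDB lacks is the dangerous case: it is real, reachable and unmanaged.
func Reconcile(cmdb Inventory, live map[string]Inventory, edr Inventory) Findings {
	seen := Inventory{}
	for _, inv := range live {
		for h := range inv {
			seen[h] = struct{}{}
		}
	}
	for h := range edr {
		seen[h] = struct{}{}
	}
	var f Findings
	for h := range seen {
		if _, ok := cmdb[h]; !ok {
			f.Unknown = append(f.Unknown, h)
		}
	}
	for h := range cmdb {
		if _, ok := seen[h]; !ok {
			f.Stale = append(f.Stale, h)
		} else if _, ok := edr[h]; !ok {
			f.NoEDR = append(f.NoEDR, h)
		}
	}
	sort.Strings(f.Unknown)
	sort.Strings(f.Stale)
	sort.Strings(f.NoEDR)
	return f
}

func main() {
	// Constructed inventories standing in for the CMDB export, the cloud
	// provider's inventory API, an Active Directory computer list and the EDR console.
	cmdb := NewInventory("ehr-app01", "ehr-db01", "mri-ws01", "retired-ws09")
	live := map[string]Inventory{
		"cloud": NewInventory("ehr-app01", "ehr-app02"),
		"ad":    NewInventory("EHR-APP01.verona.local", "EHR-DB01.verona.local", "MRI-WS01.verona.local", "nurse-kiosk03.verona.local"),
	}
	edr := NewInventory("ehr-app01", "ehr-app02", "ehr-db01")
	f := Reconcile(cmdb, live, edr)
	fmt.Printf("unknown to CMDB: %v\nstale in CMDB: %v\nno EDR coverage: %v\n", f.Unknown, f.Stale, f.NoEDR)
}
```

The normalisation step matters more than it looks: most reconciliation failures in practice come from the same machine appearing as a short name in one export and a fully qualified name in another, which makes every source look out of sync and buries the real unknowns.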

Finally, the Windows 7 MRI workstation cannot be upgraded without breaking the medical-device vendor's FDA support certification and cannot be replaced for two years. Juliet treats it as a legacy enclave: isolated VLAN with default-deny ACLs, application allowlisting, no internet egress, jump-host-only administrative access, and continuous logging into the SIEM. The MITRE ATT&CK technique most likely to be attempted against its credential store from any compromised neighbor — extracting NTLM hashes and Kerberos tickets from LSASS memory — is , and the host firewall plus tamper-protected EDR posture is sized specifically to detect and block it.