An attacker tries to reach patient data through layers: WAF, gateway auth, service authorization, network isolation, DB permissions, encryption. Toggle layers on and off and watch how far the attack gets when one fails.
Turn off WAF and gateway auth and attack: service authz still stops it. Keep turning layers off one by one; only when the last one falls does the attacker reach the data.
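
The toggle behaviour described above, as an added sketch that is not the page's own widget code. It assumes the layers are hit in the order listed and that any enabled layer fully stops the attack; the function names are hypothetical.

```javascript
// Added illustration, not the page's widget code. Layer names come from the
// page; the model assumes an enabled layer always blocks the attack.
const LAYERS = [
  "WAF",
  "gateway auth",
  "service authorization",
  "network isolation",
  "DB permissions",
  "encryption",
];

// Walk the layers in order; the attack stops at the first enabled one.
// `disabled` is a Set of layer names that are switched off.
function simulateAttack(disabled = new Set()) {
  for (const name of disabled) {
    if (!LAYERS.includes(name)) throw new Error(`unknown layer: ${name}`);
  }
  const passed = [];
  for (const layer of LAYERS) {
    if (!disabled.has(layer)) {
      return { reachedData: false, stoppedBy: layer, passed };
    }
    passed.push(layer);
  }
  return { reachedData: true, stoppedBy: null, passed };
}

// Enumerate every on/off combination and count those that expose the data.
function countExposedConfigs() {
  let exposed = 0;
  for (let mask = 0; mask < 1 << LAYERS.length; mask++) {
    const disabled = new Set(LAYERS.filter((_, i) => mask & (1 << i)));
    if (simulateAttack(disabled).reachedData) exposed++;
  }
  return exposed;
}

// The page's scenario: WAF and gateway auth off, everything else on.
console.log(simulateAttack(new Set(["WAF", "gateway auth"])));
console.log(
  `${countExposedConfigs()} of ${1 << LAYERS.length} configurations expose the data`
);
```

Under this model a layer that is switched off behind an enabled one changes nothing, which is why only the all-off configuration exposes the data.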