What are the key network security controls you would implement to isolate a subnet containing highly sensitive clinical data?