For months, all of my tools lived inside the building.

They ran on a small server in the hospital, on our own internal network. You could only reach them if you were physically connected to that network — sitting at a hospital desk, on hospital Wi-Fi. To anyone on the outside, they didn’t exist. No address, no door, no way in.

I told myself that was the safest possible setup. Nothing ever left. Nothing could get in. And I meant it. Early on, a senior colleague had told me about a place that got hit by an attacker from the outside who locked their entire server and held it for ransom. That story stuck with me. So I’d promised, out loud, that my tools would stay inside. The door to the outside would stay shut.

Then I had to open it.

A demo I couldn’t show

I’d arranged to meet someone in person to show them what I’d built. I wanted to bring something real, not just talk. So I picked the tool I was proudest of — an inventory and supplies tool I’d called EasyFS. It had the most data and the most hours of my life in it.

We met in a hospital meeting room. I opened my laptop. And I hit a wall.

The meeting room had no wired connection, so I had to use Wi-Fi. But that Wi-Fi wasn’t connected to our internal network. So there I was, sitting inside the hospital, unable to reach a tool that only ran inside the hospital. The data was sitting right there, in the same building, a few walls away. I couldn’t touch it.

The only way to reach something inside the building was to go all the way out and come back around. To show my tool, I had to make it reachable from the outside.

And that meant opening the exact door I’d promised to keep shut.

The promise I had to break

I was scared. Honestly scared.

The ransomware story replayed in my head. If I opened the wrong door and something like that happened to us, it would be my fault. Not a vendor’s, not some smart engineer’s at a faraway company. Mine.

So the question narrowed down to one thing: how do I get to the outside as safely as possible?

I did what I always do. I started asking. Is this method safe? What about that one? I asked and compared and asked again. The answer I kept landing on was Cloudflare.

It builds a protected tunnel so traffic can move between the outside world and your own server without exposing it directly. The more I read, the less I believed it. It was supposed to be seriously secure — and it was free. Free? I checked that a few times.

Following instructions that didn’t match the screen

The hard part wasn’t deciding. It was the setup.

I worked through it with Gemini, asking it what to click next. But the screen it described kept not matching the screen in front of me. The menu it told me to find wasn’t there. The button had a different name. For a while I thought I was the one doing something wrong.

Then it clicked. The AI had learned from an older version. Cloudflare had changed its interface since then, and the AI didn’t know. It was confidently describing a screen that no longer existed.

That’s a thing worth knowing early: an AI can be completely sure and completely out of date at the same time — so when its instructions don’t match reality, trust the screen in front of you, not the AI.

So I felt my way through. Build the tunnel. Attach an address. I’d think I was done, and the connection would fail. I’d hunt for the mistake, fix it, get blocked again, fix it again. After a long stretch of fumbling, it finally happened: EasyFS opened from outside the hospital.

For the first time, one of my tools had gone over the wall.

One door opens, and the work changes

Once it worked, I realized this wasn’t a one-time demo trick.

If staff could reach the tool from outside, they could check supplies from their own phones, anywhere. I’d been imagining QR codes stuck on each item — scan one with your phone and that item’s information pops up. That whole idea only worked if the tool was reachable from the outside. So while I was in there, I built the QR lookup too.

By then it was clear I needed a real address. Not a tangle of network settings, but a proper name people could type and find. I went to one of our directors, explained why it mattered, and we bought a domain on the spot. For the first time, we had our own address on the open internet.

My tools, which had lived so safely inside, had taken one step toward the outside world. And that was the moment I started taking security seriously for the first time. When nothing ever leaves the building, you don’t have to think about who might be knocking. The moment you open one door, you do.

A few days later, I walked through that door and met someone on the other side. But that’s the next story.