1. Palo Alto Networks, "Zero Trust Enterprise: An Implementation Guide": This guide outlines the methodology for implementing Zero Trust. Step 2, "Map the Transaction Flows," and Step 3, "Architect a Zero Trust Network," emphasize using a Segmentation Gateway (a Next-Generation Firewall) to create microsegments and enforce policy. Using an existing core firewall fulfills this role cost-effectively. (See "The Zero Trust Five-Step Methodology," pages 6-9).
2. Palo Alto Networks, PAN-OS® Administrator’s Guide 10.2, "Security Zones": "Zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses your network... By default, traffic between interfaces in the same zone is allowed and traffic between interfaces in different zones is denied. To allow traffic to flow between different zones, you must configure a Security policy rule." This directly supports using zones on an existing firewall for segmentation and enforcement.
3. Palo Alto Networks, "What Is Network Segmentation?": "Network segmentation firewalls divide a network into zones with individual security controls for each zone... A segmentation firewall enforces security policies on all traffic that moves between zones." This document establishes the firewall as the primary tool for creating and enforcing policy between network segments, which is the core of the solution in option C.
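
The zone behaviour quoted in reference 2, modelled as a small policy evaluator. This is an added example, not Palo Alto Networks code and not PAN-OS configuration syntax; the interface, zone, application and rule names are constructed, and first-match rule ordering is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    app: str       # application label, or "any"
    action: str    # "allow" or "deny"

class ZoneFirewall:
    """Toy segmentation gateway: interfaces are grouped into zones and
    explicit rules are checked before the defaults from the quoted text."""
    def __init__(self, iface_zone, rules):
        self.iface_zone = iface_zone   # interface name -> zone name
        self.rules = rules             # ordered, first match wins (assumption)
        self.log = []                  # every decision is recorded

    def evaluate(self, in_iface, out_iface, app):
        src, dst = self.iface_zone[in_iface], self.iface_zone[out_iface]
        verdict = None
        for r in self.rules:
            if (r.from_zone, r.to_zone) == (src, dst) and r.app in ("any", app):
                verdict = (r.action, r.name)
                break
        if verdict is None:
            # Defaults: same zone is allowed, different zones are denied.
            verdict = (("allow", "default-same-zone") if src == dst
                       else ("deny", "default-different-zone"))
        self.log.append((src, dst, app) + verdict)
        return verdict

def sample_firewall():
    # Constructed sample: two user interfaces share a zone, servers sit apart.
    ifaces = {"eth1": "users", "eth2": "users", "eth3": "servers"}
    rules = [
        # Explicit same-zone rule tightens the permissive default.
        Rule("block-lateral-rdp", "users", "users", "rdp", "deny"),
        # Traffic between zones needs an explicit rule, and only one way.
        Rule("users-to-web", "users", "servers", "https", "allow"),
    ]
    return ZoneFirewall(ifaces, rules)

if __name__ == "__main__":
    fw = sample_firewall()
    for flow in [("eth1", "eth2", "smb"), ("eth1", "eth2", "rdp"),
                 ("eth1", "eth3", "https"), ("eth1", "eth3", "ssh"),
                 ("eth3", "eth1", "https")]:
        print(flow, "->", fw.evaluate(*flow))
```

The same-zone default is why interfaces that should not trust each other belong in separate zones, or need an explicit deny rule like the one in the sample.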