TL;DR: Sixty percent of health systems cannot adequately protect unpatchable, agentless medical devices, while 40% say fear of clinical disruption blocks microsegmentation adoption and 78% rank breach or ransomware prevention as the top buying criterion, according to Elisity and HIMSS Market Insights. The data shows healthcare security teams are not short on intent, but on deployment models that preserve uptime while reducing lateral movement risk.
At a glance
What this is: This survey finds healthcare leaders want microsegmentation for medical device security, but fear of clinical disruption is slowing adoption and leaving unpatchable devices exposed.
Why it matters: It matters to IAM, NHI, and security teams because the same governance problem appears whenever control design must follow identity and policy without breaking operational continuity.
By the numbers:
- 60% of health systems cannot adequately protect unpatchable, agentless medical devices.
- 40% cite fear of clinical disruption as the top barrier to microsegmentation adoption.
- 78% rate proven breach or ransomware prevention as the most important decision criterion.
- 46% report cyber insurance carriers now request segmentation controls at renewal.
👉 Read Elisity's HIMSS 2026 microsegmentation survey findings
Context
Microsegmentation is the practice of limiting east-west traffic so compromise in one part of a network does not spread unchecked. In healthcare, that problem is harder because many devices are unpatchable, agentless, and operationally critical, which makes the traditional trade-off between security and uptime feel unavoidable. The primary keyword here is microsegmentation, but the real governance issue is whether policy can follow device identity without forcing clinical disruption.
That makes this report relevant beyond network design. Healthcare is a useful stress test for identity-based control, because device visibility, policy scope, and continuous enforcement all matter when the environment includes medical devices, IoMT assets, and third-party operational dependencies. The same tension shows up in NHI and workload governance: controls fail when they require a change model the business cannot absorb.
Key questions
Q: What breaks when microsegmentation is not designed for clinical environments?
A: Microsegmentation breaks when it assumes the network can be reworked faster than patient care can tolerate. In hospitals, that can mean blocked workflows, stalled rollouts, and exceptions that leave critical devices effectively unprotected. The failure mode is not the control itself, but the deployment model that demands too much operational change.
Q: Why does microsegmentation matter for unpatchable medical devices?
A: Unpatchable devices need compensating controls because the normal fix cycle does not exist. Microsegmentation reduces the blast radius of compromise by limiting lateral movement around those devices, which is especially important when the endpoint cannot run an agent or be safely reconfigured. In practice, it becomes the main containment layer.
Q: How do security teams know whether segmentation is actually working?
A: Teams should look for three signals: reduced lateral movement, fewer unintended device communications, and policies that can be enforced without workflow disruption. If visibility is incomplete or too many exceptions accumulate, the segmentation programme is probably cosmetic rather than operational. Real effectiveness shows up in containment, not policy count.
Q: Who is accountable when segmentation is delayed by operational risk?
A: Accountability usually sits across security, infrastructure, and operations because each owns part of the trade-off. In regulated environments, leadership must decide whether the risk of disruption is greater than the risk of lateral movement and ransomware spread. That decision should be documented as part of resilience and insurance governance.
Technical breakdown
Why legacy segmentation struggles with medical device security
Legacy segmentation relies on infrastructure changes such as VLAN restructuring, ACLs, firewall rule management, NAC tuning, and sometimes re-IPing devices. In hospital environments, each change introduces risk because clinical systems often run continuously and many devices were never designed for frequent network reconfiguration. That is why segmentation projects become slow, expensive, and politically difficult. The technical problem is not that segmentation is ineffective, but that conventional deployment models assume downtime windows and device flexibility that healthcare does not have.
Practical implication: design segmentation around policy and identity, not network re-architecture.
How identity-based microsegmentation changes enforcement
Identity-based microsegmentation separates the security policy layer from the underlying network. Instead of tying access to IP address or subnet location, policy follows device identity and communication intent. That lets teams enforce least-privilege network paths across IT, IoT, OT, and IoMT without installing agents on every device or rebuilding switching fabric. For healthcare, the architectural value is that protection can be applied to unpatchable devices while preserving clinical workflows and operational continuity.
Practical implication: map policies to device identity and traffic patterns before enforcing east-west restrictions.
Why simulation and visibility matter before enforcement
Microsegmentation fails operationally when teams cannot predict the effect of a policy change. Simulation, discovery, and traffic analysis reduce that risk by showing which communications are legitimate before blocking them. In environments with thousands of devices, visibility is not a nice-to-have, it is the precondition for safe enforcement. Continuous monitoring also exposes lateral movement attempts and policy drift, which are critical in ransomware scenarios where a single endpoint becomes a launch point for broader spread.
Practical implication: validate policies against real traffic before rollout and keep monitoring continuous after enforcement.
Threat narrative
Attacker objective: The attacker wants to turn one foothold into widespread operational disruption by spreading across clinical environments before defenders can contain it.
- Entry begins with a compromised endpoint or exposed device on a flat hospital network.
- Escalation occurs as the attacker moves laterally through permissive east-west communication paths and reaches clinical or administrative systems.
- Impact follows when ransomware or destructive activity disrupts patient care, encrypts shared services, or forces downtime across facilities.
NHI Mgmt Group analysis
Implementation Paradox: healthcare security teams are not rejecting microsegmentation because they doubt the control. They are rejecting deployment models that threaten uptime, staffing, and clinical workflow. That creates a governance gap where the right control exists in theory but remains unused in practice. Practitioners should treat this as a deployment-design failure, not a security-awareness problem.
Clinical disruption is a control-selection criterion, not just an operational concern: when 40% of leaders cite disruption as the blocker, the question becomes whether the control can be enforced without re-plumbing the environment. That makes simulation, identity-aware policy, and phased rollout part of the control itself. Teams should evaluate segmentation tools by whether they reduce change risk, not just by whether they promise isolation.
Microsegmentation is becoming part of resilience governance: cyber insurance, breach prevention, and patient safety are converging on the same requirement, which is demonstrable containment. In healthcare, the security conversation is no longer limited to perimeter defence or patching cycles. Practitioners should align segmentation planning with resilience, auditability, and recovery objectives.
Identity-based network policy is the most durable model for unmanaged devices: when devices cannot host agents and cannot be reconfigured often, access policy has to move closer to identity and traffic intent. This is the same design logic that underpins NHI governance in other domains. The practitioner takeaway is straightforward: controls that depend on constant device change will fail in environments built for continuity.
Policy automation is now a scale requirement: the survey shows health systems are balancing thousands of devices, limited staff, and growing insurer scrutiny. That combination makes manual policy writing a bottleneck, not a safeguard. Security teams should treat automation, simulation, and enforcement telemetry as core operating capabilities, not optional conveniences.
What this signals
Implementation paradox is a useful concept for healthcare security teams: the blocker is not conceptual disagreement about segmentation, it is the operational cost of applying it safely. That pattern is familiar across identity programmes too, where controls fail when they are designed without regard for workflow, system criticality, and change tolerance. The practical response is to treat deployment friction as a control-design issue, not an excuse to defer governance.
For identity-led programmes, the lesson is that policy precision only matters if enforcement can be absorbed by the environment. That is why controls around non-human identity security and other access-heavy domains increasingly need simulation, evidence, and phased rollout. The governance bar is shifting from intent to provable containment.
Health systems that cannot demonstrate segmentation outcomes will find it harder to satisfy both auditors and insurers. The same logic applies in identity programmes: if you cannot show who or what is allowed to connect, and how that boundary is enforced, the control remains aspirational. For practitioners, this is a sign to invest in evidence generation as part of the operating model.
For practitioners
- Prioritise identity-based segmentation for unpatchable devices Start with the medical devices and operational systems that cannot tolerate agents, re-IPing, or frequent maintenance windows. Build policy around device identity and approved communications, then phase enforcement only after validation against live traffic.
- Use simulation before blocking clinical traffic Run segmentation policies in a non-enforcing mode first, compare the results with real traffic, and review exceptions with biomedical and clinical teams before turning on enforcement. This reduces the risk of patient-care disruption.
- Treat east-west visibility as a standing requirement Continuously monitor lateral movement, policy violations, and unmanaged device communications so you can detect drift before an incident forces a manual exception. Pair that with inventory accuracy across IT, IoT, and IoMT assets.
- Build insurer-ready evidence into the rollout plan Document the controls, policy simulations, and enforcement outcomes in a form that supports renewal conversations. Use the same evidence to show progress to risk, compliance, and operational stakeholders.
- Align segmentation with resilience objectives Frame segmentation as a containment and continuity capability, not only a security project. Tie rollout milestones to downtime reduction, recovery confidence, and breach containment objectives so the programme survives operational scrutiny.
Key takeaways
- Healthcare microsegmentation fails when the deployment model creates more operational risk than the lateral movement risk it is meant to reduce.
- The survey shows a clear gap between intent and execution, with unpatchable devices, disruption fears, and insurer pressure all shaping buying decisions.
- Identity-based policy, simulation, and continuous visibility are the controls most likely to make containment practical in clinical environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Microsegmentation is an access control and segmentation problem in the healthcare network. |
| NIST SP 800-53 Rev 5 | AC-4 | The article is fundamentally about enforcing information flow restrictions across clinical networks. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | The survey centres on segmentation, visibility, and network control in operational environments. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0040 , Impact | The article repeatedly cites lateral movement and ransomware impact as the main threat pattern. |
| ISO/IEC 27001:2022 | A.8.20 | Secure network services and traffic control are directly implicated by healthcare microsegmentation. |
Map device communications to PR.AC-4 and restrict east-west paths to approved identity-bound flows.
Key terms
- Microsegmentation: Microsegmentation is a way of limiting network traffic between small sets of systems so compromise cannot spread widely. In practice, it enforces granular communication rules across devices, applications, or workloads, often using identity and policy rather than broad network zones.
- Lateral Movement: Lateral movement is the stage of an attack where an intruder moves from the initial foothold to other systems inside the environment. In hospitals and other distributed networks, it is often the step that turns a single compromise into a wider operational incident.
- IoMT: IoMT means Internet of Medical Things, the connected medical devices and systems used in clinical care. These devices often have long lifecycles, limited patchability, and strict uptime requirements, which makes compensating controls such as segmentation especially important.
- Identity-Based Policy: Identity-based policy is a control model that grants or blocks communication based on a device or workload identity instead of its IP address or network location. It is useful when assets move, scale, or cannot be managed through conventional network reconfiguration.
What's in the full report
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Survey cross-tabs by role, organisation size, and decision authority across the 50 healthcare leaders surveyed
- Deployment examples showing how identity-based microsegmentation was rolled out without changing clinical network architecture
- ROI breakdowns that separate breach prevention, downtime avoidance, audit effort, and insurance outcomes
- Practical discussion of how policy simulation and enforcement were used to reduce change risk
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners building durable identity controls across complex environments.
Published by the NHIMG editorial team on 2026-03-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org