By NHI Mgmt Group Editorial TeamPublished 2026-02-25Domain: Cyber SecuritySource: Elisity

TL;DR: Southern Illinois Healthcare moved from zero to full wired-network microsegmentation across four hospitals and roughly 400 beds using three resources, after building device visibility, simulation-based enforcement, and staged rollout patterns, according to Elisity. The lesson is that healthcare segmentation succeeds when network identity, not agent coverage, becomes the control point.


At a glance

What this is: This case study shows how Southern Illinois Healthcare achieved full wired-network microsegmentation across a 400-bed regional system with limited staff by combining visibility, simulation, and staged enforcement.

Why it matters: It matters because healthcare teams need controls that protect IoMT and legacy devices without endpoint agents, while also improving identity-aware segmentation, containment, and operational resilience across broader IAM and NHI programmes.

By the numbers:

  • SIH operates four hospitals, roughly 400 beds, and a Level II trauma center serving 17 to 19 counties across southern Illinois.

👉 Read Elisity's case study on healthcare microsegmentation at Southern Illinois Healthcare


Context

Healthcare microsegmentation is the practice of limiting how devices and systems communicate so a compromise in one area cannot spread laterally. In this case study, the primary problem is not a lack of awareness but a lack of workable controls for hospitals that rely on legacy and IoMT devices that cannot run agents or tolerate disruptive redesigns.

That creates a governance problem that intersects with identity security because the network, not the endpoint, becomes the enforcement layer for device identity and access boundaries. For IAM, PAM, and NHI programmes, the lesson is that identity-aware segmentation is increasingly part of containment strategy, not just a network design choice.


Key questions

Q: What breaks when healthcare segmentation depends on endpoint agents?

A: Endpoint-dependent segmentation fails when critical devices cannot run agents, cannot be modified safely, or are too legacy to support modern security tooling. In healthcare, that creates blind spots around IoMT and embedded systems, leaving the devices most exposed to lateral movement outside effective control. Network-layer enforcement is usually the practical alternative.

Q: Why do IoMT devices complicate microsegmentation planning?

A: IoMT devices complicate segmentation because they combine legacy operating systems, long lifecycles, and strict uptime requirements. Teams cannot assume the same controls used for laptops or servers will work safely. The result is a governance problem: policies must protect the device while preserving clinical workflows and regulated device behaviour.

Q: How do security teams know if segmentation is actually working?

A: Teams should look for three signals: communication paths match approved policy, blocked traffic is observed in simulation before enforcement, and exceptions remain narrow and auditable. If policies only exist on paper, or if the team cannot explain why a device talks to a given system, segmentation is not yet operating as a control.

Q: How should hospitals handle temporary access for vendors and support teams?

A: Hospitals should grant the smallest possible access for the shortest workable duration, tied to a specific device or system and reviewed after use. The goal is to enable support without reopening broad network paths. That keeps clinical operations moving while preserving containment and auditability.


Technical breakdown

Why agent-based segmentation fails for IoMT and legacy devices

Healthcare environments contain devices that cannot accept endpoint agents, cannot be patched quickly, or cannot tolerate software changes without clinical or regulatory risk. That makes traditional endpoint-centric segmentation incomplete. Microsegmentation at the switch or network layer shifts enforcement away from the device and toward traffic policy, which is critical when the protected asset is an infusion pump, imaging system, or other embedded system. The technical challenge is not only blocking traffic, but doing so without breaking legitimate device-to-server communication paths.

Practical implication: design segmentation controls that do not depend on installing software on every device.

Why source-of-truth inventory is the control plane for healthcare segmentation

You cannot enforce precise policies without knowing what exists, where it connects, and what it talks to. SIH's approach combined IoMT identification, EDR, IPAM, and switch flow data to build a verified inventory that was richer than any single tool could provide. This is an architecture pattern, not a product feature. The important point is data enrichment across multiple telemetry sources so policies are written against observed communication patterns rather than spreadsheet assumptions.

Practical implication: consolidate device identity and flow telemetry before writing enforcement rules.

Why simulation mode reduces clinical risk before enforcement

Simulation mode lets teams observe which communications would be blocked before any policy is enforced. In healthcare, that matters because an incorrect policy can interrupt patient monitoring, medication workflows, or data exchange between clinical systems. Simulation turns segmentation into a testable control instead of a blind cutover. It is especially useful in environments where uptime, safety, and operational continuity are all non-negotiable. The architectural value is that teams can validate behaviour under real traffic without introducing a patient safety event.

Practical implication: require simulation and validation gates before any policy goes into enforcement.


Threat narrative

Attacker objective: The attacker wants to move from one compromised device to higher-value clinical systems and data with minimal friction.

  1. Entry occurs when an attacker gains a foothold on a vulnerable or unmanaged device inside a flat healthcare network.
  2. Escalation follows through lateral movement to patient systems, clinical applications, or archives because internal communication paths are broadly allowed.
  3. Impact is achieved by disrupting care operations, stealing sensitive records, or accelerating ransomware spread across connected systems.

NHI Mgmt Group analysis

Identity-based segmentation is becoming a control for device trust, not just network hygiene. Healthcare microsegmentation works when the policy boundary tracks what a device is allowed to talk to, not whether the device itself is trustworthy. That is a direct governance issue for identity programmes because devices, workloads, and service accounts all behave like identities once access is enforced through policy. Practitioners should treat segmentation as part of access governance, not a separate infrastructure project.

Simulation-first enforcement is the only credible rollout model for clinical environments. The article shows that policy validation before blocking traffic is not a nice-to-have, but the difference between containment and operational disruption. In hospitals, the control failure is not lack of intent, but lack of safe observability before enforcement. Practitioners should see simulation as the minimum change-control gate for any high-risk segmentation deployment.

Healthcare segmentation exposes a named governance gap: the unmanaged device identity layer. The problem is not simply asset sprawl. It is that many hospitals still lack a trustworthy way to bind device identity, network location, and allowed communication paths into a single control model. That gap leaves legacy and IoMT devices governed by tribal knowledge and partial inventories. Practitioners should close the unmanaged device identity layer before assuming policy can scale.

Microsegmentation changes the operating model from exclusion to controlled enablement. The SIH example shows that precise network identity policies let security teams approve temporary or narrow access without opening broad exceptions. That matters for healthcare because rigid denial rules often drive shadow workarounds. Practitioners should use segmentation to replace blanket exclusions with auditable, time-bounded access decisions.

The market signal is clear: resource-constrained security teams need controls that reduce dependence on endpoint agents and manual administration. If three people can operate segmentation across four hospitals, the category is moving toward lower-friction enforcement models that fit operational reality. For identity governance, that means the winning pattern is not more complexity, but tighter control with less administrative overhead. Practitioners should evaluate whether their current access model can be sustained by the teams that must run it.

What this signals

Unmanaged device identity is now a practical control problem, not an abstract architecture concern. Healthcare teams that still rely on partial inventories or spreadsheet-based exceptions will struggle to scale containment across IoMT, legacy systems, and vendor support paths. The most useful next step is to align network access policy with identity-aware telemetry and established guidance such as NIST Cybersecurity Framework 2.0.

Simulation-led rollout should become the default for high-risk segmentation programmes. Once policy enforcement touches patient monitoring and clinical workflows, the tolerance for trial-and-error disappears. Teams should formalise pre-enforcement validation, exception review, and floor-by-floor rollout sequencing, then anchor operating procedures to NIST SP 800-207 Zero Trust Architecture.


For practitioners

  • Map device communication paths before enforcing policy Build a combined inventory from IoMT discovery, EDR, IPAM, and switch telemetry so segmentation rules reflect observed traffic rather than spreadsheet records. Prioritise the devices that cannot tolerate endpoint agents or frequent change.
  • Use simulation mode as a change-control gate Run policies in simulation long enough to validate patient monitoring, imaging, and device-to-server workflows before blocking any traffic. Require sign-off from clinical owners on any path that would affect care delivery.
  • Sequence rollout by operational complexity Start in a lower-risk area with predictable maintenance windows, then expand to larger sites and higher-acuity wards only after policy behaviour is proven. Use each deployment stage to refine exemptions and reduce false positives.
  • Replace blanket exclusions with scoped access rules Turn ad hoc exceptions into narrow, auditable policies tied to specific devices, ports, and time windows. This keeps vendors and support teams productive without reintroducing broad lateral-movement paths.

Key takeaways

  • Healthcare microsegmentation succeeds when policy follows device identity and observed communication, not when teams rely on endpoint agents that many clinical systems cannot run.
  • SIH's deployment shows that a small team can secure a complex hospital environment when visibility, simulation, and phased rollout are treated as mandatory controls.
  • The most important governance shift is from broad exclusion to auditable enablement, which is the model other constrained healthcare programmes will have to adopt.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Network segmentation and access restriction are central to this healthcare case study.
NIST SP 800-53 Rev 5AC-4Access enforcement at the network layer fits control of information flow.
CIS Controls v8CIS-4 , Secure Configuration of Enterprise Assets and SoftwareSegmented healthcare networks depend on controlled asset configuration and inventory.
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe case study is about containing attacker movement and limiting operational impact.
NIST Zero Trust (SP 800-207)Zero Trust principles apply because the model assumes no implicit trust for internal network paths.

Map segmentation gaps to lateral movement and impact tactics, then test containment against those paths.


Key terms

  • Microsegmentation: Microsegmentation is the practice of dividing a network into small policy zones so only approved traffic can move between devices and systems. In healthcare, it is often used to contain lateral movement around IoMT, legacy systems, and critical clinical applications without depending on endpoint agents.
  • IoMT: IoMT, or Internet of Medical Things, refers to network-connected medical devices and clinical systems that exchange patient or operational data. These devices often run embedded or legacy software, which makes them difficult to patch, instrument, or protect with standard endpoint security controls.
  • Simulation mode: Simulation mode is a pre-enforcement testing state that shows which network communications would be allowed or blocked without actually disrupting traffic. It helps security teams validate policy behaviour in live environments before they risk operational or safety impact.
  • Identity-based access policy: An identity-based access policy allows or denies communication based on the identity of a device, workload, or system rather than on simple network location alone. In practice, it gives security teams a more precise way to control who or what can reach clinical or business systems.

What's in the full article

Elisity's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step rollout sequencing across the Cancer Institute, main hospital, and remote clinics.
  • The specific switch-layer and telemetry integration pattern used to build the source of truth.
  • How simulation mode was tuned to reduce risk before enforcement on clinical devices.
  • The practical changes that turned security from a blocker into a controlled enabler for vendors and clinicians.

👉 Elisity's full post covers the deployment pattern, visibility stack, and clinical workflow safeguards behind the rollout

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need a stronger control model across identity, access, and lifecycle governance.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org