By NHI Mgmt Group Editorial TeamPublished 2026-06-03Domain: Cyber SecuritySource: Elisity

TL;DR: St. Luke’s University Health Network said identity-based healthcare microsegmentation let it enable robotic surgery, onboard acquisitions faster, and contain ransomware blast radius across 15 hospitals, 85,000 production devices, and about 1,800 vendors, according to Elisity. The real lesson is that segmentation becomes a governance layer for operational continuity, not just a network control.


At a glance

What this is: St. Luke’s says identity-based microsegmentation enabled faster clinical innovation and narrower ransomware containment across a large, mixed hospital network.

Why it matters: It matters because healthcare teams with large device estates, third-party exposure, and clinical uptime constraints need controls that reduce blast radius without forcing redesigns.

By the numbers:

👉 Read Elisity's St. Luke's case study on healthcare microsegmentation


Context

Healthcare microsegmentation is the practice of limiting device-to-device and device-to-service communication to reduce lateral movement and contain outbreaks. In this case, the governance gap was not detection but operational trust: a large hospital network could not safely enable new clinical systems because flat or loosely segmented access created too much shared risk.

That matters to identity and access teams because the article frames devices by identity, not by IP address alone. In hospital environments, machine identity, third-party access, and operational uptime collide, so segmentation decisions become part of access governance rather than a purely network-centric exercise.


Key questions

Q: How should hospitals implement microsegmentation without disrupting clinical systems?

A: Hospitals should segment by device identity and communication intent, then simulate policies before enforcement. That approach lets teams protect imaging systems, surgical robotics, and vendor-managed devices without re-IP, agents, or wholesale network redesign. The goal is to prove that care workflows still function while lateral movement paths are narrowed.

Q: Why do flat hospital networks increase ransomware blast radius?

A: Flat networks let one compromised device reach many others, so a single foothold can spread across clinical, administrative, and vendor-connected systems. In healthcare, that turns one infection into an operational event. Microsegmentation limits what the compromised device can communicate with, which makes containment the primary resilience gain.

Q: What do security teams get wrong about segmentation in healthcare?

A: They often treat segmentation as a pure network design issue and focus on VLANs, re-IP projects, or device replacement. In practice, the harder problem is governance over mixed device identities and unmanaged trust paths. If the policy model does not reflect how the hospital actually operates, the control will either break workflows or fail to contain risk.

Q: Who should be accountable when microsegmentation affects patient-care workflows?

A: Accountability should sit with a joint governance group that includes security, network operations, clinical leadership, and the CIO. If segmentation can delay a surgical robot, block an acquisition, or alter vendor connectivity, it is no longer a security-only decision. The control needs shared ownership and explicit risk acceptance.


Technical breakdown

Identity-based microsegmentation vs VLAN-based segmentation

Traditional VLAN segmentation groups devices by network location, which works poorly when hospitals have biomedical devices, imaging systems, printers, IoT, and vendor-managed equipment on the same estate. Identity-based microsegmentation changes the control point from address space to device identity and communication intent. That lets security teams define policy around what a device is and what it should reach, rather than forcing re-IP, hardware replacement, or broad network redesign. In mixed clinical environments, that shift is what makes segmentation operationally deployable at scale.

Practical implication: map device classes and communication needs before policy design, so segmentation follows identity rather than network topology.

Discover, classify, simulate, enforce in live clinical networks

The four-step model described here is operationally important because it reduces the risk of turning on a policy that breaks care delivery. Discovery builds an inventory of users, workloads, and devices. Classification assigns identity and policy groupings. Simulation tests what a rule would block before enforcement. Enforcement then applies control on existing infrastructure without agents or re-IP. The key architectural value is pre-change visibility, which hospitals need when downtime is not an option and device behavior is often poorly documented.

Practical implication: require simulation before enforcement anywhere clinical systems or unmanaged devices could be disrupted.

How segmentation changes ransomware blast radius

Microsegmentation does not stop ransomware entry by itself. It changes the economics of spread after initial compromise by limiting which systems a compromised device can reach. In a flat environment, one infected endpoint can move laterally across a hospital. In a segmented environment, the attacker faces narrower communication paths and fewer reachable assets, which converts a whole-site event into a localized incident. That is especially relevant where third-party devices and legacy medical equipment cannot be hardened at the same pace as the network around them.

Practical implication: design containment targets for the first compromised device, not just perimeter prevention.


Threat narrative

Attacker objective: The attacker wants to expand a single foothold into a broad operational disruption or ransomware event across the hospital network.

  1. Entry begins on a device or account already present in the hospital estate, where a flat trust model gives it broad reach beyond its legitimate purpose.
  2. Escalation occurs when that foothold can laterally move across shared network paths because segmentation does not constrain device identity or communication scope.
  3. Impact is a hospital-wide ransomware event or operational outage, unless the blast radius is restricted to the small set of devices the compromised identity can legitimately reach.

NHI Mgmt Group analysis

Microsegmentation has become a clinical governance control, not just a network control. The St. Luke’s story shows that hospital segmentation decisions now shape whether innovation can be safely deployed. When robotic surgery, acquisitions, and vendor equipment all depend on bounded trust, the control is doing operational governance work as much as security work. Practitioners should treat segmentation as a business-enablement control with direct patient-care impact.

Healthcare environments expose a machine identity problem that classic network tooling does not solve. The article repeatedly shows that devices, not users, are the dominant trust unit in many hospital workflows. That puts machine identity, third-party access, and unmanaged device classes at the center of the governance model. For identity leaders, the lesson is to align machine identity, access scope, and network containment as one programme rather than separate initiatives.

Identity-based segmentation creates a more realistic control boundary for mixed estates. Hospitals cannot assume uniform manageability across endpoints, biomedical devices, and vendor-managed systems. A policy model built on identity and communication intent is more durable than one built on IP schemes or manually maintained VLANs. The practitioner conclusion is simple: if the asset mix is heterogeneous, the boundary model must be identity-aware.

Blast-radius control is now the deciding security variable in healthcare resilience. The post makes clear that a successful defense is not necessarily the absence of compromise, but the ability to localise it. That shift matters because resilience, clinical uptime, and cybersecurity are converging in the same architecture decisions. Teams should judge segmentation by containment outcomes, not by the elegance of the network diagram.

Healthcare microsegmentation exposes a governance gap around third-party and legacy device trust. The article shows how many vendor and clinical systems are effectively operating on inherited trust with limited direct manageability. That is the failure mode: overly broad connectivity persists because organisations cannot easily see or constrain what these systems can reach. The practitioner conclusion is to inventory trust relationships before they become incident pathways.

What this signals

Third-party and device trust will keep colliding in healthcare programmes. The same operational environments that need rapid onboarding also inherit unmanaged connectivity from vendors and acquisitions. That means identity-aware segmentation, third-party access visibility, and lifecycle controls will increasingly need to be planned together rather than as separate projects.

From our research: 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities. In hospital settings, that exposure becomes harder to absorb because the systems in question often support clinical operations, not just back-office workflows.

Blast-radius management is becoming the practical bridge between resilience and identity governance. As programmes mature, teams will need to prove that they can localise compromise without destabilising care delivery. That makes policy simulation, identity classification, and containment modelling part of the identity architecture conversation, not just the network programme.


For practitioners

  • Define device identity groups before writing policy Classify biomedical devices, clinical workstations, servers, printers, and vendor-managed systems into explicit identity groups so rules reflect actual communication needs. Use that structure to avoid broad allowlists that preserve flat-network behaviour.
  • Require simulation before enforcement Test every segmentation policy in simulation against clinical workflows, acquisition onboarding, and vendor access paths before enabling it. That is the only practical way to avoid blocking surgical systems or inherited hospital services.
  • Set containment targets for ransomware scenarios Model the first compromised device and define the smallest reachable set it should be allowed to touch. Use that target to evaluate whether segmentation is reducing blast radius or merely reshaping the same risk.
  • Include CIO, network, and clinical owners in policy design Build governance around joint approval because the control affects patient care, device uptime, and integration timelines. Security cannot design this in isolation if the objective is to enable robotics and acquisitions safely.
  • Measure success by safe enablement, not just blocked traffic Track whether the programme allowed robotic surgery, acquisition onboarding, and constrained incident spread without forcing re-IP or new hardware. Those are the outcomes that show segmentation is functioning as a resilience control.

Key takeaways

  • St. Luke’s story shows that microsegmentation can function as a patient-care enabler when it is tied to operational outcomes, not just security policy.
  • The scale of the environment, 15 hospitals, 85,000 production devices, and about 1,800 vendors, explains why flat trust and VLAN-only approaches ran out of road.
  • The control lesson is clear: identity-based containment, tested in simulation before enforcement, is the difference between hospital-wide spread and localised incident impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity-based segmentation maps to controlled access enforcement in mixed hospital environments.
NIST SP 800-53 Rev 5AC-4Information flow enforcement is central to limiting device-to-device movement in hospitals.
CIS Controls v8CIS-12 , Network Infrastructure ManagementSegmentation and network control are core to managing hospital attack surface and containment.
MITRE ATT&CKTA0008 , Lateral Movement; TA0040 , ImpactThe article focuses on how segmentation blocks spread and limits ransomware impact.
ISO/IEC 27001:2022A.8.20Network security controls support segmentation enforcement across clinical and vendor-connected systems.

Map containment requirements to lateral movement and impact tactics when designing segmentation policy.


Key terms

  • Identity-based microsegmentation: A segmentation model that controls communication based on the identity and purpose of a device, workload, or user rather than only its network location. It is used to reduce lateral movement by constraining what each identity can reach in practice.
  • Blast radius: The amount of damage or spread that can occur after one system is compromised. In healthcare networks, blast radius is often the more useful metric than prevention alone because it shows whether an incident stays local or becomes operationally disruptive.
  • Device identity: The set of attributes used to recognise what a device is and what it should be allowed to access. In mixed estates, device identity becomes a governance primitive because policy can follow the asset even when IP addresses, VLANs, or ownership change.

What's in the full article

Elisity's full post covers the operational detail this analysis intentionally leaves for the source:

  • The exact discover, classify, simulate, enforce workflow used across the hospital network.
  • The operational examples behind robotic surgery enablement, acquisition onboarding, and ransomware containment.
  • The customer's implementation lessons for moving from flat trust to identity-based control.
  • The on-stage narrative and supporting customer quotes that explain how the team justified the change.

👉 Elisity's full post covers the hospital-scale deployment detail and customer examples behind the outcomes.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security practitioners connect identity controls to the operational systems their programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org