TL;DR: MDS2 documentation can be converted into identity-based microsegmentation policies that protect connected medical devices in 4 to 16 weeks, helping healthcare teams reduce lateral movement and preserve clinical workflows, according to Elisity. The governance challenge is not data availability, but operationalising device security intelligence into enforceable policy without creating patient-care disruption.
At a glance
What this is: This is an analysis of how MDS2 data can be operationalised into network segmentation policies for medical device security, with the key finding that documentation becomes more useful when translated into identity-based controls.
Why it matters: It matters because healthcare security teams need to control device communication paths, contain ransomware movement, and reduce risk without breaking clinical access, and those same policy patterns intersect with IAM-style governance for device identities and privileged connectivity.
By the numbers:
- 22% of healthcare organizations experienced medical device cyberattacks in the past year, and 75% of those incidents directly affected patient care delivery.
- MDS2 provides standardized cybersecurity documentation covering 23 control categories for medical devices.
- Healthcare organizations are achieving comprehensive medical device security in 4-16 weeks without clinical disruption.
👉 Read Elisity's analysis of how MDS2 data drives medical device segmentation
Context
MDS2 is a standardised disclosure format for medical device security, but documentation alone does not secure connected devices. The core problem is governance: healthcare teams still have to translate manufacturer data into segmented access rules that reflect how devices actually communicate in clinical environments.
This is primarily a cyber_broad topic, but it has a genuine identity and access control angle because segmentation decisions are effectively policy decisions about which device identities, protocols, and connections are allowed to communicate. For IAM practitioners, the lesson is that identity-based control patterns can extend beyond human users and into machine and device communications when the governance model is precise.
The article's starting position is typical of healthcare security programmes: rich device data exists, but the operational model to enforce it at scale has usually lagged behind.
Key questions
Q: What fails when MDS2 data never reaches enforcement policy?
A: MDS2 becomes a paperwork exercise instead of a security control. The failure mode is policy translation debt, where teams know a device's limits but never convert that knowledge into segmentation, access restrictions, or monitoring rules. In practice, that leaves legacy devices and weak protocols exposed inside flat hospital networks.
Q: When should healthcare teams prioritise microsegmentation over broad network redesign?
A: Teams should prioritise microsegmentation when devices cannot be easily patched, replaced, or moved into separate physical networks without clinical disruption. In those cases, identity-based segmentation gives faster risk reduction and narrower access boundaries while preserving care workflows.
Q: What do security teams get wrong about medical device security documentation?
A: They often treat documentation as proof of security rather than input to control design. MDS2 tells you what a device supports, but it does not enforce anything by itself. The right approach is to use it to drive policy, compensating controls, and exception handling.
Q: Who is accountable when a segmented medical device still exposes patient care risk?
A: Accountability usually sits with both security and clinical engineering because the control spans network policy and operational safety. Governance should define who approves segmentation changes, who validates device behaviour, and who owns exceptions when a device cannot meet the intended control standard.
Technical breakdown
How MDS2 data becomes segmentation policy
MDS2 documents describe what a device can and cannot do, including authentication support, encryption, logging, patching, and network communication requirements. On their own, those answers are static procurement evidence. When a security platform correlates MDS2 data with live device discovery, the result is a policy model that can restrict communication based on real device capability, clinical role, and observed traffic. That shifts segmentation from manual firewall engineering to identity-aware policy orchestration.
Practical implication: security teams should map MDS2 fields to enforceable network rules before attempting broad segmentation changes.
Why microsegmentation fits medical device risk
Microsegmentation reduces the blast radius of compromised devices by narrowing who or what can talk to them. In healthcare, that matters because flat networks let old firmware, weak credentials, and unencrypted protocols become pathways for lateral movement. Identity-based microsegmentation is useful here because the policy can be tied to device identity, protocol intent, and workflow context rather than only IP address ranges, which are too brittle in complex hospital environments.
Practical implication: teams should base segmentation on device identity and communication intent, not static network subnets alone.
Operationalising MDS2 without clinical disruption
The difficult part is not discovering vulnerabilities, but converting them into controls that do not interrupt care delivery. Simulation, traffic baselining, and phased enforcement are essential because medical devices often have narrow communication dependencies and limited upgrade paths. The technical pattern is similar to zero standing privilege thinking in IAM: access should be narrower than default, temporary where possible, and continuously validated against actual need.
Practical implication: simulate policy changes against observed traffic before enforcing them in production clinical networks.
Threat narrative
Attacker objective: The attacker objective is to move through medical device infrastructure, disrupt clinical operations, and maximize pressure through patient care impact or data exposure.
- Entry begins when exposed or underprotected medical devices, especially those with weak credentials or unpatched firmware, are reachable on a flat clinical network.
- Escalation occurs when attackers or malware move laterally from one device segment to another because access boundaries are too broad or absent.
- Impact follows when ransomware, data theft, or device disruption reaches critical care systems and interrupts patient treatment or exposes PHI.
NHI Mgmt Group analysis
MDS2 is only useful when it becomes a control input, not a compliance artefact. Healthcare already has enough device disclosure data to make better decisions, but most programmes still leave that intelligence in procurement files and spreadsheets. The problem is not visibility alone, it is policy translation. When manufacturer disclosures do not flow into enforcement, risk remains static and attackers inherit the gap.
Identity-based microsegmentation is the right governance pattern for medical devices because devices also need bounded trust. In a hospital, the question is not whether a device is authenticated in the human sense, but whether its permitted communications are narrowly governed and continuously validated. That is an identity and access control problem applied to machines, and it is exactly where IAM thinking adds value beyond traditional network design.
Clinical safety and security are no longer competing objectives when segmentation is policy-driven. The article's strongest operational point is that segmentation can be tested before enforcement, which lowers the risk of blocking care-critical flows. Practitioners should treat clinical workflows as a constraint model inside the security control, not as an exception after the fact.
The named concept here is medical-device policy translation debt: the gap between device security documentation and enforceable segmentation policy. That debt accumulates when teams can describe device risk but cannot operationalise it fast enough to protect live environments. The practical conclusion is that healthcare security programmes need a repeatable path from disclosure data to policy enforcement.
Healthcare segmentation programmes will increasingly be judged by implementation speed, not documentation quality. A mature programme can absorb MDS2 data, correlate it with live telemetry, and enforce controls without months of manual work. The practitioners who win are the ones who can translate security requirements into clinical-safe enforcement quickly and consistently.
What this signals
Medical device security is converging with identity governance because access boundaries now matter as much for machines as they do for people. The practical signal for healthcare teams is that segmentation programmes will be expected to show policy intent, not just network isolation. That makes device discovery, entitlement scoping, and exception management core governance tasks rather than purely network tasks.
Policy translation debt will become the limiting factor in healthcare resilience. Teams that can discover devices but cannot convert manufacturer disclosures into enforceable rules will continue to absorb avoidable risk. The strongest programmes will treat MDS2 data as operational input and align it with broader identity and access governance, including the discipline described in the Ultimate Guide to NHIs , Key Challenges and Risks.
As healthcare environments add more connected devices, the control question shifts from whether you can see the asset to whether you can govern its trust boundary. That is where modern security architecture meets identity-style policy enforcement, and where teams will need repeatable controls rather than one-off projects.
For practitioners
- Map MDS2 fields to enforceable controls Build a mapping between MDS2 categories such as authentication, encryption, logging, patching, and network communication and the specific segmentation rules your tools can enforce. That turns disclosure data into a policy model instead of a reference document.
- Prioritise high-risk device classes first Start with devices that are clinically critical, unpatched, or known to rely on weak authentication and broad network reach. Use device location and workflow impact to decide which segments need the tightest boundaries first.
- Simulate before enforcement Test proposed policies against observed device traffic before turning them on in production. For medical devices, simulation is the control that prevents segmentation from becoming a patient-safety problem.
- Correlate discovery with manufacturer disclosures Use passive discovery platforms to match live device inventory to the correct MDS2 forms, then validate where the device's documented capabilities diverge from its actual behaviour on the network.
Key takeaways
- MDS2 data is valuable only when healthcare teams turn it into enforceable segmentation policy rather than static procurement evidence.
- The risk is operational, not theoretical: weak credentials, unpatched firmware, and flat networks create the conditions for lateral movement and patient-care disruption.
- Identity-based microsegmentation gives security teams a way to narrow device trust boundaries without breaking clinical workflows when it is simulated and phased properly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access restriction and segmentation map directly to medical device communication control. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement is central to segmentation-based medical device protection. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | Segmentation and boundary control align with network infrastructure management in complex hospitals. |
| ISO/IEC 27001:2022 | A.8.20 | Network security is directly relevant to controlling how medical devices communicate. |
| GDPR | Art.32 | Encrypted transmission and access controls matter where devices handle personal health data. |
Use PR.AC-4 to define and enforce least-privilege communication paths for connected devices.
Key terms
- Manufacturer Disclosure Statement for Medical Device Security (MDS2): A standardised security disclosure form used by medical device manufacturers to describe device capabilities, limitations, and operational requirements. It gives healthcare buyers and operators comparable information about authentication, encryption, logging, patching, and network behaviour so they can design controls around real device constraints.
- Identity-based microsegmentation: A segmentation approach that restricts network communications using device identity, policy intent, and observed behaviour rather than only IP address ranges. In healthcare, it helps teams limit lateral movement while keeping device workflows intact and makes enforcement more adaptable to changing clinical environments.
- Policy translation debt: The accumulated gap between knowing a control requirement and actually enforcing it in production. In medical device security, it describes the delay between receiving MDS2 information and turning it into segmentation, access restrictions, or monitoring rules that materially reduce risk.
- Clinical-safe enforcement: Security enforcement that protects the environment without interrupting patient care, device communications, or time-critical workflows. It usually depends on baselining, simulation, phased rollout, and close collaboration between security and clinical engineering teams.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step workflow for converting MDS2 disclosures into segmentation policies across device classes.
- Implementation detail on using discovery platforms to match live devices to manufacturer documentation.
- Policy simulation and validation methods for avoiding disruption to clinical traffic.
- Practical rollout guidance for healthcare environments trying to move from documentation to enforcement.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security practitioners apply identity discipline to the wider control problems their programmes now face.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org