TL;DR: Healthcare leaders broadly recognise microsegmentation as necessary, yet Omdia’s survey of 176 healthcare security leaders found only 9% have protected more than 80% of critical systems, while nearly half experienced a lateral movement attack in the past year. The gap is not awareness, it is identity-based execution across clinical devices and users.
At a glance
What this is: This is an analysis of Omdia survey findings showing that healthcare microsegmentation intent is far ahead of implementation, with lateral movement still common and critical system coverage still thin.
Why it matters: It matters because healthcare security teams must protect users, devices, and clinical workflows without breaking operations, and partial segmentation leaves identity pathways open to lateral movement and patient-impacting disruption.
By the numbers:
- Only 9% have protected more than 80% of their critical systems with microsegmentation in healthcare environments.
👉 Read Elisity's analysis of microsegmentation survey findings in healthcare
Context
Microsegmentation in healthcare is the practice of enforcing granular, identity-based access boundaries between devices, users, and systems so that one compromised endpoint cannot move laterally across clinical environments. The problem in this article is not the concept itself, but the gap between stated intent and real coverage in hospitals and other care settings.
That gap matters because healthcare networks combine visiting clinicians, mobile workstations, IoMT devices, and patient-facing systems that do not behave like a static enterprise office network. In that environment, legacy segmentation tends to protect the easy parts first and leaves the highest-risk paths exposed, which is a poor fit for identity-driven control.
The article’s survey findings show a sector that understands the threat but still struggles to operationalise identity-based segmentation at scale. That is typical of healthcare programmes trying to modernise around Zero Trust while still supporting clinical uptime and regulated workflows.
Key questions
A: Start with the highest-risk patient-facing systems and the identities that legitimately need access to them. Define policy around device identity, clinical role, and communication need, then validate the design with clinical owners. The goal is to block lateral movement while preserving the access patterns that keep care delivery running.
Q: Why do traditional VLANs and ACLs fail in healthcare segmentation programs?
A: They depend on static network placement and manual rule maintenance, which does not fit mobile clinicians, roaming devices, or IoMT systems. Healthcare security needs policy that follows identity and function, not switch port or IP address. That is why legacy segmentation often leaves the most sensitive paths exposed.
Q: What breaks when microsegmentation covers only part of a hospital environment?
A: Partial coverage creates isolated zones while leaving adjacent trust paths open. Attackers do not need universal reach, only one weakly governed route to pivot into critical systems. If the segmentation boundary is incomplete, the environment still supports lateral movement and the organisation still carries residual exposure.
Q: Who is accountable when segmentation failures lead to patient-impacting disruption?
A: Accountability sits with the organisation that owns clinical risk, security architecture, and lifecycle governance together. In healthcare, segmentation is not only a network team responsibility because access decisions affect patient safety, compliance, and operational continuity. Governance has to join those functions instead of leaving them separated.
Technical breakdown
Why legacy network segmentation fails in clinical environments
Traditional segmentation tools such as VLANs, ACLs, and NAC were built for relatively stable networks, not for hospital environments where devices move, users rotate, and third-party clinicians need short-duration access. VLANs and ACLs are manually configured and tied to network position, while NAC depends on agent support or device authentication patterns that many IoMT systems cannot provide. That creates a structural mismatch: the policy model assumes static topology, but healthcare behaves like a dynamic identity problem. Identity-based microsegmentation shifts the control point from the port to the actor, which is why it fits clinical workflows better than location-based rules.
Practical implication: treat segmentation as an identity and workflow problem, not a network re-cabling exercise.
Identity-based microsegmentation and lateral movement prevention
Identity-based microsegmentation classifies devices and users by who or what they are, then enforces policy regardless of which network segment or physical port they use. That matters in healthcare because lateral movement often begins with a compromised medical device, contractor endpoint, or clinician workstation and then spreads to EHRs, imaging, or monitoring systems. The control value is not just isolation. It is the ability to make policy follow the device identity, which reduces the chance that a single foothold can traverse an entire clinical environment.
Practical implication: anchor policy to device identity and clinical role, then verify that east-west traffic is denied by default.
Why partial coverage creates false confidence
Partial microsegmentation can look like progress while still leaving critical systems connected through unprotected paths. In practice, a hospital may segment high-visibility assets and still leave infusion pumps, monitoring systems, or remote access terminals reachable through adjacent trust zones. That creates a false sense of containment because the attacker only needs one weakly governed path to regain movement. The survey data in this article shows that implementation is lagging behind planning, which means maturity should be measured by protected critical paths, not by project status or policy counts.
Practical implication: measure coverage by critical-system reachability, not by how many policies have been written.
Threat narrative
Attacker objective: The attacker aims to expand a single foothold into broader access that disrupts care, encrypts systems, or exposes sensitive patient data.
- Entry begins when an attacker gains a foothold through a vulnerable clinical device, compromised user endpoint, or weakly governed remote access path.
- Escalation follows as the attacker moves laterally across unsegmented or partially segmented hospital systems to reach higher-value clinical assets.
- Impact occurs when ransomware, data theft, or operational disruption affects electronic health records, patient monitoring, or treatment delivery.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Microsegmentation in healthcare fails when it is treated as a network project instead of an identity control. The survey shows broad support for microsegmentation, but support is not the same as control coverage. Healthcare environments are shaped by rotating clinicians, mobile devices, and patient-facing systems, so the real governance problem is identity-bound east-west access. Practitioners should stop measuring success by deployment intent and start measuring whether critical clinical pathways are actually isolated.
Partial segmentation is not a halfway control, it is a residual trust model. If a hospital protects some systems but leaves adjacent paths open, the attacker still has a route through the environment. That is why the article’s gap between 99% planning and 9% high coverage matters: it reveals a programme that may satisfy internal narrative but not containment goals. The implication is that security teams must treat incomplete segmentation as exposed trust, not as acceptable progress.
Clinical identity blast radius: the relevant governance unit is no longer the subnet, but the set of devices and users that can reach patient-impacting systems once one identity is compromised. This framing matters because healthcare risk is defined by how far one compromise can travel across care delivery systems. The practical conclusion is that containment must be designed around role, device type, and clinical function, not around flat trust zones.
Healthcare’s segmentation problem is also a lifecycle problem. Visiting clinicians, temporary workers, equipment vendors, and remote engineers all create time-bounded access requirements that traditional segmentation methods do not govern cleanly. A static policy model cannot safely represent short-lived clinical access, so access scope, duration, and revocation discipline become core governance issues. Practitioners should align segmentation with joiner-mover-leaver control and offboarding discipline rather than treating it as a one-time network design.
Identity-based microsegmentation is now a patient safety control, not just a cyber control. The article links lateral movement to disruptions in treatment, monitoring, and diagnostics, which means the business case is no longer only about breach prevention. Healthcare leaders should reframe segmentation as a resilience requirement that protects care continuity, compliance posture, and operational trust at the same time.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- For a broader governance lens, see Top 10 NHI Issues for the control failures that typically appear before segmentation and access problems become visible.
What this signals
Clinical identity blast radius: healthcare teams should now think in terms of how far one compromised identity can travel across patient-facing systems, not just how many network zones exist. The practical signal is to prioritise controls that reduce reachable critical systems, because that is the unit of exposure that matters when care continuity is on the line.
This article suggests that microsegmentation programmes will increasingly be judged by operational coverage rather than policy intent. Teams that cannot prove isolation of monitoring, imaging, EHR, and remote access pathways will struggle to defend residual risk in audits, board reviews, and incident postmortems. For a broader NHI context, compare the governance patterns in Ultimate Guide to NHIs , Key Challenges and Risks.
The healthcare lesson is that access lifecycle discipline and segmentation discipline are converging. When visiting clinicians, vendors, and temporary workers have time-bounded access, the environment needs revocation, verification, and containment to move in step. That is why identity-based containment is becoming part of operational resilience rather than a standalone security initiative.
For practitioners
- Map segmentation to patient-critical pathways Identify which device-to-system paths would create the greatest patient safety impact if compromised, then prioritise those paths for isolation before broader network zones. Use clinical workflow owners to validate the map, not just network engineers.
- Replace static network boundaries with identity-aware policy Move away from VLAN-only thinking and define access based on device identity, clinical role, and trust level. For healthcare environments, policy must follow the device and user even when they move between rooms, floors, or facilities.
- Measure containment by reachable critical systems Track the percentage of EHR, monitoring, imaging, and medication systems that are unreachable from lower-trust segments after a compromise. That metric is more meaningful than total policy count or project completion status.
- Align segmentation with access lifecycle controls Tie short-duration access for visiting clinicians, vendors, and contractors to explicit expiration and revocation processes so segmentation does not outlive the access it is meant to constrain.
Key takeaways
- Healthcare microsegmentation is still an execution problem, not an awareness problem.
- Partial segmentation leaves enough residual trust for lateral movement to remain viable.
- Identity-based controls matter because clinical environments are governed by people, devices, and access lifecycles, not just network topology.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity-based segmentation supports access enforcement in clinical networks. |
| NIST Zero Trust (SP 800-207) | The article centers on continuous verification and least-privilege segmentation. | |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement is the core control behind segmentation boundaries. |
| CIS Controls v8 | CIS-3 , Data Protection | Healthcare segmentation protects sensitive patient data by limiting reachable systems. |
Map clinical access paths to PR.AC-4 and restrict east-west traffic by role and device identity.
Key terms
- Microsegmentation: Microsegmentation is the practice of creating small, enforceable trust zones around users, devices, or workloads so that one compromise cannot easily move across the environment. In healthcare, it is most effective when policy follows identity and clinical function rather than switch location or VLAN membership.
- Identity-Based Segmentation: Identity-based segmentation applies access policy according to who or what is connecting, not where the connection originates. For healthcare operations, that means policy can travel with a clinician, workstation, or medical device as it moves through the network, which is essential for dynamic clinical environments.
- Lateral Movement: Lateral movement is an attacker’s ability to pivot from the first compromised system into other internal systems. In healthcare, it often turns a single foothold into access to EHR, imaging, monitoring, or operational systems, which is why segmentation is a containment control rather than a perimeter control.
- Clinical Identity Blast Radius: Clinical identity blast radius is the practical set of systems a single compromised clinical identity or device can reach before controls stop it. It is a useful governance concept because it shifts focus from network architecture to patient-impacting exposure, containment scope, and operational resilience.
What's in the full report
Elisity's full blog post covers the operational detail this post intentionally leaves for the source:
- Survey breakdown by respondent type, including healthcare-specific segmentation priorities and device classes.
- Detailed comparisons between legacy segmentation methods and identity-based microsegmentation in clinical settings.
- Healthcare compliance context, including how segmentation maps to HIPAA security expectations and audit evidence.
- Deployment and integration considerations for SIEM, EDR, and SOAR workflows in hospital environments.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org