TL;DR: St. Luke’s University Health Network said identity-based healthcare microsegmentation let it enable robotic surgery, onboard acquisitions faster, and contain ransomware blast radius across 15 hospitals, 85,000 production devices, and about 1,800 vendors, according to Elisity. The real lesson is that segmentation becomes a governance layer for operational continuity, not just a network control.
NHIMG editorial — based on content published by Elisity: Healthcare microsegmentation at 15 hospitals, the St. Luke's story from the Gartner Security and Risk Management Summit
By the numbers:
- St. Luke’s runs 15 hospitals, 85,000 production devices, 23,000 active users, and roughly 1,800 vendors across about 75 square miles.
Questions worth separating out
Q: How should hospitals implement microsegmentation without disrupting clinical systems?
A: Hospitals should segment by device identity and communication intent, then simulate policies before enforcement.
Q: Why do flat hospital networks increase ransomware blast radius?
A: Flat networks let one compromised device reach many others, so a single foothold can spread across clinical, administrative, and vendor-connected systems.
Q: What do security teams get wrong about segmentation in healthcare?
A: They often treat segmentation as a pure network design issue and focus on VLANs, re-IP projects, or device replacement.
Practitioner guidance
- Define device identity groups before writing policy Classify biomedical devices, clinical workstations, servers, printers, and vendor-managed systems into explicit identity groups so rules reflect actual communication needs.
- Require simulation before enforcement Test every segmentation policy in simulation against clinical workflows, acquisition onboarding, and vendor access paths before enabling it.
- Set containment targets for ransomware scenarios Model the first compromised device and define the smallest reachable set it should be allowed to touch.
What's in the full article
Elisity's full post covers the operational detail this analysis intentionally leaves for the source:
- The exact discover, classify, simulate, enforce workflow used across the hospital network.
- The operational examples behind robotic surgery enablement, acquisition onboarding, and ransomware containment.
- The customer's implementation lessons for moving from flat trust to identity-based control.
- The on-stage narrative and supporting customer quotes that explain how the team justified the change.
👉 Read Elisity's St. Luke's case study on healthcare microsegmentation →
Healthcare microsegmentation at 15 hospitals: what it changes for security teams?
Explore further
Microsegmentation has become a clinical governance control, not just a network control. The St. Luke’s story shows that hospital segmentation decisions now shape whether innovation can be safely deployed. When robotic surgery, acquisitions, and vendor equipment all depend on bounded trust, the control is doing operational governance work as much as security work. Practitioners should treat segmentation as a business-enablement control with direct patient-care impact.
A question worth separating out:
Q: Who should be accountable when microsegmentation affects patient-care workflows?
A: Accountability should sit with a joint governance group that includes security, network operations, clinical leadership, and the CIO. If segmentation can delay a surgical robot, block an acquisition, or alter vendor connectivity, it is no longer a security-only decision. The control needs shared ownership and explicit risk acceptance.
👉 Read our full editorial: Healthcare microsegmentation turns hospital risk into containment