TL;DR: Sixty percent of health systems cannot adequately protect unpatchable, agentless medical devices, while 40% say fear of clinical disruption blocks microsegmentation adoption and 78% rank breach or ransomware prevention as the top buying criterion, according to Elisity and HIMSS Market Insights. The data shows healthcare security teams are not short on intent, but on deployment models that preserve uptime while reducing lateral movement risk.
NHIMG editorial — based on content published by Elisity: HIMSS 2026 Microsegmentation Survey on Healthcare
By the numbers:
- 60% of health systems cannot adequately protect unpatchable, agentless medical devices.
- 40% cite fear of clinical disruption as the top barrier to microsegmentation adoption.
- 78% rate proven breach or ransomware prevention as the most important decision criterion.
Questions worth separating out
Q: What breaks when microsegmentation is not designed for clinical environments?
A: Microsegmentation breaks when it assumes the network can be reworked faster than patient care can tolerate.
Q: Why does microsegmentation matter for unpatchable medical devices?
A: Unpatchable devices need compensating controls because the normal fix cycle does not exist.
Q: How do security teams know whether segmentation is actually working?
A: Teams should look for three signals: reduced lateral movement, fewer unintended device communications, and policies that can be enforced without workflow disruption.
Practitioner guidance
- Prioritise identity-based segmentation for unpatchable devices Start with the medical devices and operational systems that cannot tolerate agents, re-IPing, or frequent maintenance windows.
- Use simulation before blocking clinical traffic Run segmentation policies in a non-enforcing mode first, compare the results with real traffic, and review exceptions with biomedical and clinical teams before turning on enforcement.
- Treat east-west visibility as a standing requirement Continuously monitor lateral movement, policy violations, and unmanaged device communications so you can detect drift before an incident forces a manual exception.
What's in the full report
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Survey cross-tabs by role, organisation size, and decision authority across the 50 healthcare leaders surveyed
- Deployment examples showing how identity-based microsegmentation was rolled out without changing clinical network architecture
- ROI breakdowns that separate breach prevention, downtime avoidance, audit effort, and insurance outcomes
- Practical discussion of how policy simulation and enforcement were used to reduce change risk
👉 Read Elisity's HIMSS 2026 microsegmentation survey findings →
Microsegmentation in healthcare: are downtime fears blocking security?
Explore further
Implementation Paradox: healthcare security teams are not rejecting microsegmentation because they doubt the control. They are rejecting deployment models that threaten uptime, staffing, and clinical workflow. That creates a governance gap where the right control exists in theory but remains unused in practice. Practitioners should treat this as a deployment-design failure, not a security-awareness problem.
A question worth separating out:
Q: Who is accountable when segmentation is delayed by operational risk?
A: Accountability usually sits across security, infrastructure, and operations because each owns part of the trade-off. In regulated environments, leadership must decide whether the risk of disruption is greater than the risk of lateral movement and ransomware spread. That decision should be documented as part of resilience and insurance governance.
👉 Read our full editorial: Healthcare microsegmentation faces an implementation paradox