TL;DR: Main Line Health validated hospital microsegmentation by deliberately forcing network outages across five hospitals and roughly 100,000 connected devices, showing that resilience depends on tested segmentation, clinical workflow fallback, and shared operational understanding, according to Elisity. The lesson is that resilience claims collapse unless policy, people, and analogue recovery are proven together.
NHIMG editorial — based on content published by Elisity: Hospital Cyber Resilience, Main Line Health's Chaos Engineering Approach
By the numbers:
- Main Line Health operates five hospitals, eight large ambulatory sites, and roughly 160 clinical practices across five counties.
Questions worth separating out
Q: What breaks when microsegmentation is not tested under real outage conditions?
A: Policies can look correct on paper while hiding workflow failures, reconnect problems, and unsupported clinical dependencies.
Q: Why do flat networks increase risk in hospitals and other operational environments?
A: Flat networks let devices and systems communicate broadly by default, which makes lateral movement easier after one compromise.
Q: How do security teams know if microsegmentation is actually working?
A: They should measure whether allowed traffic matches real operational needs, whether blocked communication stays blocked during failure, and whether recovery processes still function under stress.
Practitioner guidance
- Map device relationships before enforcement Build an explicit inventory of biomedical devices, printers, imaging systems, and support endpoints, then document which peers each class truly needs to reach.
- Test segmentation with controlled outage windows Schedule rolling disruption exercises that force reconnects, validate paper-based workflows, and prove that devices recover cleanly under failure.
- Treat analogue fallback systems as security controls Verify emergency phones, manual charting, and other non-digital recovery paths with the same discipline used for network policy.
What's in the full article
Elisity's full post covers the operational detail this post intentionally leaves for the source:
- A step-by-step walkthrough of the three-phase chaos engineering approach used to validate segmentation across clinical environments.
- The exact sequencing of tiered rollout decisions across physician practices, mental health facilities, and acute care hospitals.
- Examples of how the team modeled device behaviour before turning on enforcement, including what counted as a safe deny candidate.
- The board, compliance, and insurance reporting implications of proving segmentation with live outage tests.
👉 Read Elisity's case study on Main Line Health's chaos engineering segmentation tests →
Microsegmentation under chaos testing: what hospital teams learned?
Explore further
Chaos engineering is becoming a governance test for resilience, not a niche reliability exercise. Main Line Health’s approach shows that a segmentation design cannot be treated as proven until it survives intentional failure. That shifts the control conversation from documentation to behavioural evidence, which is exactly where modern security governance should be heading. Practitioners should treat outage testing as the moment policy becomes operational truth.
A question worth separating out:
Q: Who is accountable when segmentation disrupts clinical or business operations?
A: Accountability sits jointly with security, infrastructure, and the operational owners who define normal behaviour. In regulated environments, that also extends to leadership that approved the risk posture and the recovery model. Segmentation is only defensible when the business can show it validated both the control and the fallback path.
👉 Read our full editorial: Hospital microsegmentation is only real when tested under outage