TL;DR: HIMSS 2026 sessions in Las Vegas pointed to a consistent healthcare security lesson: misplaced trust, vendor access, and device sprawl drive breach risk more than tool count, while Cooper University Health Care reported a 75% reduction in unknown edge devices and a 45% increase in segmentation coverage. The practical answer is tighter identity governance, segmentation, and lifecycle control, not another layer of dashboards.
NHIMG editorial — based on content published by Elisity: HIMSS 2026: What We Learned About Zero Trust, Segmentation, and Privilege at the Cybersecurity Command Center
By the numbers:
- 75% and increased segmentation coverage by 45% by, vices by 75% and increased segmentation coverage by 45% by combining device hardening, network segmentation, and cross-departmental collaboration.
- Most organisations are using only about 60% of any given tool's effectiveness, according to the session summary.
Questions worth separating out
Q: What fails in healthcare security when organisations rely on implicit trust?
A: Implicit trust fails when vendors, users, devices, or integrations are allowed broad access simply because they are already inside the environment or hold a credential.
Q: Why do service accounts and vendor identities increase risk in clinical environments?
A: Service accounts and vendor identities increase risk because they often outlive the task they were created for and accumulate more access than human users would receive.
Q: How can hospitals tell whether segmentation is actually reducing risk?
A: Hospitals can measure whether segmentation is working by checking whether a compromised device or user can still reach systems outside its intended zone.
Practitioner guidance
- Audit all implicit trust paths Inventory vendor connections, internal integrations, shared admin access, and device-to-system relationships that currently rely on assumed legitimacy.
- Extend segmentation to clinical blast-radius control Group devices and systems by function, sensitivity, and operational dependency, then block unnecessary east-west communication between those zones.
- Bring non-human identities into access governance Include service accounts, device credentials, and vendor accounts in lifecycle review, access review, and revocation processes.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- The session-by-session HIMSS 2026 notes behind the tech rationalization, zero trust, segmentation, and privilege discussions.
- The Cooper University Health Care operating details behind the 75% reduction in unknown edge devices and the 45% segmentation increase.
- The legal trade-offs behind conducting a HIPAA risk analysis under attorney-client privilege, including what counsel should review first.
- The vendor booth context and conference observations that explain how healthcare buyers are prioritising trust, segmentation, and control rationalization.
👉 Read Elisity's HIMSS 2026 analysis of zero trust, segmentation, and privilege in healthcare →
Zero trust and segmentation at HIMSS 2026: what changed for healthcare teams?
Explore further
Implicit trust is the core healthcare security failure, not tool scarcity. The article shows that organisations keep adding controls without changing the trust model that determines how access is granted. When vendors, devices, and integrations inherit broad access by default, the programme is still operating on implicit trust even if the stack looks mature. The identity problem is not just authentication, but governance of who and what is allowed to move through the environment. Practitioners should treat trust boundaries as the real control plane.
A question worth separating out:
Q: Who should be accountable for zero trust decisions in healthcare?
A: Accountability should sit across security, clinical operations, IT, legal, and procurement because zero trust changes both access and operational workflow. Security owns policy design, clinical leaders approve operational exceptions, and legal should review vendor access terms before they become breach exposure. Zero trust fails when it is treated as a technical project instead of a shared governance model.
👉 Read our full editorial: HIMSS 2026 showed zero trust and segmentation as healthcare’s real controls