Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Microsegmentation in healthcare: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Healthcare leaders broadly recognise microsegmentation as necessary, yet Omdia’s survey of 176 healthcare security leaders found only 9% have protected more than 80% of critical systems, while nearly half experienced a lateral movement attack in the past year. The gap is not awareness, it is identity-based execution across clinical devices and users.

NHIMG editorial — based on content published by Elisity: Microsegmentation in Healthcare: Omdia Survey Findings

By the numbers:

Questions worth separating out

Q: How should healthcare security teams implement microsegmentation without disrupting clinical workflows?

A: Start with the highest-risk patient-facing systems and the identities that legitimately need access to them.

Q: Why do traditional VLANs and ACLs fail in healthcare segmentation programs?

A: They depend on static network placement and manual rule maintenance, which does not fit mobile clinicians, roaming devices, or IoMT systems.

Q: What breaks when microsegmentation covers only part of a hospital environment?

A: Partial coverage creates isolated zones while leaving adjacent trust paths open.

Practitioner guidance

  • Map segmentation to patient-critical pathways Identify which device-to-system paths would create the greatest patient safety impact if compromised, then prioritise those paths for isolation before broader network zones.
  • Replace static network boundaries with identity-aware policy Move away from VLAN-only thinking and define access based on device identity, clinical role, and trust level.
  • Measure containment by reachable critical systems Track the percentage of EHR, monitoring, imaging, and medication systems that are unreachable from lower-trust segments after a compromise.

What's in the full report

Elisity's full blog post covers the operational detail this post intentionally leaves for the source:

  • Survey breakdown by respondent type, including healthcare-specific segmentation priorities and device classes.
  • Detailed comparisons between legacy segmentation methods and identity-based microsegmentation in clinical settings.
  • Healthcare compliance context, including how segmentation maps to HIPAA security expectations and audit evidence.
  • Deployment and integration considerations for SIEM, EDR, and SOAR workflows in hospital environments.

👉 Read Elisity's analysis of microsegmentation survey findings in healthcare →

Microsegmentation in healthcare: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Microsegmentation in healthcare fails when it is treated as a network project instead of an identity control. The survey shows broad support for microsegmentation, but support is not the same as control coverage. Healthcare environments are shaped by rotating clinicians, mobile devices, and patient-facing systems, so the real governance problem is identity-bound east-west access. Practitioners should stop measuring success by deployment intent and start measuring whether critical clinical pathways are actually isolated.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.

A question worth separating out:

Q: Who is accountable when segmentation failures lead to patient-impacting disruption?

A: Accountability sits with the organisation that owns clinical risk, security architecture, and lifecycle governance together. In healthcare, segmentation is not only a network team responsibility because access decisions affect patient safety, compliance, and operational continuity. Governance has to join those functions instead of leaving them separated.

👉 Read our full editorial: Microsegmentation in healthcare is still an execution gap



   
ReplyQuote
Share: