Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why do traditional VLANs and ACLs fail in…
Governance, Ownership & Risk

Why do traditional VLANs and ACLs fail in healthcare segmentation programs?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

They depend on static network placement and manual rule maintenance, which does not fit mobile clinicians, roaming devices, or IoMT systems. Healthcare security needs policy that follows identity and function, not switch port or IP address. That is why legacy segmentation often leaves the most sensitive paths exposed.

Why This Matters for Security Teams

Traditional VLANs and ACLs were built for relatively stable network boundaries, not for care environments where endpoints move constantly and access needs change by shift, role, and clinical task. In healthcare, segmentation is often expected to protect EHR systems, PACS, lab platforms, and connected devices, yet the control plane still depends on IP ranges, switch ports, and manually maintained rules. That gap becomes dangerous when clinicians roam, IoMT assets are vendor-managed, and emergency workflows override normal network assumptions. NIST’s control guidance for network access and boundary protection reinforces that segmentation must be deliberate and enforceable, not merely documented on a diagram, as reflected in the NIST SP 800-53 Rev 5 Security and Privacy Controls.

NHIMG research on the State of Secrets in AppSec shows how often security programs overestimate their operational control, and the same pattern appears in segmentation programs that are strong on architecture slides but weak in live enforcement. In practice, many security teams encounter lateral movement and overbroad access only after a medical device or workstation has already reached a sensitive segment, rather than through intentional validation of who can talk to what and why.

How It Works in Practice

Effective healthcare segmentation starts by treating identity, workload, and function as the policy inputs, then using network controls only as an enforcement layer. VLANs can still separate broad zones, but they should not be the only control deciding who can reach which clinical application or device class. ACLs are useful for coarse filtering, yet they break down when a user changes location, a device swaps subnets, or a third-party support session needs narrowly scoped access. That is why many modern programs pair segmentation with policy based on authenticated identity, device posture, and approved clinical workflow.

Practitioners usually need three layers working together:

  • Identity-aware access policy that determines whether the requester is a clinician, biomedical device, vendor system, or automation.
  • Context-aware rules that evaluate location, device health, time, and destination service at request time.
  • Enforcement points that apply the decision consistently across campus, remote access, and cloud-connected clinical services.

This is where static network design fails: a device can remain in the “right” VLAN while still having the wrong privileges for the current task. Current best practice is to make policy follow the user or workload, not the socket. NIST control language around access enforcement, boundary protection, and least privilege supports that direction, and the same principle is visible in NHIMG’s DeepSeek breach analysis, where exposed trust assumptions become an attacker’s advantage. These controls tend to break down in mixed legacy environments because older clinical systems cannot reliably consume modern identity signals and still depend on fixed IP-based allowlists.

Common Variations and Edge Cases

Tighter segmentation often increases operational overhead, requiring organisations to balance reduction in blast radius against device compatibility, clinical uptime, and support complexity. That tradeoff is especially visible in hospitals with long-lived imaging systems, lab analyzers, and vendor-maintained platforms that cannot tolerate frequent rule changes or agent installation.

There is no universal standard for this yet, but current guidance suggests a tiered approach: keep VLANs for broad containment, use ACLs for constrained choke points, and add identity-centric controls for high-risk paths such as EHR access, privileged admin sessions, and remote biomedical support. Segmentation exceptions should be explicit, time-bound, and logged, especially for emergency departments and break-glass workflows. A common edge case is “flat by exception” design, where temporary access rules accumulate until the segment behaves like an open network. Another is IoMT that changes IP address after reboot, which can silently bypass ACL intent if policy is anchored to network location alone. Mature programs therefore test segmentation continuously, not only during design reviews.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Segmentation must enforce access based on least privilege and identity.
NIST SP 800-63Identity assurance underpins access decisions for roaming clinicians and devices.
NIST Zero Trust (SP 800-207)AC-4Zero Trust replaces implicit trust from VLAN placement with explicit policy.
OWASP Non-Human Identity Top 10NHI-01Healthcare segments often fail when machine identities are not governed separately.
NIST AI RMFPolicy must account for changing context and operational risk in dynamic environments.

Use AI RMF risk management patterns to keep access policy responsive to changing clinical conditions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org