Healthcare Microsegmentation at 15 Hospitals: The St. Luke’s Story from the Gartner Security and Risk Management Summit
by William Toll on Jun 3, 2026 11:26:25 AM
At the Gartner® Security & Risk Management Summit in National Harbor, a senior security architect from one of the largest health systems in the Northeast walked on stage and repeated the nickname his own team had carried for most of a decade: “the Army of No.” Their CISO, David Finkelstein, had even picked up a sharper version of it, “Colonel No,” a reflection of how often security had to be the team that slowed things down. It was a role they never wanted, and one the tools of the day left them little choice but to play.
That reputation was earned in an environment that punishes a single wrong move: 15 hospitals, 85,000 production devices, 23,000 active users, roughly 1,800 vendors, spread across about 75 square miles. The turn in the story is what makes it worth telling. After a decade without a safe way to say yes, the same team used healthcare microsegmentation to start enabling the business, and they went live in weeks, not the year and a half everyone expected.
The story in brief
- St. Luke’s University Health Network spent roughly a decade unable to safely say “yes” to clinical innovation, because the tools they had could not segment the network without rip-and-replace.
- They adopted identity-based microsegmentation from Elisity on the network infrastructure they already owned: no new hardware, no agents, no re-IP.
- Outcomes the team shared on stage: surgical robots online on December 29, acquisitions onboarded in weeks instead of months, and a ransomware blast radius contained to a small set of devices instead of an entire hospital.
- The reframe that closed the talk: “Microsegmentation isn’t a security project. It’s a patient-care project.”
“They called us the Army of No”
Daniel Dopsovic is a Senior Enterprise Information Security Architect at St. Luke’s University Health Network, and he has been there for 19 years. Before that he spent six years in the US Navy as a computer technician aboard the USS Ticonderoga, working on the systems that handle navigation, radar, and weapons firing. He is not someone who treats “secure” and “operational” as a trade-off he can afford to get wrong.
And yet, for most of a decade, the only answer his team could give was “no.” Dopsovic put it plainly to the room.
“We were never equipped with the ability to say yes. Unfortunately, the only thing we could do is say no.”
That gap, the distance between wanting to enable the business and lacking the means to do it safely, is the real subject of this story. As Dopsovic relayed it, the CISO told the CIO that security “needs to be a force multiplier” and had to “give the business the ability to move forward and stop being a hindrance.” The intent was there. The mechanism was not.
The environment, quantified
It helps to understand the scale, because scale is the whole problem. St. Luke’s runs:
- 15 hospitals across Eastern Pennsylvania and New Jersey
- 350 physician group practices
- 85,000 production devices on the network, well over 100,000 once you count BYOD and guest
- 23,000 active users
- roughly 1,800 vendors, many of which, in Dopsovic’s words, are “vendors nobody on our team has met”
- about 75 square miles of coverage
On a flat or loosely segmented network, that footprint shares one nervous system. Dopsovic summarized the exposure in a single sentence: “One bad day on one device could take the rest of us down with it.” When every device can reach every other device, the size of the network becomes the size of your worst-case incident.
Three things that kept them up at night, one root cause
The team did not frame their challenge as an abstract risk score. They framed it as three concrete things that kept them awake.
Surgical robotics. Robotic-assisted surgical systems let a surgeon 3,000 miles away help guide a procedure. The clinical upside is enormous, and for two years the security answer had been “no.”
Hospital acquisitions. Every hospital St. Luke’s acquired arrived with a network the team did not design, full of devices nobody had documented. Onboarding it safely took months. As Dopsovic noted, “most organizations do not have accurate network diagrams, and even if you did, it’s probably just of your IT assets, not your biomedical, not your IoT devices.”
Ransomware blast radius. On a flat network, one compromised device can talk to anything, so the blast radius is the whole hospital.
Different symptoms, Dopsovic explained, but one underlying condition: the network could not contain a problem to where it started. Three problems, one root cause.
What they tried for ten years, and why it failed
St. Luke’s did not arrive at medical device segmentation by skipping the hard road. They walked it for ten years.
They tried macro segmentation with VLANs and firewalls. They hit the ceiling fast: there are only so many VLANs, the administrative workload climbs, and worst of all, segmenting often required changing device IP addresses. They also ran into the reality that very different device types (door controls, ultrasound machines, EMR workstations) all ended up stuck together on the same VLAN. These VLAN limitations are exactly why traditional segmentation stalls in hospitals: the construct was never built for this much device sprawl.
The alternatives on the table were no better. Re-IP every device older than ten years. Stand up an entirely new overlay network. Sign up for an 18-month deployment staffed by an army of consultants. Dopsovic’s verdict was blunt: “We had been at this for ten years. We weren’t going to spend another ten.” Converting roughly 500 PACS workstations the old way, he noted, “took well over six months.” That math does not scale to 85,000 devices.
The shift to healthcare microsegmentation: discover, classify, simulate, enforce
What finally worked was a different model. Instead of redesigning the network, St. Luke’s adopted identity-based microsegmentation and ran it on the network infrastructure they already owned. The platform they chose was Elisity. Dopsovic described the approach in the customer’s own terms, and the words that mattered most were the ones about what they did not have to do.
“No agents that we had to install, there was no additional hardware that we had to purchase. We leveraged our existing technology.”
The method followed four steps. Discover every user, workload, and device automatically. Classify by identity rather than by IP or VLAN. Simulate what a policy would block before turning it on. Enforce on the network infrastructure already in place. No new hardware, no new VLANs, no re-IP.
The shift in mental model is the part Dopsovic kept returning to: “You’re not dealing with IPs and VLANs, you are dealing with the identity of the device.” That is what makes agentless microsegmentation viable in an environment full of equipment you cannot install software on, like infusion pumps, imaging systems, and surgical robots. And the simulation step removed the fear that had frozen the team for years. “We were able to simulate our policies, see them in action before they went live, and were able to enable those policies in seconds.”
Three outcomes
December 29: every surgical robot online
The date stuck with the team because it marked the turn. Dopsovic told the room what it meant.
“December 29 was the day we got the surgical robots working. That was the first day we actually became that business enabler. Our physician group, our surgical staff, they were waiting two years for these devices.”
The point he stressed is that nothing about their standards changed. Microsegmentation let them wrap a layer of control around a device they could not directly manage, so they could tolerate more clinical capability without taking on more residual risk.
Acquisitions: months become weeks
Onboarding an acquired hospital used to be a six-to-nine-month exercise in mapping inherited networks, hunting undocumented devices, and managing flat trust between everything. With hospital M&A onboarding built on discover-classify-simulate-enforce, the picture changed.
“On average we were doing acquisitions about six to nine months. The last hospital we brought on took us three months. I think we waited longer for a firewall to come in than it took to map the entire network.”
The reframe Dopsovic offered is the one worth borrowing: acquisition risk becomes an integration timeline, not a security veto. The team went, in his words, “from months down to weeks.”
Ransomware: same threat, smaller fire
This is the outcome people expect to be told in the language of fear. Dopsovic did not. He treated it as a containment problem that now has an answer. On a flat network, one device down meant everything was reachable. After microsegmentation, a compromised device can only talk to what its identity actually needs.
His Navy background gave him a ready analogy. A health system is like a fleet, he explained, and each hospital is a ship; a ship survives a hit because watertight compartments keep flooding from spreading. Microsegmentation took St. Luke’s from one fleet down to individual compartments.
Same threat, smaller fire. That is the whole goal of healthcare ransomware protection through segmentation: you are not promising an attack will never happen, you are deciding in advance how far it can travel. A breach held to the handful of devices a compromised identity legitimately needs is a manageable incident. The same breach loose on a flat network is a hospital-wide crisis.
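As an added illustration (not Elisity's or St. Luke's code), the script below models the discover-classify-simulate-enforce method from the previous section and the blast-radius comparison above on a constructed device inventory: devices are classified into identity classes, a simulation pass reports which observed flows the policy would block before anything is enforced, and a reachability walk compares how far a compromised device can travel on a flat network versus under identity-based policy. All device names, classes, flows and the policy itself are constructed for the example.

```python
# Toy model of discover -> classify -> simulate -> enforce plus a blast-radius
# check. Added illustration; inventory, flow log and policy are constructed.
from collections import deque

# Constructed discovery results: device name -> identity class.
INVENTORY = {
    "robot-or1": "medical_iot", "pump-icu3": "medical_iot",
    "ws-pacs7": "pc", "ws-emr2": "pc", "prn-lobby": "printer",
    "srv-pacs": "server", "srv-emr": "server",
    "cam-door4": "general_iot", "tablet-rn1": "mobile",
}

# Identity-based allow list: source class -> destination classes it may reach.
# Any class not listed (including the "unknown" catch-all) is denied.
POLICY = {
    "medical_iot": {"server"},
    "pc": {"server", "printer"},
    "mobile": {"server"},
    "server": {"server"},
}

# Constructed flow log captured during discovery: (source, destination).
FLOWS = [("robot-or1", "srv-pacs"), ("robot-or1", "ws-emr2"),
         ("cam-door4", "pump-icu3"), ("ws-emr2", "prn-lobby")]

def classify(name):
    """Classify by identity; undocumented devices land in a catch-all class."""
    return INVENTORY.get(name, "unknown")

def allowed(src, dst):
    """Policy decision keyed on identity, never on IP address or VLAN."""
    return classify(dst) in POLICY.get(classify(src), set())

def simulate(flows):
    """Simulation step: list observed flows that enforcement would block."""
    return [(s, d) for s, d in flows if not allowed(s, d)]

def blast_radius(start, enforce):
    """Devices reachable from `start` by repeated lateral hops.
    enforce=False models a flat network; enforce=True applies POLICY."""
    seen, todo = {start}, deque([start])
    while todo:
        cur = todo.popleft()
        for dev in INVENTORY:
            if dev not in seen and (not enforce or allowed(cur, dev)):
                seen.add(dev)
                todo.append(dev)
    return seen - {start}
```

Running `simulate(FLOWS)` before enforcement surfaces the two flows the policy would break, and `blast_radius("pump-icu3", enforce=True)` shrinks the reachable set from every other device on the flat network to the two servers the pump's identity actually needs.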
Five things to take back to your team
Dopsovic closed the working part of his talk with a numbered list aimed squarely at the architects and CISOs in the room.
1. Stop trying to do this with VLANs alone. They were never built for this much device sprawl.
2. Treat segmentation as a force-multiplier project, not a friction project. Measure success by the clinical innovations you safely enabled, not the number of devices you blocked.
3. Get your CIO and network team in the room from day one. This is not a security project alone.
4. Demand simulation before enforcement. If a vendor cannot show you what a policy will block before you turn it on, walk away.
5. Pick a platform with peers live in your industry, then call them. If it takes 18 months to deploy, it is not solving today’s problem.
The reframe: a patient-care project
The line that landed hardest was the one Dopsovic used to reset the entire premise of the work.
“Microsegmentation is not a security project, it’s a patient care project, and it’s a project that enables the business.”
That sentence reorganizes the whole conversation. When segmentation is filed under “security,” it competes with clinical priorities and usually loses, which is how a team ends up nicknamed the Army of No. When it is understood as the thing that lets a hospital adopt robotic surgery, absorb an acquisition, and keep a ransomware incident from spreading, it stops being a tax on innovation and becomes the enabler of it. St. Luke’s did not become more permissive. They became more precise, and precision is what let them say yes.
So here is the question Dopsovic effectively handed the audience, and the one worth carrying back to your own team: count the number of times your team said “no” for a security reason this quarter. If that number is bigger than your organization’s actual appetite for risk, the constraint may not be your risk tolerance at all. It may be the architecture underneath it.
Frequently asked questions
What is identity-based microsegmentation?
Identity-based microsegmentation enforces network policy based on the identity of a user, workload, or device rather than its IP address or VLAN. Each device is classified by what it is and what it legitimately needs to communicate with, and policy follows that identity. As Dopsovic put it, “you’re not dealing with IPs and VLANs, you are dealing with the identity of the device.” This is what makes the approach practical across tens of thousands of mixed clinical and IT devices.
Are there segmentation approaches built specifically for healthcare?
Yes. Healthcare environments combine IT endpoints, biomedical devices, IoT, and connected medical equipment that often cannot run software agents and cannot tolerate downtime. St. Luke’s separated medical IoT, general IoT, PCs, printers, servers, and mobile devices into distinct policy groups. You can read more in the Microsegmentation Platform for Healthcare solution brief and the Microsegmentation Buyer’s Guide for Healthcare.
How do you segment connected medical devices without re-IP or new VLANs?
By classifying devices by identity and enforcing policy on existing network infrastructure rather than rebuilding the network. St. Luke’s installed no agents and bought no new hardware. As Dopsovic noted, “we leveraged our existing technology.” That is the core of agentless microsegmentation: you do not touch the device or its IP address to protect it.
How does microsegmentation reduce ransomware blast radius in a hospital?
On a flat network, a compromised device can communicate with anything, so a single infection can spread across an entire hospital. Microsegmentation limits each device to the connections its identity requires, so instead of a single infection reaching an entire hospital, the blast radius is held to the small set of devices a compromised identity legitimately needs. The threat is the same; the fire is smaller. For a deeper treatment, see the CISO’s Guide to Modern Microsegmentation.
How long does it take to deploy microsegmentation across a health system?
St. Luke’s spent about a month preparing their infrastructure, then completed their major segmentation buckets in roughly 46 days, without major outages. That contrasts with the 18-month, consultant-heavy deployments they had previously been quoted. Dopsovic’s guidance: if it takes 18 months to deploy, it is not solving today’s problem.
Why are VLANs not enough for hospital segmentation?
VLANs were not built for the device sprawl in a modern health system. There are a finite number of them, the administrative overhead grows quickly, and segmenting frequently requires changing device IP addresses. They also tend to strand very different device types (door controls, ultrasound machines, and EMR workstations) on the same VLAN, which defeats the purpose. These VLAN limitations are why St. Luke’s moved to identity-based policy.
How do you securely onboard an acquired hospital network?
Bring the acquired network in, discover and classify what is actually on it, simulate policy to confirm what would be blocked, then enforce on the network infrastructure that arrived with the site. St. Luke’s cut acquisition onboarding from six to nine months down to weeks, turning what used to be a security veto into an integration timeline. For another example of a health system at scale, see the Main Line Health case study.
Daniel Dopsovic shared this story on stage at the Gartner Security & Risk Management Summit.
Hear it from St. Luke’s, in their own words
Watch Daniel Dopsovic and the St. Luke’s team explain how identity-based microsegmentation enabled robotic surgery, onboarded acquired hospitals in weeks, and contained the ransomware blast radius, all on the network infrastructure they already owned.
GARTNER is a registered trademark and service mark, and COOL VENDORS is a trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.