Elisity Blog

HIMSS 2026: What We Learned About Zero Trust, Segmentation, and Privilege at the Cybersecurity Command Center

Key Takeaways at a Glance

  • More security tools don't mean better security. Tech rationalization is how you build a program that actually works.
  • Most healthcare breaches succeed because trust is misplaced, not because defenses are weak. Vendors, credentials, and integrations are the hidden attack paths.
  • Cooper University Health Care cut unknown edge devices by 75% and increased segmentation coverage by 45% by combining device hardening, network segmentation, and cross-departmental collaboration.
  • Performing a HIPAA risk analysis under attorney-client privilege is a strategic legal decision with real trade-offs. Every healthcare CISO should work through it with counsel before starting an assessment.
  • Security maturity beats security spending. Across every session Tuesday, zero trust architecture built around identity was the consistent answer.

Setting the Scene: HIMSS 2026 Opens in Las Vegas

HIMSS 2026 opened at the Venetian Convention & Expo Center in Las Vegas on Tuesday, March 10, and cybersecurity owned the conversation from the first hour. Sessions on cybersecurity ran back-to-back all day, covering topics healthcare security leaders have been wrestling with for years.

Jon McNeill, former President of Tesla and Managing Partner at DVx Ventures, and John Halamka, MD, of the Mayo Clinic Platform, opened the day with a keynote on healthcare's technology transformation and the security responsibilities that come with it.

We spent time at the Carahsoft booth #6424 talking with customers, partners, healthcare organizations, and peers across healthcare IT, cybersecurity, and AI. With more than 1000 technology partners on the floor, the conversations tracked closely with what showed up in the sessions: vendor consolidation, ransomware resilience, medical device security complexity, and the stubborn gap between accumulating tools and actually improving outcomes.

Elisity brought a full team to Las Vegas for the week. Mick Coady (Field CTO), Jarrod Washington (Director of Sales, West), George Kent (Senior Sales Engineer), Brittney Ames (Strategic Alliances), Olivia Oliver (Director of Event & Field Marketing), William Toll (VP, Product Marketing) and Marc LaValley (Business Development) were all on site at Booth #6424 in the Carahsoft Pavilion, running demos, meeting customers and partners, and covering sessions across the conference.

On Tuesday, Mick Coady sat down with media for a recorded interview on mistakes we keep making in healthcare security and what we are not talking about enough in the community. We'll share that when it publishes.

Four sessions stood out from Tuesday's slate. Here's what we took away.


What Is Tech Rationalization in Healthcare Cybersecurity?

Tech rationalization in healthcare cybersecurity means systematically evaluating your security program across people, process, and technology to find the overlap, close the real gaps, and stop spending money on coverage you already have somewhere else. Done well, it doesn't just cut costs. It builds a program that actually works instead of one that looks good on paper.

Session: "Tech Rationalization for Healthcare Cyber Readiness"
Sponsor: Fortified
Speaker: Russell Teague, Chief Strategy & Security Officer, Fortified Health Security

Russell Teague opened with a line every security leader in the room recognized: more tools, more dashboards, same headaches. Healthcare organizations add roughly one net-new technology to their security stack every year, often without retiring anything. Most are using only about 60% of any given tool's effectiveness. A meaningful chunk of most security budgets is doing very little.

Security fails at the seams, Teague argued. Ownership gaps, handoff failures, vendor sprawl that nobody has a complete picture of. A bigger budget or another platform won't fix that. A deliberate assessment of where you actually are will.

Teague walked through a program rationalization model built around a five-level maturity scale derived from PRISMA and CMMI. Sixty items span governance, identification, and operational categories, and the output is a red/yellow/green map you can put in front of a CFO to explain exactly where dollars should go and why. Red is high-priority. Yellow is in progress. Green is optimized, though Teague was clear the goal isn't all-green across the board. Risk acceptance is part of every program, and pretending otherwise means you're not being honest about your risk tolerance.

CFOs are asking for 10 to 20% cost reductions right now. That creates an opening for security teams to reframe budget conversations: not "here's what I'm cutting," but "here's how I'm redeploying these dollars to get better coverage." Rationalization is the vehicle for that conversation, and for building a genuine multi-year roadmap instead of reacting year to year.

Programs that measure a maturity baseline and track improvement at one year, two years, five years can turn security from a cost center narrative into a demonstrable risk management story. That's a different conversation with leadership entirely.


Why Healthcare Breaches Are a Trust Problem, Not a Technology Problem

Zero trust in healthcare is a security architecture built on one principle: never assume anything inside your network is safe to trust. Every user, device, and connection must continuously verify its identity and authorization before accessing clinical systems or patient data. Most healthcare breaches don't succeed by punching through strong defenses. They succeed by abusing trust that was already there.

Session: "The Trojan Horse Was Already Inside: Rethinking Trust in Healthcare Cybersecurity"
Sponsor: Cox Business
Speakers: Katie Patton, Patton Tech & Risk Advisory, L.L.C.; Miles Tanner, RapidScale

Katie Patton opened with Troy. Not as a tired analogy but as a sharp one. For ten years, Troy held off the Greeks with walls that didn't break. Then the Greeks left a wooden horse at the gate. Troy brought it inside, celebrated, went to sleep, and lost everything that night. Walls weren't the problem. Trust was.

Healthcare today is in the same position. Firewalls, endpoint security, compliance programs, regulatory oversight: these are strong walls. What most organizations lack is a clear-eyed view of what they're actually trusting and why. Vendors get remote access. Integrations spin up. APIs multiply. Every one of those relationships is a potential attack path when it runs on implicit trust, the assumption that anyone with credentials is doing what they're supposed to do.

Patton drew a hard line between implicit and explicit trust. Implicit is how most healthcare IT works today: access gets granted because a C-suite executive called, because a vendor needs to get their application running, because someone just wants to get the job done. Explicit trust means asking the questions first. Who needs access, why, to what, for how long, and what happens when that need ends. Defining trust before it's assumed, rather than auditing it after something goes wrong.

Cybersecurity isn't a CISO problem, Patton argued. It's a clinical problem, a legal problem, and a cultural problem that starts at the board level. Legal needs to be in vendor contracts before they're signed, not summoned after a breach. Leadership needs to be invested enough to say: tell me why you need this access before we grant it. That cultural shift doesn't happen bottom-up. Executive sponsorship is what makes it real.

Miles Tanner reinforced the identity management piece. Most organizations treat identity as invisible infrastructure: something compliance requires but nobody actually governs. Patton's argument was that identity should be treated as a governed asset, the control plane for everything zero trust depends on. Who has access, what they can do with it, and whether that access is still appropriate today are no longer just IT hygiene questions. They're patient safety questions.

From where we sit, this session articulated the problem that microsegmentation and identity-based network segmentation are built to solve. When misplaced trust is the primary attack surface, better firewalls aren't enough. Controlling what devices and users can reach once they're inside, enforcing least-privilege access dynamically, and making sure a compromised vendor credential can't open a path to your entire network: that's the architecture zero trust is built around, and it's what network microsegmentation enforces at scale.


How One Hospital Secured 10,000+ Edge Devices Through Segmentation

Network segmentation in healthcare means dividing a hospital's network into isolated zones so devices, workloads, and clinical systems can only communicate with what they're explicitly authorized to reach. At Cooper University Health Care, a structured segmentation program cut unknown edge devices by 75% and increased segmentation coverage by 45%.

Session: "Securing the Edge: Protecting Our Hospital"
Speaker: Phil Curran, Chief Information Security Officer & Chief Privacy Officer, Cooper University Health Care

Phil Curran's session was the most concrete of the day, and the most directly applicable to anyone managing device sprawl in a large health system. Cooper's initial risk assessment turned up more than 10,000 edge devices operating across the network: mobile workstations, tablets, infusion pumps, diagnostic equipment. Many had limited oversight, outdated software, hardcoded credentials, and patching timelines controlled by vendors rather than by the health system's security team.

That last point deserves attention. Vendor-controlled patching is endemic to healthcare IT. Medical devices are FDA-regulated, meaning manufacturers control when updates are released. When a device reaches end-of-life but stays clinically essential, there's no realistic path to patching it out of vulnerability. Network isolation becomes the only credible control: making sure a compromised infusion pump can't reach an EHR, and that lateral movement from one clinical zone stays contained.

Curran walked through how Cooper addressed this systematically:

  • Device hardening using CIS (Center for Internet Security) baselines wherever applicable
  • Network segmentation to isolate device categories and limit lateral movement paths
  • Identity and access management improvements to ensure device and user access was governed, not assumed
  • Passive vulnerability monitoring to maintain visibility without disrupting clinical operations
  • Cross-departmental collaboration bringing biomedical teams, clinical operations, IT, and security into alignment on policy decisions

Results: 75% reduction in unknown edge devices, 45% increase in segmentation coverage, and measurable improvement in how departments work together on security decisions. By Curran's account, the cross-departmental model was a key factor in making the program sustainable rather than a one-time audit exercise.
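As an added illustration (not code from the session, from Cooper, or from Elisity), here is a small Python model of the discipline described above: a device inventory that includes one unclassified device, a default-deny role-based allow-list, and the two metrics the session reported (unknown-device share and segmentation coverage). Device names, roles and the policy are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Device:
    device_id: str
    role: Optional[str]   # None = seen on the network but not yet classified
    zone: str

# Constructed sample inventory (not Cooper's data): edge devices plus two servers.
INVENTORY: List[Device] = [
    Device("pump-01", "infusion_pump", "clinical"),
    Device("pump-02", "infusion_pump", "clinical"),
    Device("ws-07", "mobile_workstation", "clinical"),
    Device("ct-01", "diagnostic", "imaging"),
    Device("gw-01", "pump_gateway", "clinical"),
    Device("ehr-01", "ehr", "datacenter"),
    Device("unk-9f", None, "clinical"),   # surfaced by passive monitoring, role unknown
]

# Least-privilege policy: source role -> destination roles it may reach.
# Anything not listed is denied, so an infusion pump can never reach the EHR
# directly, and an unclassified device can reach nothing at all.
POLICY: Dict[str, FrozenSet[str]] = {
    "infusion_pump": frozenset({"pump_gateway"}),
    "pump_gateway": frozenset({"ehr"}),
    "mobile_workstation": frozenset({"ehr", "pump_gateway"}),
}

def is_allowed(src: Device, dst: Device, policy: Dict[str, FrozenSet[str]] = POLICY) -> bool:
    """Default deny: unknown endpoints and unlisted role pairs are blocked."""
    if src.role is None or dst.role is None:
        return False
    return dst.role in policy.get(src.role, frozenset())

def unknown_share(inventory: List[Device]) -> float:
    """Fraction of discovered devices that still have no classification."""
    return sum(1 for d in inventory if d.role is None) / len(inventory)

def coverage(inventory: List[Device], policy: Dict[str, FrozenSet[str]] = POLICY) -> float:
    """Fraction of devices whose role is governed by an explicit outbound rule."""
    return sum(1 for d in inventory if d.role in policy) / len(inventory)

def uncovered(inventory: List[Device], policy: Dict[str, FrozenSet[str]] = POLICY) -> List[str]:
    """Devices that are known but still have no explicit policy (the remaining gap)."""
    return [d.device_id for d in inventory if d.role is not None and d.role not in policy]

def classify(inventory: List[Device], device_id: str, role: str) -> List[Device]:
    """The visibility step: turn an unknown device into a known, governed one."""
    return [Device(d.device_id, role, d.zone) if d.device_id == device_id else d
            for d in inventory]

if __name__ == "__main__":
    pump, gw, ehr, unk = INVENTORY[0], INVENTORY[4], INVENTORY[5], INVENTORY[6]
    print("pump -> ehr allowed?", is_allowed(pump, ehr))      # False
    print("pump -> gateway allowed?", is_allowed(pump, gw))   # True
    print("unknown -> gateway allowed?", is_allowed(unk, gw)) # False
    print("unknown share before:", round(unknown_share(INVENTORY), 3))
    after = classify(INVENTORY, "unk-9f", "infusion_pump")
    print("unknown share after:", unknown_share(after))
    print("coverage before/after:", round(coverage(INVENTORY), 3), round(coverage(after), 3))
    print("still uncovered:", uncovered(after))
```

Classifying the one unknown device lifts coverage without touching the policy, which is the visibility-first point Curran made; the `uncovered` list shows where the next policy decision is needed.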

What this reinforced is something we've seen consistently in healthcare: organizations making real progress on device security aren't the ones with the biggest budgets. They're the ones who treat segmentation as an operational discipline rather than a project. Start with visibility, knowing what's on the network, what it's doing, and what it should have access to. Then enforce policies that reflect the actual clinical environment, not an idealized network diagram.

For health systems still running flat networks where a compromised bedside device could theoretically reach administrative systems, Curran's session was a practical blueprint. Cutting unknown devices by 75% alone is a significant risk reduction. You can't protect what you can't see, and unknown devices are exactly the entry points attackers look for.

Elisity customers in healthcare have taken a similar approach, using the Elisity IdentityGraph™ to continuously discover and classify every device across hospital networks, then applying dynamic least-privilege policies through existing network infrastructure. No new hardware, no agents, no network re-architecture required. Main Line Health deployed microsegmentation across 40 locations in under four months. What Curran described is achievable, and the path there is faster than most security teams expect.


Should Healthcare CISOs Perform Security Assessments Under Attorney-Client Privilege?

Performing a security assessment under attorney-client privilege means conducting it at the direction of legal counsel so the findings are protected from disclosure in litigation, regulatory investigations, and breach response proceedings. For healthcare organizations, where a HIPAA Security Rule risk analysis can map every vulnerability in the organization, deciding whether to invoke that protection is a significant strategic question with real costs on both sides.

Session: "The Pros and Cons of Performing Security Assessments Under Privilege"
Speaker: Adam Greene, Partner, Davis Wright Tremaine LLP (former HHS Office for Civil Rights)

Adam Greene is a Band 1 Chambers-ranked HIPAA and healthcare privacy attorney and a former regulator at HHS, first with the Office of General Counsel and then at the Office for Civil Rights. He opened by acknowledging he's a lawyer and can't claim to be fully unbiased on the privilege question, then committed to shooting as straight as possible. The candor landed well.

A comprehensive HIPAA Security Rule risk analysis is one of the most valuable documents a healthcare security team can produce. Left unprotected, it's also one of the most dangerous. A thorough assessment maps vulnerabilities with specificity. In litigation or an OCR enforcement action, that document can become a roadmap for the opposing party. Privilege is a mechanism to protect it while still doing the work, but it comes with real constraints.

Greene used a recent case to make the stakes concrete. Acting on behalf of the FTC, the Department of Justice brought an action against a telehealth provider that had publicly claimed to be "100% HIPAA compliant" while an outside assessment had found the organization was only 60% compliant. When public compliance claims outrun actual posture, those documents become evidence in enforcement. His advice: never claim you're 100% HIPAA compliant. HIPAA compliance is a journey, not a destination.

On privilege itself, Greene covered attorney-client privilege and attorney work product doctrine as the two primary protections, explained the risk of subject matter waiver (how invoking privilege in one context can inadvertently waive it more broadly), and walked through what happens when OCR requests to see an assessment you've conducted under privilege.

His conclusion was balanced: genuine benefits, genuine costs. Whether privilege makes sense depends on your organization's specific risk profile, litigation exposure, and regulatory environment. Work through it with experienced healthcare privacy counsel before you start an assessment, not after you've already conducted one without it.

For CISOs who haven't had this conversation with their legal team yet, Greene made the case for starting it now. OCR enforcement continues to evolve, and the documents your security team produces today can surface in contexts you won't anticipate for years.


What We Heard at the Carahsoft Booth

Conversations at the booth reinforced the session themes in concrete ways. Healthcare security leaders aren't struggling with awareness. They know what zero trust means, they understand why segmentation matters, they've read the playbooks. Execution is where things break down: turning the right strategy into an operational reality inside complex organizations with limited staff, constrained budgets, and clinical environments that can't tolerate disruption.

A few themes came up repeatedly:

  • Vendor consolidation as a financial and operational priority, the same pressure Teague addressed directly in the tech rationalization session
  • Edge device sprawl as a persistent blind spot, particularly around IoMT devices that fall outside traditional IT management workflows
  • Ransomware resilience as the primary driver for segmentation investment, with lateral movement containment as the specific outcome most organizations are working toward
  • Tool accumulation without operational maturity: organizations with deep security stacks that still can't answer basic questions about what's on their network
  • AI-driven threats accelerating urgency around identity governance and access controls

Organizations making real progress shared a common trait: leadership alignment across security, IT, and clinical operations. Organizations still stuck were almost universally dealing with siloed accountability.


What's Next at HIMSS 2026

Wednesday brings another full slate at the Cybersecurity Command Center, with sessions covering AI in healthcare security, regulatory compliance, and incident response preparedness. We'll publish a Day 2 recap Wednesday evening.

At HIMSS 2026 and want to talk through how identity-based microsegmentation applies to your environment? Whether that's edge devices, IoMT, clinical network segmentation, or zero trust architecture, find us at Booth #6424. We'll have an honest conversation about what's actually achievable and how other health systems have gotten there.

Not at the conference? Request a demo to see how Elisity's microsegmentation platform works in a healthcare environment, or explore our healthcare security resources for more on the topics covered this week.


Frequently Asked Questions

Q: What cybersecurity sessions were featured at HIMSS 2026?

A: HIMSS 2026's Cybersecurity Command Center hosted back-to-back sessions on March 10 covering tech rationalization, zero trust and lateral movement in healthcare networks, edge device security, and the legal considerations of performing security assessments under attorney-client privilege. Sessions were held at the Venetian Convention & Expo Center in Las Vegas.

Q: What is tech rationalization in healthcare cybersecurity?

A: Tech rationalization in healthcare cybersecurity is the process of evaluating your security program across people, process, and technology to identify redundant tools, close genuine gaps, and redirect resources toward the highest-risk areas. According to Russell Teague of Fortified Health Security at HIMSS 2026, most organizations use only about 60% of any given security tool's effectiveness. A structured rationalization process can improve outcomes while reducing overall spend.

Q: Why is zero trust important for healthcare networks?

A: Most healthcare breaches don't succeed by punching through perimeter defenses. They succeed by exploiting trust that already exists inside the network. Zero trust architecture requires every user and device to continuously verify identity and authorization, removing the assumption that anything inside the network is automatically safe to trust.

Q: How do hospitals secure edge devices and medical IoT?

A: Hospitals secure edge devices and medical IoT through device hardening using CIS baselines, microsegmentation to isolate device categories and limit lateral movement, identity and access management improvements, passive vulnerability monitoring, and cross-departmental collaboration between security, IT, and clinical operations teams. Phil Curran, CISO at Cooper University Health Care, described this approach at HIMSS 2026, where it produced measurable results across more than 10,000 edge devices.

Q: What results can network segmentation achieve in healthcare?

A: Cooper University Health Care's segmentation program achieved a 75% reduction in unknown edge devices and a 45% increase in segmentation coverage, according to CISO Phil Curran at HIMSS 2026. Segmentation limits the blast radius of ransomware and other attacks by preventing lateral movement between clinical zones, administrative systems, and networked medical devices.

Q: Should HIPAA risk assessments be conducted under attorney-client privilege?

A: Whether to conduct a HIPAA Security Rule risk analysis under attorney-client privilege is a strategic legal decision that requires careful evaluation with healthcare privacy counsel. Privilege can protect assessment findings from disclosure in litigation and regulatory proceedings, but it carries risks including subject matter waiver and complications with OCR enforcement requests. Adam Greene, Partner at Davis Wright Tremaine and former HHS Office for Civil Rights regulator, walked through the trade-offs in detail at HIMSS 2026.

Q: What is the HIMSS 2026 Cybersecurity Command Center?

A: HIMSS 2026's Cybersecurity Command Center is a dedicated cybersecurity theater inside the exhibition floor, located at Booth 10001 in Hall G (Level 1, The Park) at the Venetian Convention & Expo Center in Las Vegas. Sponsored sessions from healthcare cybersecurity experts run throughout the conference, covering zero trust, medical device security, regulatory compliance, and security program maturity.
