Elisity Blog

HIMSS 2026 Microsegmentation Survey on Healthcare

New research from HIMSS Market Insights and Elisity surfaces a stubborn contradiction in healthcare cybersecurity and medical device security.

Key Takeaways

  • 60% of health systems cannot adequately protect unpatchable, agentless medical devices
  • 40% cite fear of clinical disruption as the top barrier to microsegmentation adoption
  • 78% rate proven breach/ransomware prevention as the most important decision criterion
  • 46% report cyber insurance carriers now request segmentation controls at renewal
  • 58% rank avoided clinical downtime as the top expected ROI outcome

Download the full HIMSS & Elisity report for complete findings across all five research areas.

When evaluating microsegmentation, 58% of healthcare leaders say their number-one priority is avoiding clinical downtime and patient safety incidents. Fair enough. Connected infusion pumps, ventilators, and imaging systems are keeping patients alive. Nobody wants to risk breaking one.

But 40% of those same leaders say fear of clinical disruption is why they haven't implemented microsegmentation at all.

Sit with that for a second. Protection without downtime is both what they want most and what stops them from acting. That's the Implementation Paradox, and it's leaving thousands of hospitals exposed to ransomware and lateral movement attacks that microsegmentation was built to stop.

Download the full HIMSS and Elisity Insights Report →

The Implementation Paradox survey covers priorities, barriers, and buying criteria shaping healthcare network security decisions right now. HIMSS Market Insights fielded the research in December 2025, surveying 50 senior leaders across U.S. health systems with 300+ hospital beds and $500M+ annual revenue. Respondents included C-suite executives, IT and technology leaders, cybersecurity directors, clinical technology managers, and operations leaders, all with direct decision-making authority or significant influence over network security investments.

Here's what the data reveals, why legacy segmentation keeps failing, and what a realistic path forward looks like.

HIMSS Microsegmentation Survey on Medical Device Security: Key Findings on IoMT Risk

If you're a CISO, CTO, or security architect at a large health system, you already live this challenge. Your network connects tens of thousands of devices, many never designed with cybersecurity in mind. CT scanners running end-of-life operating systems. Infusion pumps that can't accept a software agent. Building automation controllers that haven't seen a patch in years.

Survey data confirms what practitioners keep saying: protecting unpatchable, agentless devices remains the single biggest gap in healthcare IoMT security and medical device protection. Thirty-six percent of leaders rated this a major issue. Combine major and moderate responses and the number hits 62%. Nearly two-thirds of health systems acknowledge they can't adequately protect their most vulnerable devices.

Poor device visibility ranks second. Thirty percent flagged it as a major issue, with 56% calling it moderate or major. You can't protect what you can't see, and keeping an accurate inventory across thousands of IoMT devices at dozens of facilities is brutal with traditional tools.

Rounding out the top concerns: 52% cited a lack of continuous monitoring for lateral movement and segmentation failures, and 54% pointed to policy-management overhead, meaning the policies needed to segment these environments are too hard to write or scale with current tooling.

None of this is theoretical. Ransomware operators exploit exactly these gaps when they move laterally through flat hospital networks, escalating from a single compromised endpoint to full-scale encryption of clinical systems.

[Figure: HIMSS survey chart showing IoMT security gaps in healthcare medical device protection]
Source: HIMSS & Elisity Healthcare Microsegmentation Survey, January 2026 (n=50)

Why Legacy Network Segmentation Keeps Failing Healthcare

Understanding the Implementation Paradox starts with understanding why healthcare organizations are stuck. CISOs and security architects get the value of microsegmentation. Every previous generation of segmentation technology, however, demanded exactly the kind of operational disruption that healthcare can't absorb.

Legacy network segmentation means some combination of VLAN restructuring, firewall rule creation, ACL management, NAC configurations, and extensive re-IPing of devices. Each requires change control windows. Each risks blocking a clinical workflow. Each takes months or years to plan, test, and roll out across a multi-facility health system.

Aaron Weismann, CISO of Main Line Health, described the experience before his team found a modern alternative: they pursued traditional segmentation solutions and ran into internal resistance because the operational burden was too high. Network re-plumbing would've taken years. Change control windows numbered in the thousands.

That story repeats across the industry. HIMSS data shows the top barriers clearly:

[Figure: HIMSS survey chart showing barriers to healthcare microsegmentation implementation]
Source: HIMSS & Elisity Healthcare Microsegmentation Survey, January 2026 (n=50)

For mid-sized organizations (300 to 999 beds), staffing is even more painful. Sixty-two percent of leaders at mid-sized systems rated insufficient internal resources as a major barrier, compared to just 14% at organizations with 1,000+ beds. Smaller health systems face identical security challenges with a fraction of the cybersecurity staff.

IT and technology leaders feel the timeline pressure most acutely. Forty-three percent cited long rollout timelines as a major barrier, versus 15% of leaders in other roles. These are the people who've coordinated traditional segmentation across switches, VLANs, and clinical engineering teams. They've watched multi-year projects stall firsthand.

HIPAA-Compliant Network Segmentation and Cyber Insurance Requirements

Internal barriers slow adoption. External pressure speeds it up. Cyber insurance carriers have significantly tightened requirements around segmentation in the last two years.

Nearly half (46%) of leaders surveyed said their carrier requested specific controls, including MFA, EDR, and segmentation, during renewal or underwriting in the last 24 months. More than one in four (28%) said their carrier required proof of segmentation controls to maintain coverage. Twenty-two percent reported premium increases unless additional controls went in place, and 18% saw reduced coverage limits or added exclusions.

Identity-based, HIPAA-compliant network segmentation helps demonstrate access control, audit control, and transmission security for protected health information. For organizations juggling insurance renewals and regulatory compliance, microsegmentation addresses both at once.

None of these signals are subtle. Cyber insurers now treat network segmentation controls as a baseline expectation, not an optional add-on. Health systems that can't show segmentation controls at their next renewal face higher premiums, reduced coverage, or both.

And that creates another bind. CISOs need to prove segmentation progress to satisfy carriers, but traditional approaches take years and carry serious operational risk. One more dimension of the Implementation Paradox.

What Healthcare Leaders Actually Want: Decision Criteria for Microsegmentation Solutions

Beyond identifying problems, the survey mapped the specific criteria leaders use when evaluating microsegmentation, and the answers are consistent.

Proven ability to prevent breaches, ransomware, or lateral movement tops the list, with 78% rating it highly important. Close behind: avoiding disruption to clinical or operational workflows (76%), solution scalability (74%), integration with existing network infrastructure (70%), and real-time detection of lateral movement, failures, or violations (70%).

Priorities shift with seniority. Among C-suite, EVP, SVP, and VP-level leaders, 88% rated avoiding disruptions as highly important, compared to 64% of directors and managers. Real-time lateral movement detection showed a similar gap: 88% of senior leaders versus 52% at the director/manager level. And 76% of senior leaders emphasized comprehensive device coverage across IT, IoT, and IoMT, compared to 48% of directors and managers.

Primary decision-makers for data infrastructure and network security were also far more likely to prioritize integration with current infrastructure and real-time threat detection. Eighty-four percent of primary decision-makers rated both highly important, versus 56% of influencers.

Bottom line: healthcare leaders want microsegmentation that works on their current switching infrastructure, covers every device type (including unmanaged and agentless medical devices), catches lateral movement in real time, and deploys without disrupting patient care.

[Figure: HIMSS survey chart showing decision criteria for healthcare microsegmentation solutions]
Source: HIMSS & Elisity Healthcare Microsegmentation Survey, January 2026 (n=50)

Healthcare Microsegmentation Strategies for Unpatchable Medical Devices

How do you get microsegmentation-level security without the disruption healthcare leaders fear? You decouple security policy from the underlying network infrastructure.

Healthcare microsegmentation is the practice of enforcing least-privilege, identity-based network policies across IT, IoT, OT, and IoMT devices to prevent lateral movement inside hospitals. Unlike VLAN-based segmentation, identity-based microsegmentation doesn't require changing the network topology, installing agents, or scheduling downtime windows.

With legacy segmentation, you change the network: restructure VLANs, update ACLs, re-IP devices, install firewalls or agents. Identity-based zero trust microsegmentation flips that model. A software-defined policy layer sits on top of your switching infrastructure. Policies follow device identity, not IP address or network location, so a medical device gets the same protection on the third floor of Hospital A and in a mobile clinic across town.

Elisity built its microsegmentation platform around this principle. Elisity deploys in weeks, without downtime, rapidly discovering every user, workload, and device on an enterprise network and correlating usage insights into the Elisity IdentityGraph™. That gives teams what they need to automate classification and apply security policies to any device wherever and whenever it connects. Granular, identity-based microsegmentation policies are managed in the Elisity Cloud Control Center and enforced through your network switching infrastructure in real time, covering ephemeral IT, IoT, OT, and IoMT devices.

Key architectural advantages that map directly to the survey's top barriers:

  • Agentless deployment, critical for medical devices that can't run software agents
  • Integration with Cisco, Juniper, Arista, and Hirschmann switching infrastructure (no rip-and-replace)
  • Policy simulation and testing before enforcement, so clinical workflows are validated before any rules go live
  • Dynamic policies that follow devices across locations, essential for mobile medical equipment

For unpatchable medical devices specifically, security policies enforce at the network switch port level, not on the device. An MRI running Windows XP or an infusion pump with no agent capability still gets identity-based, least-privilege protection, same as a fully managed workstation. Elisity's Dynamic Policy Engine continuously evaluates device behavior and risk context, adjusting policies automatically without manual intervention.

You don't have to choose between security and uptime. Model policies in simulation. Validate against real traffic patterns. Enforce with confidence. All without touching the network architecture clinical systems depend on.

From Theory to Practice: How Health Systems Are Actually Doing It

Proof shows up in actual deployments. Two examples illustrate how the paradox gets resolved in practice.

Main Line Health is a not-for-profit health system with 5 hospitals, 6 health centers, 40+ physician offices, and more than 13,000 employees. CISO Aaron Weismann's team deployed Elisity across 130 practices and 24 locations. Discovery and classification hit 99% of devices within four hours of deployment, with zero network disruption. More than 31,000 IoT, OT, and IoMT devices now run under 11,000+ actively enforced policies (15,700+ total policies including simulated).

Main Line's experience maps directly to the survey's top concern: clinical disruption. Weismann described significant concern from clinical operators about unintended impacts to patient care as they shut down lateral communication between devices. By integrating Elisity with their Armis deployment and using Elisity's policy simulation capabilities, the team modeled rules, tested impact, and built confidence with clinical operations before enforcing anything. Biomedical device and security teams worked side by side to define blocking rules, validate them, and plan enforcement.

Weismann on the platform at scale: "The most surprising thing that came with Elisity was the ease with which we'd be able to manage our network security posture. It's one thing to be sitting in a live demo in one of our corporate locations, hearing how easy it is. It's another thing entirely to see that happen at scale. And it scaled beautifully."

MultiCare Health System, Washington State's largest not-for-profit, locally owned health system, operates 14 hospitals, hundreds of urgent care clinics, and employs 28,000+ people. CISO Jason Elrod approaches the work personally. With 16+ years in healthcare cybersecurity, a recent experience navigating the system as a family member sharpened his commitment: "When you go into healthcare, when you participate as a customer of healthcare, it's scary, and you don't feel empowered. It's chaotic. You're already not feeling good."

Elrod frames the core tension simply: hospitals run 24/7/365. When can you take systems down for upgrades or changes? Almost never. Legacy segmentation, with its extensive change control windows and months of network re-plumbing, doesn't fit that reality.

On why old methods fall short, Elrod echoes the survey's findings on timelines and staffing. Old ways don't work anymore. Healthcare organizations need tools that let them do more with the staff they already have. He called Elisity "the first solution that I've ever seen" that bridges legacy security postures to modern protection "in a rational fashion and just not smoke and mirrors."

Identity-based microsegmentation also opened new possibilities for Elrod beyond basic security. Workforce members can now get their own network segments based on identity, anywhere in the health system. "How would you like your own segment on the network, wherever you may roam?" he asked. "We can now enable that, much easier, because I can base it on your identity, wherever you're at." Legacy VLAN-based approaches would've made that prohibitively complex.

Elrod's broader goal: moving healthcare technology toward "a culture of yes," where security enables clinical innovation instead of blocking it. Microsegmentation, done right, is foundational to that shift.

The ROI Conversation: Microsegmentation ROI for Healthcare CISOs

Survey respondents are thinking about return on investment more broadly than just stopping attacks.

Avoiding clinical downtime and patient safety incidents tops the ROI list at 58%, consistent with the Implementation Paradox: leaders recognize that microsegmentation's biggest payoff is preventing the operational disruptions ransomware causes. Reducing incident response and breach remediation costs follows at 42%. Healthcare breaches still rank among the costliest in any industry.

Thirty percent cited improved operational efficiency through policy automation and fewer manual tasks, a compounding benefit for security teams already running lean. Twenty-four percent pointed to reduced compliance and audit effort, and 22% cited reduced cyber insurance premiums or improved underwriting terms.

Decision-making authority shapes these priorities. Primary decision-makers for data infrastructure and network security were three times more likely to cite reduced compliance and audit effort as a key ROI outcome (36% versus 12% of influencers). People closest to the compliance burden see microsegmentation as an audit simplification tool, not just a security control, one that generates push-button reports per user, workload, and device to streamline regulatory requirements.

Nathan Phoenix, Information Security Officer at Southern Illinois Healthcare, knows the challenge firsthand. After 27 years at SIH and "probably 10 years" searching for a viable segmentation solution, his team evaluated everything from firewalls to VLANs to NAC technologies. "Nothing really would work for us because it was just very costly. It took a lot of time to put in," he recalled. Competitors' reference customers "would be two years in and really have at least a couple more years to go with big teams trying to get it implemented." When his team brought in Elisity for a proof of concept, they "were just sold on it immediately because of the ease of getting it up and running, value almost immediately, and the ease of management without really having to add to the team." On why that matters, Phoenix was blunt: "Healthcare is in a very precarious position these days, so we don't have the money, we don't have the funding to be expanding to do new protective services. So we have to find ways that we can do the things that we want to do with the people that we have, and that's where Elisity comes in. And you don't have to have a person dedicated to that product."

HHS 405(d) and NIST CSF 2.0: Microsegmentation Best Practices for Healthcare

For healthcare CISOs navigating the proposed 2025 HIPAA Security Rule requirements, HHS 405(d), Health Industry Cybersecurity Practices (HICP), and NIST CSF 2.0, microsegmentation isn't optional. Each of these standards maps directly to what microsegmentation delivers.

Under HHS 405(d) HICP, network segmentation and microsegmentation are recognized as key safeguards to reduce risk from unmanaged clinical devices in hospitals of all sizes. Identity-based microsegmentation aligns with 405(d) recommendations and with NIST CSF 2.0's emphasis on continuous monitoring, risk-based access controls, zero trust architecture principles, and automated policy enforcement.

HIPAA Security Rule technical safeguards require access controls, audit controls, integrity controls, and transmission security. Identity-based microsegmentation provides least-privilege enforcement at the network level, continuous audit logging of device communications and policy actions, real-time visibility into traffic patterns and anomalies, and granular control of east-west traffic between devices.

Survey data reinforces the compliance link: 40% of leaders rated the ability to generate compliance evidence for regulators or insurers as highly important when evaluating solutions. Organizations that can demonstrate microsegmentation controls during audits or insurance reviews strengthen their compliance position across HIPAA, HHS 405(d), and NIST CSF 2.0 simultaneously.

Shift from compliance-as-checkbox to compliance-as-outcome. When microsegmentation includes built-in reporting and audit logging, compliance evidence becomes a byproduct of daily operations, not a fire drill before every audit cycle.

At Main Line Health, that outcome is tangible: two dedicated FTEs manage compliance with NIST, HIPAA, and HHS 405(d) requirements through the platform's reporting and policy enforcement across all 150+ locations.

What You'll Learn from the Full HIMSS and Elisity Report

This post covers the highlights. The Implementation Paradox: Healthcare Leaders Want Microsegmentation-Level Security Without Disruption goes deeper, with complete findings across all five research areas: security gaps and limitations, cyber insurance carrier actions, ROI priorities, decision-making criteria, and implementation barriers. Cross-tabulations by organization size, revenue, job function, and decision-making authority reveal important nuances in how different segments approach microsegmentation.

CISOs building the business case will find data that resonates with boards and CFOs. Security architects evaluating solutions will see the technical requirements healthcare cybersecurity vendors must meet. IT leaders managing network infrastructure will find validation for the operational realities that any successful deployment must account for.

Securing the Future of Patient Care

Here's where things stand. Healthcare leaders know their networks have critical visibility gaps. They know unpatchable devices are their biggest exposure. They know cyber insurers are tightening segmentation requirements. What's been missing is a path that doesn't trade clinical uptime for security progress.

Identity-based microsegmentation, deployed on existing infrastructure, without downtime, covering every device including agentless medical equipment, is that path. Main Line Health, MultiCare, and Southern Illinois Healthcare have proven it works in weeks, not years.

Frequently Asked Questions About Healthcare Microsegmentation

What is the Implementation Paradox in healthcare cybersecurity?

In the HIMSS and Elisity microsegmentation survey, 58% of healthcare leaders said avoiding clinical downtime is their top priority when evaluating microsegmentation, yet 40% said fear of disruption during deployment is why they haven't implemented it. Organizations want microsegmentation's protection but assume deploying it requires risky changes to clinical network infrastructure. Modern identity-based microsegmentation platforms resolve this by deploying on existing switching infrastructure without network downtime, VLAN restructuring, or agent installation on medical devices.

How does microsegmentation protect unpatchable medical devices?

Many IoMT and medical devices run legacy operating systems that can't be patched, and they can't accept software agents. Traditional security tools can't protect them. Healthcare microsegmentation enforces security policies at the network switch level, controlling what each device communicates with regardless of OS or patch status. An unpatchable CT scanner, for example, can be restricted to communicating only with the PACS system it needs, blocking lateral movement to and from that device. Elisity's agentless platform discovers and classifies every device on the network and applies identity-based policies without any software installation on the device.
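As an added illustration (not Elisity's code and not part of the survey), the Python below models the approach described in the strategies section and in this answer: policies keyed to device identity groups rather than IP addresses, default deny, a simulation pass over flow records that reports what would be blocked before anything is enforced, and a device relocation that keeps its policy. The group names, device ids, IP addresses, ports and flow-record format are constructed assumptions.

```python
"""Identity-based policy simulation for clinical devices (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed device inventory: device id -> (identity group, current IP).
# Group names are hypothetical labels, not any vendor's classification scheme.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "ct-scanner-01":    ("imaging",        "10.20.1.15"),
    "pacs-01":          ("pacs",           "10.30.5.10"),
    "infusion-pump-17": ("infusion-pump",  "10.40.2.8"),
    "infusion-pump-18": ("infusion-pump",  "10.40.2.9"),
    "workstation-42":   ("it-workstation", "10.50.0.20"),
}

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    ports: frozenset   # permitted destination ports

# Least-privilege allow list; any flow not matched is denied.
POLICY: List[Rule] = [
    Rule("imaging", "pacs", frozenset({104, 11112})),   # DICOM to the PACS
    Rule("it-workstation", "pacs", frozenset({443})),   # web viewer to the PACS
]

def identity_for_ip(ip: str) -> Tuple[str, str]:
    """Resolve an IP to (device id, group) through the live inventory."""
    for dev, (group, cur_ip) in INVENTORY.items():
        if cur_ip == ip:
            return dev, group
    return ip, "unknown"

def relocate(device: str, new_ip: str) -> None:
    """Device moved (e.g. to a mobile clinic): only its IP changes, not its policy."""
    group, _ = INVENTORY[device]
    INVENTORY[device] = (group, new_ip)

def decide(src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow, by identity group."""
    s_dev, s_group = identity_for_ip(src_ip)
    d_dev, d_group = identity_for_ip(dst_ip)
    for r in POLICY:
        if (r.src_group, r.dst_group) == (s_group, d_group) and port in r.ports:
            return "allow", f"{s_dev}->{d_dev}:{port} matches {s_group}->{d_group}"
    return "deny", f"{s_dev}->{d_dev}:{port} no rule for {s_group}->{d_group}"

def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse a constructed 'timestamp src dst port' flow record."""
    _, src, dst, port = line.split()
    return src, dst, int(port)

def simulate(flow_lines: List[str]) -> Dict[str, List[str]]:
    """Simulation mode: classify observed flows, enforce nothing.
    The 'deny' list is what security and biomedical teams review together
    before the policy is switched to enforce."""
    report: Dict[str, List[str]] = {"allow": [], "deny": []}
    for line in flow_lines:
        verdict, reason = decide(*parse_flow(line))
        report[verdict].append(reason)
    return report

# Constructed flow log: four flows a switch might export during simulation.
SAMPLE_FLOWS = [
    "2026-01-05T08:00:01 10.20.1.15 10.30.5.10 104",   # CT -> PACS (DICOM)
    "2026-01-05T08:00:02 10.40.2.8 10.40.2.9 445",     # pump -> pump (SMB)
    "2026-01-05T08:00:03 10.50.0.20 10.20.1.15 3389",  # workstation -> CT (RDP)
    "2026-01-05T08:00:04 10.50.0.20 10.30.5.10 443",   # workstation -> PACS
]

if __name__ == "__main__":
    for verdict, reasons in simulate(SAMPLE_FLOWS).items():
        for reason in reasons:
            print(verdict.upper(), reason)
```

The two denied flows in the sample are exactly the kind a team would inspect before enforcement: the pump-to-pump SMB flow is the lateral movement the policy is meant to stop, while the workstation-to-CT RDP flow may be a legitimate maintenance path that needs a rule of its own.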

What ROI should healthcare CISOs expect from microsegmentation?

According to the HIMSS survey, top expected ROI outcomes include: avoided clinical downtime and patient safety incidents (58%), reduced incident response and breach remediation costs (42%), improved operational efficiency through policy automation (30%), reduced compliance and audit effort (24%), and reduced cyber insurance premiums (22%). In practice, health systems using identity-based microsegmentation have achieved a 76% TCO reduction versus legacy segmentation (Main Line Health), implementations completing in weeks, and enterprise-wide management with as few as two dedicated FTEs.

How long does it take to deploy microsegmentation in a hospital environment?

With identity-based platforms like Elisity, typical deployment takes roughly two weeks for planning and training, two days to deploy and configure the Elisity Virtual Edge and create the first policy, and one week or more for policy strategy, simulation, and phased rollout. Main Line Health deployed across 150+ locations in under four months, with 99% of devices discovered and classified within four hours, all without network disruption. Compare that to traditional approaches, which often stretch into multi-year projects with thousands of change control windows.

Do cyber insurance carriers require microsegmentation for healthcare organizations?

Forty-six percent of healthcare leaders in the HIMSS survey said their carrier requested specific controls (including segmentation) during renewal or underwriting in the last two years. Twenty-eight percent said their carrier required proof of segmentation controls to maintain coverage, and 22% reported premium increases unless additional controls went in place. Requirements vary by carrier, but the direction is clear: network segmentation is becoming a baseline expectation. Organizations demonstrating microsegmentation controls may see more favorable premiums and broader coverage terms.

How does microsegmentation support HIPAA compliance and HHS 405(d)?

Microsegmentation applies zero trust principles to support multiple HIPAA Security Rule technical safeguards: access controls (least-privilege enforcement at the network level), audit controls (continuous logging of device communications and policy enforcement), and transmission security (granular control of east-west traffic). Under HHS 405(d) HICP, network segmentation and microsegmentation are recognized as key safeguards to reduce risk from unmanaged clinical devices in hospitals of all sizes. Elisity provides built-in reporting and audit logging that make compliance evidence a byproduct of operations, reducing preparation time before audits and regulatory reviews.

About the HIMSS & Elisity Medical Device Security Survey

Conducted by: HIMSS Market Insights
Fielded: December 2025
Sample size: 50 qualified healthcare leaders
Geography: United States
Organization criteria: 300+ hospital beds; $500M+ annual net revenue
Respondent roles: C-suite (34%), EVP/SVP/VP (16%), Director (34%), Sr. Manager/Manager (16%)
Job functions: IT/Technology (60%), Health Information Management (12%), Cybersecurity/InfoSec (10%), Operations/Strategy (8%), Executive Leadership (6%), Clinical Technology/Biomedical/IoMT (4%)
Decision authority: 50% primary decision-makers; 50% significant influence over decisions
Sponsorship: Blind data collection; Elisity was not identified as a sponsor

Get the Complete HIMSS Survey Findings

Download the full report for detailed cross-tabulations by organization size, revenue, job function, and decision-making authority across all five research areas.


Ready to See It in Action?

See how identity-based microsegmentation works across your healthcare environments, without downtime, without rip-and-replace, and without adding headcount.
