Elisity Blog

Hospital Cyber Resilience: Main Line Health’s Chaos Engineering Approach

Most health systems define cyber resilience as having a plan. A disaster recovery runbook, a tabletop exercise, maybe an annual penetration test. And that’s not wrong, exactly. Those are necessary pieces. But here’s where it breaks down: a plan that hasn’t been tested under real conditions is a theory, not a capability.

Main Line Health, a five-hospital nonprofit system in the Philadelphia suburbs with 1,348 licensed beds and more than 160 clinical practices, took a different approach to hospital cyber resilience. They decided to prove their network segmentation works by intentionally breaking things. Rolling network outages. Forced digital darkness. Nurses charting on paper while the team watched what happened to 100,000 connected devices.

At HIMSS 2026, I sat down with Main Line Health CISO Aaron Weismann to walk through how they used chaos engineering (a discipline popularized by Netflix for testing software resilience) to validate their healthcare microsegmentation deployment across clinical networks. What follows are the key patterns from that conversation, told largely in Aaron’s own words.

Figure: Overhead view of a modern hospital floor with patient rooms and connected medical devices.

Pattern 1: Flat Networks Are a Patient Safety Problem

Main Line Health operates five hospitals, eight large ambulatory sites, and roughly 160 clinical practices across five counties in the Philadelphia suburbs. The device count is staggering: approximately 40,000 connected biomedical devices, with total devices reaching up to 100,000 when you include servers, endpoints, printers, and everything else that supports hospital operations.

Like most health systems, the network was designed for frictionless patient care. That meant flat. Aaron joined Main Line Health in 2020 specifically to reinvent information security, and the network he inherited was not unusual for healthcare.

“We have a lot of devices sitting on the same production network with the capability of talking to each other and maybe they shouldn’t be. Especially in the MIoT, OT, and IoT spaces. All of those devices are computers. They can be used to leverage an attack, or they can be used to move laterally through the environment to get to crown jewels.”

Aaron Weismann, CISO, Main Line Health

Aaron uses the term MIoT (Medical Internet of Things, also referred to as IoMT) to describe these clinical devices. An MRI talking to an echocardiogram is nonsensical traffic. But on a flat network, nothing prevents it. And every one of those 40,000 biomedical devices is a computer that can be used as a pivot point for lateral movement.

Before exploring new solutions, Main Line Health tried the conventional approaches. They moved OT devices to dedicated VLANs, a process whose cost in service hours alone exceeded that of the alternatives. They started evaluating a traditional NAC solution years before engaging Elisity. As Aaron put it: they were still working on it when a new path opened up.

Pattern 2: Immediate Visibility Changes the Entire Conversation

I’ve watched segmentation projects stall for months in the discovery phase. Teams building device inventories manually, spreadsheet by spreadsheet, trying to catalog what’s actually on the network before they can even think about policy. That’s the traditional approach. It’s also why so many projects never get past discovery.

What shifted the trajectory at Main Line Health was how quickly the team could see real traffic patterns. Not an inventory exercise. Actual network behavior.

“You deploy it, you’re able to see the network cross talk between devices almost immediately. And then you’re also able to see the vacuum, where those devices aren’t talking to each other, where they shouldn’t be talking to each other. Once you identify the yes and the no populations, you can winnow down the universe of things you need to look at.”

Weismann

That visibility made it possible to separate legitimate clinical traffic (infusion pumps talking to Epic, MRIs sending studies to PACS) from anomalous and potentially dangerous communication. Instead of trying to catalog every device upfront, the team could focus investigation on traffic that didn’t make sense.

For a health system with 100,000 devices spread across five hospitals and dozens of ambulatory sites, that ability to prioritize is the difference between a project that stalls and one that actually moves.

Pattern 3: Overcoming the Anxiety of Hitting Deny

Even with clear visibility, the hardest part of any segmentation deployment in healthcare is enforcement. Every CISO I talk with in this space understands the dynamic: blocking traffic between clinical devices carries real stakes. Get it wrong and you could compromise patient care. The anxiety is legitimate.

Aaron was direct about this.

“People were very anxious about potentially compromising patient care by taking down devices that are supposed to be communicating with each other. We’re a very conservative organization. We wanted to make sure that we weren’t potentially compromising patient care. That took a great deal of deliberation.”

Weismann

Main Line Health addressed this by phasing enforcement deliberately. Start where risk is lowest and confidence is highest:

  • Tier 3: Physician practices, where device populations are smaller and traffic patterns simpler
  • Tier 2: Mental health and substance abuse treatment facilities, corporate offices
  • Tier 1: Acute care hospitals, where device density and clinical complexity are highest

At each tier, the team used modeling to validate policies before enforcement. They started with the easy wins: devices that weren’t communicating with anything, or communicating so infrequently that the traffic warranted investigation rather than protection. Only after building confidence through each tier did they move to the acute care environments.
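In practice, the "yes and no populations" from Pattern 2 and the modeling step described here come down to joining observed flow records against a device inventory and a candidate allow-list. The script below is an added example, written for this page rather than taken from Elisity's product or Main Line Health's process. It drafts an allow-list from constructed NetFlow-style records, splits traffic into flows the policy would permit and flows to investigate, lists inventoried devices that never spoke at all, and estimates how much observed volume enforcement would drop. Every device name, class, port and count is made up for illustration.

```python
# Constructed sample inventory and flow records; not Main Line Health data.
INVENTORY = {
    "pump-01": "infusion_pump",
    "pump-02": "infusion_pump",
    "mri-01": "mri",
    "echo-01": "echocardiogram",
    "epic-gw-01": "ehr_interface",
    "pacs-01": "pacs",
    "lblprn-01": "label_printer",
    "ws-nurse-01": "workstation",
    "vent-01": "ventilator",          # never seen talking: a "silent" device
}

# Observed flows as (src, dst, dst_port, flow_count), e.g. from a NetFlow/IPFIX export.
FLOWS = [
    ("pump-01", "epic-gw-01", 443, 1200),
    ("pump-02", "epic-gw-01", 443, 1150),
    ("mri-01", "pacs-01", 104, 300),        # DICOM
    ("ws-nurse-01", "epic-gw-01", 443, 5000),
    ("ws-nurse-01", "lblprn-01", 9100, 80),
    ("mri-01", "echo-01", 445, 3),          # nonsensical: MRI talking SMB to an echo cart
    ("pump-01", "pump-02", 22, 1),          # lateral movement candidate
    ("10.9.8.7", "epic-gw-01", 443, 2),     # source not in the inventory at all
]

# Candidate allow-list after clinical review: (source class, destination class, destination port).
POLICY = {
    ("infusion_pump", "ehr_interface", 443),
    ("mri", "pacs", 104),
    ("workstation", "ehr_interface", 443),
    ("workstation", "label_printer", 9100),
}


def device_class(device, inventory):
    """Classification for a device, or 'unknown' if it was never inventoried."""
    return inventory.get(device, "unknown")


def propose_policy(flows, inventory, min_flows=10):
    """Draft an allow-list from observed traffic: class triples seen at least min_flows times
    form the 'yes' population; rare triples stay out so they get investigated, not protected."""
    totals = {}
    for src, dst, port, count in flows:
        key = (device_class(src, inventory), device_class(dst, inventory), port)
        if "unknown" in key[:2]:
            continue  # never auto-allow traffic involving an uninventoried device
        totals[key] = totals.get(key, 0) + count
    return {k for k, n in totals.items() if n >= min_flows}


def classify_flows(flows, inventory, policy):
    """Split observed flows into those the policy permits and those it would deny."""
    expected, investigate = [], []
    for src, dst, port, count in flows:
        key = (device_class(src, inventory), device_class(dst, inventory), port)
        (expected if key in policy else investigate).append((src, dst, port, count))
    return expected, investigate


def silent_devices(flows, inventory):
    """Inventoried devices that appear in no flow: either truly idle or misclassified."""
    seen = {d for src, dst, _, _ in flows for d in (src, dst)}
    return sorted(set(inventory) - seen)


def enforcement_impact(flows, inventory, policy):
    """Fraction of observed flow volume that enforcing the policy would drop. A high number on a
    clinical unit means the model is wrong, not that the unit is hostile."""
    total = sum(c for *_, c in flows)
    _, investigate = classify_flows(flows, inventory, policy)
    return sum(c for *_, c in investigate) / total if total else 0.0


if __name__ == "__main__":
    draft = propose_policy(FLOWS, INVENTORY)
    print("draft policy matches reviewed policy:", draft == POLICY)
    ok, review = classify_flows(FLOWS, INVENTORY, POLICY)
    print(f"{len(ok)} expected flows, {len(review)} to investigate:")
    for f in review:
        print("  DENY?", f)
    print("silent devices:", silent_devices(FLOWS, INVENTORY))
    print(f"policy would drop {enforcement_impact(FLOWS, INVENTORY, POLICY):.2%} of observed volume")
```

The three flows that land in the investigate bucket are exactly the ones a practitioner wants a human to look at before enforcement: an MRI speaking SMB to an echo cart, pump-to-pump SSH, and a source that is not in the inventory. The silent ventilator is a classification question, not a policy one.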

The result: zero unplanned outages from the deployment. Aaron described the Elisity rollout as “transparent, quiet.”

Pattern 4: Chaos Engineering as Validation Strategy

Figure: Main Line Health’s three-phase chaos engineering methodology (pre-outage, during outage, post-outage) validates microsegmentation policies through structured, intentional network outages.

This is where Main Line Health’s approach diverges from most healthcare segmentation stories. And honestly, from most segmentation stories in any industry.

Rather than deploying policies and hoping for the best, Aaron’s team borrowed from the tech industry’s chaos engineering playbook: intentionally forcing parts of the network down to test what actually happens.

“Chaos engineering is where you intentionally hinder your systems to test the resilience of the overall system. We wanted to intentionally force parts of our network down so we could test the resilience of our nurses, test the resilience of our patient care, test the resilience of our devices connecting or reconnecting to the network.”

Weismann

The team ran rolling outages across the network, scheduled during daytime hours when the full network and clinical teams were available. For imaging departments, they worked around radiology schedules so patients could still be processed at the modality even when remote reading was temporarily compromised. For med-surg units, they upstaffed nursing to handle the shift to analog processes.

Outage windows were kept to roughly two hours: clinically significant enough to test real workflows, but not so long that patient safety was compromised. During these windows, the team validated three things:

  • Device behavior: How do devices disconnect and reconnect? Are connections clean, or are devices flapping on the network?
  • Analog processes: Are nurses switching to paper charting correctly? What does that paper chart look like?
  • Policy assumptions: Do the segmentation policies hold up under stress? Is the network behaving as the models predicted?

“We were able to predict with a high degree of accuracy, because of our tool set, what exactly would happen in the event of these rolling outages. Which is very effective for our disaster recovery planning and our business impact assessment planning.”

Weismann

Because the team could model traffic patterns before forcing an outage, they knew what should happen. Chaos engineering confirmed whether reality matched the model. That’s the distinction between a plan and a proven hospital cyber resilience capability.
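The device-behavior check during an outage window (clean reconnect versus flapping, and whether each device gets its segmentation policy back) is a comparison of an event log against the model's prediction. The script below is an added example, not Main Line Health's tooling or Elisity's: it runs that comparison over a constructed switch event log for one two-hour window, measuring how long each device took to have its policy re-applied after the planned restore, counting link transitions to catch flapping, and reporting every divergence from the model. The SLA and flapping thresholds are assumed values chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed switch/NAC event log for one outage window on a single unit; not Main Line Health data.
# Fields: ISO timestamp, device, event.
EVENTS = [
    ("2026-03-10T10:00:00", "pump-01", "link_down"),
    ("2026-03-10T10:00:00", "mri-01", "link_down"),
    ("2026-03-10T10:00:00", "ws-nurse-01", "link_down"),
    ("2026-03-10T12:00:00", "pump-01", "link_up"),       # planned restore
    ("2026-03-10T12:00:00", "mri-01", "link_up"),
    ("2026-03-10T12:00:00", "ws-nurse-01", "link_up"),
    ("2026-03-10T12:00:05", "pump-01", "policy_applied"),
    ("2026-03-10T12:00:07", "mri-01", "policy_applied"),
    ("2026-03-10T12:00:20", "mri-01", "link_down"),      # MRI bounces repeatedly after restore
    ("2026-03-10T12:00:35", "mri-01", "link_up"),
    ("2026-03-10T12:00:50", "mri-01", "link_down"),
    ("2026-03-10T12:01:05", "mri-01", "link_up"),
    ("2026-03-10T12:01:10", "mri-01", "policy_applied"),
    # ws-nurse-01 comes back up but never gets its segmentation policy re-applied
]

OUTAGE_END = "2026-03-10T12:00:00"

# What the model predicts (assumed thresholds): every device has its policy back within
# RECONNECT_SLA_S of restore, and no device flaps.
RECONNECT_SLA_S = 60
FLAP_WINDOW_S = 120
FLAP_THRESHOLD = 3   # more link transitions than this inside the window counts as flapping


def parse(events):
    """Group events by device, ordered by time."""
    by_dev = defaultdict(list)
    for ts, dev, ev in events:
        by_dev[dev].append((datetime.fromisoformat(ts), ev))
    return {dev: sorted(evs) for dev, evs in by_dev.items()}


def reconnect_latency(by_dev, outage_end):
    """Seconds from planned restore to the first policy_applied event; None if it never came."""
    end = datetime.fromisoformat(outage_end)
    out = {}
    for dev, evs in by_dev.items():
        applied = [t for t, ev in evs if ev == "policy_applied" and t >= end]
        out[dev] = (applied[0] - end).total_seconds() if applied else None
    return out


def flap_count(by_dev, outage_end, window_s):
    """Link transitions per device strictly after the planned restore, inside the window."""
    end = datetime.fromisoformat(outage_end)
    stop = end + timedelta(seconds=window_s)
    return {dev: sum(1 for t, ev in evs if ev in ("link_down", "link_up") and end < t <= stop)
            for dev, evs in by_dev.items()}


def findings(by_dev, outage_end, sla_s=RECONNECT_SLA_S, window_s=FLAP_WINDOW_S,
             threshold=FLAP_THRESHOLD):
    """Every way reality diverged from the model. An empty list is the evidence for the board."""
    out = []
    for dev, lat in reconnect_latency(by_dev, outage_end).items():
        if lat is None:
            out.append((dev, "policy never re-applied after restore"))
        elif lat > sla_s:
            out.append((dev, f"policy re-applied {lat:.0f}s after restore (SLA {sla_s}s)"))
    for dev, n in flap_count(by_dev, outage_end, window_s).items():
        if n > threshold:
            out.append((dev, f"flapping: {n} link transitions in {window_s}s after restore"))
    return sorted(out)


if __name__ == "__main__":
    for dev, msg in findings(parse(EVENTS), OUTAGE_END):
        print(f"{dev}: {msg}")
```

Note the two failure modes this separates. A device that flaps but eventually gets its policy is a physical or driver problem to fix before the next window; a device that comes back up and never gets its policy is the case that matters for segmentation, because it is now on the network without the controls the model assumed.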

Pattern 5: Clinical Collaboration Is Not Optional

Aaron kept coming back to one point throughout our conversation: microsegmentation in healthcare cannot be a security-only initiative. I’ve seen organizations treat it that way, and the projects either stall or produce policies that break clinical workflows. Aaron learned this early in his tenure and applied it directly to the segmentation program.

“Very early in that journey, I realized that if we don’t bring our clinical operators to the table day one, we’re not going to get it done. We’re going to have lots of questions, a lot of anxiety. We need to be able to work through that.”

Weismann

Here’s how the collaboration worked in practice. The security and network teams would map the devices on an inpatient unit, model expected traffic patterns, and then bring clinical operators into the room. They’d walk through the device inventory together and ask: “Here’s what we expect these devices to do. Is that your understanding?”

When clinicians confirmed the model matched their workflows, the team had confidence to enforce. When clinicians flagged discrepancies, the team adjusted before anything was blocked. This wasn’t a sign-off meeting at the end of a project. It was continuous collaboration built into every phase.

The organizational shift was notable. Before the initiative, Aaron described conversations where hospital leaders compared the network to “a desktop plugged into a wall.” After the collaborative process, clinical, IT, and security teams shared a common vocabulary for how technology supported patient care. That kind of organizational understanding doesn’t show up in a metrics dashboard, but it changes everything about how fast you can move on future security initiatives.

Pattern 6: The Discoveries You Don’t Expect

The part of the program that surprised even Aaron’s team was what they found along the way. The rolling outages weren’t just validating segmentation policies. They were stress-testing the entire organization’s preparedness for a real cyberattack.

“One really great lesson learned: our health system has red phones, the old copper line phones we use in the event of emergency outages. Half of ours didn’t work. You couldn’t hear people on them. We drove organization-wide repair of these phones so that now they actually work.”

Weismann

Think about that for a moment. Half of the emergency communication infrastructure didn’t function. And nobody knew until they actually tested it. Consider what that means during an actual ransomware event, when digital systems are down and the organization needs analog fallback. This is the kind of discovery that only surfaces when you test under real conditions, not on paper.

The outages also revealed network hardware that had been running without restarts or updates for seven years. By surfacing these issues in a controlled environment, the team could address them proactively rather than discovering them mid-crisis. Staff who had been spending their time keeping aging infrastructure alive were redirected to higher-value work: ongoing policy review, traffic monitoring, and security posture improvement.

Chaos engineering didn’t just validate the segmentation. It became a forcing function for infrastructure hygiene across the entire organization.

Pattern 7: Board Reporting, Compliance, and the Shrinking Blast Radius

Main Line Health’s board and CEO asked for network segmentation by name. That level of executive mandate is unusual and speaks to how deeply the risk conversation has penetrated healthcare leadership. Aaron was able to report back with evidence (not just assertions) that segmentation was in place, how it was implemented, and what it meant for organizational risk.

The compliance picture extends beyond the boardroom. Cyber insurers are asking increasingly detailed questions about segmentation, moving well past the checkbox stage into multi-page questionnaires about implementation specifics. According to Akamai’s 2025 Segmentation Impact Study of 1,200 security leaders, 60% of organizations reported premium reductions after improving their segmentation posture, and 75% of insurers now assess segmentation maturity during underwriting.

“The new HIPAA security rule amendments coming up have a requirement for network segmentation. How are you as an organization going to be able to do that if you haven’t already started down that path?”

Weismann

Looking ahead, Main Line Health is now pursuing real-time, risk-based device microsegmentation. The approach ties into their IoMT visibility platform: when a device is flagged as high-risk, it gets automatically sandboxed, restricted to communicating only with the internet and nothing else on the internal network. For lower-risk devices, the team is increasing policy resolution from broad categories to granular classifications.

“One of the things we did right out the gate is we don’t want printers to be a thing. We want label printers to be a thing. We want patient arm printers to be a thing. We want multifunction devices to be a thing. As we increase that granularity, we’re able to better attest to our ability to say: in the event there’s a device compromise, the potential blast radius is so small.”

Weismann

That last phrase is worth sitting with. The goal isn’t a segmented network as a checkbox. The goal is a blast radius so small that a compromised device has almost nowhere to go.
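Blast radius can be computed rather than asserted: it is the set of internal devices a compromised device can reach by chaining allowed class-to-class rules. The script below is an added example, not Elisity's or Main Line Health's code, over a constructed inventory that carries both a coarse classification ("printer") and a granular one ("label_printer"), and it also models the internet-only sandbox for a high-risk device described above. All device names and policy rules are invented for illustration.

```python
from collections import deque

# Constructed inventory, not Main Line Health data: device -> (coarse class, granular class).
DEVICES = {
    "lblprn-01": ("printer", "label_printer"),
    "armprn-01": ("printer", "wristband_printer"),
    "mfd-01":    ("printer", "multifunction_printer"),
    "ws-01":     ("workstation", "workstation"),
    "ws-02":     ("workstation", "workstation"),
    "print-srv": ("server", "print_server"),
    "epic-gw":   ("server", "ehr_interface"),
    "pacs-01":   ("server", "pacs"),
    "pump-01":   ("medical", "infusion_pump"),
    "mri-01":    ("medical", "mri"),
}

# Policies are allowed (initiating class, destination class) pairs. Assumed rules.
COARSE_POLICY = {
    ("workstation", "server"),
    ("workstation", "printer"),
    ("printer", "server"),       # only MFDs need scan-to-share, but every 'printer' inherits it
    ("medical", "server"),
}
GRANULAR_POLICY = {
    ("workstation", "ehr_interface"),
    ("workstation", "label_printer"),
    ("workstation", "wristband_printer"),
    ("workstation", "multifunction_printer"),
    ("multifunction_printer", "print_server"),
    ("infusion_pump", "ehr_interface"),
    ("mri", "pacs"),
}


def reachable(start, devices, policy=None, level=0, quarantined=frozenset()):
    """Internal devices a compromised `start` can reach by chaining allowed class pairs.
    policy=None models a flat network. level picks the classification column
    (0 coarse, 1 granular). Quarantined devices keep no internal destinations, i.e. the
    internet-only sandbox. Only the initiating direction is modeled; a compromised server
    attacking its clients over an existing session is out of scope here."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        if src in quarantined:
            continue
        for dst in devices:
            if dst in seen:
                continue
            if policy is None or (devices[src][level], devices[dst][level]) in policy:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def blast_radius(start, devices, policy=None, level=0, quarantined=frozenset()):
    """Number of internal devices within reach of a single compromised device."""
    return len(reachable(start, devices, policy, level, quarantined))


if __name__ == "__main__":
    for dev in ("lblprn-01", "mfd-01", "ws-01"):
        print(dev,
              "flat:", blast_radius(dev, DEVICES),
              "coarse:", blast_radius(dev, DEVICES, COARSE_POLICY, 0),
              "granular:", blast_radius(dev, DEVICES, GRANULAR_POLICY, 1),
              "sandboxed:", blast_radius(dev, DEVICES, GRANULAR_POLICY, 1, frozenset({dev})))
```

The label printer is the instructive case. On the flat network it reaches everything. Under the coarse policy it inherits the multifunction devices' server rule and can reach the EHR interface and PACS, because "printer" is one class. Under the granular policy it has no outbound rule at all, so its blast radius is zero; only the multifunction device keeps a single hop to the print server.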

Main Line Health Cyber Resilience: By the Numbers

  • 5 hospitals and 160+ clinical practices across the Philadelphia suburbs
  • 1,348 licensed beds across the health system
  • ~40,000 connected biomedical devices, up to 100,000 total devices on the network
  • 25 security team members and 8 network team members supporting the initiative
  • 3+ years of weekly collaborative calls with Elisity
  • Zero unplanned outages from the microsegmentation deployment
  • 3-tier phased rollout: physician practices, then ambulatory/specialty sites, then acute care hospitals
  • 50% of emergency red phones discovered non-functional during chaos testing
  • ~2-hour controlled outage windows for chaos engineering validation
  • Board-mandated network segmentation with executive and cyber insurance reporting

Figure: Main Line Health’s phased deployment model starts with lowest-complexity sites and scales toward acute care hospitals.

Building Hospital Cyber Resilience: What This Means for Your Organization

Main Line Health’s story challenges several assumptions that hold health systems back from pursuing microsegmentation.

You don’t need to choose between security and clinical operations. As Aaron put it in one of the session’s most important takeaways: “Clinical operations and security can coexist.” The key is bringing clinical operators to the table from day one, not as approvers at the end, but as collaborators throughout.

You don’t need a massive team. Main Line Health accomplished this with 25 security staff and 8 network staff. Neither team could dedicate full-time resources to the project. As Aaron confirmed, the ongoing management of microsegmentation is not a full-time job for any single person on either team.

Validation matters as much as deployment. What makes this approach distinctive is not just that they segmented the network, but that they proved it works under stress. Chaos engineering gave them evidence to present to their board, their insurers, and their clinical teams. That’s a fundamentally different conversation than “we deployed a tool.”

The regulatory window is closing. The proposed HIPAA Security Rule amendments include network segmentation requirements. Cyber insurers are asking for it by name. Boards are asking for it by name. The organizations that start now will be the ones that can demonstrate compliance when deadlines arrive.

For health systems considering a similar path, Main Line Health’s approach offers a practical template: start with visibility, build policies through modeling, phase enforcement from low-risk to high-risk environments, bring clinicians into every step, and validate everything through controlled testing. The result is not just a more secure network. It’s an organization that knows its defenses work because it tested them.

Plans are a start. Proof is what keeps patients safe.

Frequently Asked Questions About Hospital Cyber Resilience

How do hospitals test cyber resilience?

Most hospitals rely on tabletop exercises, penetration testing, and disaster recovery drills. Main Line Health went further by adopting chaos engineering: intentionally forcing controlled network outages to test how devices, clinical staff, and analog processes perform under real stress conditions. Their approach included scheduling two-hour outage windows, monitoring device reconnection behavior, testing nurses’ ability to switch to paper charting, and validating that segmentation policies held up as modeled. This provided direct evidence of resilience rather than theoretical assumptions.

What is chaos engineering in healthcare?

Chaos engineering is the practice of intentionally introducing controlled failures into a system to test its resilience. Popularized by Netflix for testing software infrastructure, Main Line Health adapted the approach to clinical networks. They ran rolling network outages to validate that microsegmentation policies performed correctly, that clinical workflows had functional analog fallbacks, and that devices reconnected cleanly after disruption. The process surfaced issues (like non-functional emergency red phones) that would only appear under real testing conditions.

How does microsegmentation improve hospital security?

Microsegmentation restricts lateral movement across the network by enforcing identity-based policies that control which devices can communicate with each other. In a hospital environment with tens of thousands of connected medical devices, this means a compromised infusion pump or imaging system cannot be used to reach other clinical systems, EHR databases, or administrative networks. Main Line Health uses granular device classification (distinguishing label printers from patient arm printers from multifunction devices) to shrink the potential blast radius of any single device compromise to the smallest possible footprint.

What does the proposed HIPAA security rule say about network segmentation?

The proposed HIPAA Security Rule amendments, still in the notice of proposed rulemaking (NPRM) stage as of early 2026, include network segmentation as a required security safeguard. This represents a shift from segmentation as a recommended practice to a regulatory expectation. Organizations that have not started implementing segmentation will need to begin planning now. Additionally, cyber insurance carriers are increasingly requiring documented evidence of network segmentation during underwriting, with 75% of insurers now assessing segmentation maturity according to Akamai’s 2025 Segmentation Impact Study.

How long does it take to deploy microsegmentation in a hospital?

The technical deployment itself can happen in weeks. What takes longer is building and validating the policies with clinical stakeholders. Main Line Health used a three-tier phased approach: starting with physician practices (simplest environments), moving to mental health and specialty facilities, and finally addressing acute care hospitals where device density and clinical complexity are highest. The visibility platform provided immediate value by surfacing traffic patterns, which accelerated policy development significantly compared to the VLAN and NAC approaches that had been underway for years at Main Line Health before they shifted strategies.

How do you get clinical buy-in for network segmentation?

Main Line Health’s approach was to involve clinical operators from day one as active collaborators, not as a final approval step. The security and network teams would map expected device behavior on a clinical unit, then walk through it with clinicians: “Here are the devices on your unit, and here is what we expect them to do. Is that your understanding?” When clinicians confirmed the model, the team had confidence to enforce. When they flagged discrepancies, the team adjusted before blocking any traffic. Aaron Weismann attributes much of the program’s success to this early and continuous clinical engagement, noting that it also built shared organizational understanding of how technology supports patient care.

About the Author

Mick Coady is the Field CTO at Elisity, where he works with healthcare, manufacturing, and critical infrastructure organizations on identity-based microsegmentation strategy. With nearly 30 years in cybersecurity, including leadership roles at PwC, Deloitte, KPMG, and CA Technologies, Mick brings cross-industry practitioner experience to every engagement. He is a regular speaker at CHIME ViVE, HIMSS, and other healthcare technology conferences.
