HEALTHCARE MICROSEGMENTATION


How Do Hospitals Phase Identity-Based Segmentation Before the HIPAA Security Rule Is Final?

Hospitals keep hearing that a HIPAA compliance clock is already running on segmentation. It isn’t. This page, part of the healthcare microsegmentation guide, separates what the proposed Security Rule would require from what is voluntary today, then walks through a phased, identity-based roadmap hospitals can start now and defend to auditors later.

Quick Answer

HHS has proposed, not finalized, new segmentation expectations for hospitals. The HIPAA Security Rule NPRM, published in the Federal Register on January 6, 2025 (90 FR 898), would make network segmentation a required implementation specification instead of an addressable one. No final rule exists and no compliance clock is running, so hospitals gain the most by phasing identity-based segmentation now: discover, simulate, enforce, then document the evidence.[1]

TL;DR

  • The HIPAA Security Rule NPRM (90 FR 898, January 6, 2025) proposes network segmentation as a required implementation specification; the rule is not final and no compliance deadline exists.[1]
  • HHS 405(d) guidance already lists network segmentation as an enhanced voluntary practice, a separate track from the proposed rule that hospitals can act on today.[2]
  • St. Luke’s University Health Network deployed identity-based microsegmentation across 15 hospitals and roughly 85,000 production devices in about 46 days.[3]
  • One anonymized top 10 US health system cut projected segmentation TCO from $38 million to $9 million, a 76% reduction.[4]
  • A four-phase roadmap (discover, simulate, enforce, evidence) satisfies today’s voluntary goals and positions hospitals for whatever OCR finalizes.

How can I meet the new HIPAA Security Rule requirements for network segmentation?

Hospitals can’t be out of compliance with a rule that doesn’t exist yet. The new segmentation expectations live in the HIPAA Security Rule NPRM, published in the Federal Register on January 6, 2025, which proposes network segmentation as a required implementation specification rather than an addressable one. As of July 2026 no final rule has been published, so no compliance clock is running.[1]

The proposal itself is specific. Regulated entities would have to implement and maintain policies and procedures that segment their networks so that access to electronic protected health information is limited in a reasonable and appropriate manner.[1] Two words carry the weight: “required” and “maintain.” Required means the familiar addressable-specification flexibility, under which an entity may document why a safeguard is not reasonable and appropriate and implement an equivalent alternative, would be gone. Maintain means a one-time VLAN project wouldn’t satisfy it either; the segmentation has to be kept current as devices and flows change.

Here is where the record needs correcting. The comment period closed on March 7, 2025, and OCR received approximately 4,745 comments on the proposed HIPAA Security Rule update.[11] OCR has announced no final rule and no effective date, and yet plenty of 2026 compliance roundups describe these expectations as if they were already enforceable. They aren’t. A hospital can’t miss a deadline that doesn’t exist. It can, however, be badly unprepared for the one that eventually will.

The proposed rule is also not the only signal HHS has sent. The 405(d) program’s Health Industry Cybersecurity Practices already list network segmentation as an enhanced practice for larger organizations.[2] That guidance is voluntary and exists on a separate track from the NPRM, but the two point the same direction: segment now, on your own schedule, or segment later on OCR’s.

For a provision-by-provision breakdown of the proposal, read what changed in the proposed HIPAA Security Rule. For planning milestones, see the HIPAA Security Rule timeline for hospital CISOs. For the reference design that pairs with this roadmap, see the HIPAA architecture framework for segmenting hospital networks.

Status of the proposed HIPAA Security Rule as of July 2026: published in the Federal Register on January 6, 2025, comment period closed March 7, 2025, and no final rule or compliance deadline yet exists.

How do I meet HIPAA and HITRUST segmentation expectations for medical devices?

Meeting HIPAA and HITRUST expectations for medical devices starts from one shared premise: access to electronic protected health information must be limited to what each device and user actually needs. Identity-based microsegmentation can satisfy both frameworks without endpoint agents: it classifies each device by verified identity and enforces least-privilege policy through existing network hardware, which matters because most medical devices cannot run security agents at all.

Start with what the two frameworks share. HIPAA’s Security Rule requires reasonable and appropriate technical safeguards for ePHI wherever it travels, and infusion pumps, imaging systems, and patient monitors all touch it. The HITRUST CSF translates that legal standard into prescriptive, certifiable controls, with network segmentation among them, which is why so many health systems treat HITRUST certification as the evidence engine for their HIPAA due diligence.[5]

The hard part is the devices themselves. Manufacturers lock their software stacks, endpoint agents are off the table, and federal guidance lags the device fleet: NIST’s practice guide for segmenting wireless infusion pumps, SP 1800-8, dates to 2018.[6] An identity-based approach closes that gap from the network side, profiling each device without touching it and applying one least-privilege policy model across every modality.

Both frameworks are also converging on zero trust. NIST SP 800-207 defines the architecture auditors and boards increasingly expect, and microsegmentation is its enforcement layer inside the hospital.[7] For the device-by-device mechanics, MRI suites and infusion pumps included, see our guide to segmenting medical devices without agents.

What does a phased HIPAA segmentation roadmap look like?

A workable HIPAA segmentation roadmap runs in four phases: discover and classify every connected device, simulate least-privilege policy against real traffic, enforce in staged waves, and package the evidence auditors will ask for. The pace can surprise people. St. Luke’s University Health Network deployed identity-based microsegmentation across 15 hospitals and roughly 85,000 production devices in about 46 days.[3]

The four-phase HIPAA segmentation roadmap moves hospitals from device discovery to enforced least-privilege policy and audit-ready evidence without re-architecting the clinical network.

Phase 1: Assess and discover

Inventory comes first. Agentless discovery builds a live map of every connected device, then classifies each one by identity: what it is, who uses it, and what it needs to talk to. The flow data collected here becomes the baseline for every ePHI access decision that follows, and it doubles as the risk assessment work both HIPAA and 405(d) already expect.

Phase 2: Simulate policy

Draft least-privilege policies and run them in simulation against live traffic before anything is enforced. Clinical engineering and network teams see exactly which flows each policy would allow or block, so no infusion pump goes dark in the name of compliance. The simulation record itself becomes audit evidence.

Phase 3: Enforce in waves

Turn on enforcement in staged waves: a pilot department, then a site, then the fleet. Policy is enforced by the switching infrastructure the hospital already owns, over any data plane, so there are no maintenance windows, no re-cabling, and no forklift upgrades.

Phase 4: Package evidence for auditors

Compile policy documentation, simulation history, change records, and flow logs into a running evidence file. The proposed rule asks hospitals to maintain policies and procedures, not just deploy technology, and the organizations that document as they go won’t scramble when a final rule sets a date.
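As an added illustration of the simulate-before-enforce step across the four phases above (this is not Elisity’s code or any product’s policy format), the Python below dry-runs a role-based allow list against flow records. The inventory, policies, and flows are constructed sample data, and every device name, role, and policy ID is hypothetical. It reports which flows would be allowed, denied, or held because an endpoint was never classified, flags every deny that touches a clinical device for biomedical review, and lists allow rules that no observed flow ever exercised, which together make up the kind of simulation record Phase 4 files as evidence.

```python
"""Dry-run a least-privilege policy set against observed flows before enforcing it.

Added illustration for the discover / simulate / enforce / evidence phases.
Not Elisity's code or any product's API; the inventory, policies and flow
records are constructed sample data and every name here is hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Phase 1 output: identity inventory, IP -> (device name, role). Constructed.
INVENTORY = {
    "10.20.1.10": ("pump-icu-01", "infusion_pump"),
    "10.20.1.11": ("pump-icu-02", "infusion_pump"),
    "10.20.2.20": ("mri-rad-01", "imaging"),
    "10.30.0.5":  ("pump-server-01", "pump_server"),
    "10.30.0.6":  ("pacs-01", "pacs"),
    "10.30.0.9":  ("ehr-app-01", "ehr"),
    "10.40.0.50": ("ws-nursing-07", "workstation"),
}

# Roles whose flows must be reviewed with clinical engineering before any deny.
CLINICAL_ROLES = {"infusion_pump", "imaging"}


@dataclass(frozen=True)
class Policy:
    pid: str
    src_role: str
    dst_role: str
    proto: str
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, src_role, dst_role, proto, port):
        return (self.src_role == src_role and self.dst_role == dst_role
                and self.proto == proto
                and (self.dst_port is None or self.dst_port == port))


# Phase 2 draft: allow list keyed on identity (role), default deny. Constructed.
POLICIES = [
    Policy("P1", "infusion_pump", "pump_server", "tcp", 443),
    Policy("P2", "imaging", "pacs", "tcp", 104),       # DICOM
    Policy("P3", "workstation", "ehr", "tcp", 443),
    Policy("P4", "workstation", "pacs", "tcp", 443),
]

# Constructed flow records (src_ip, dst_ip, proto, dst_port), NetFlow-style.
FLOWS = [
    ("10.20.1.10", "10.30.0.5", "tcp", 443),
    ("10.20.1.11", "10.30.0.5", "tcp", 443),
    ("10.20.2.20", "10.30.0.6", "tcp", 104),
    ("10.40.0.50", "10.30.0.9", "tcp", 443),
    ("10.40.0.50", "10.20.1.10", "tcp", 22),   # workstation SSH into a pump
    ("10.20.1.10", "10.30.0.9", "tcp", 443),   # pump to EHR: missing from the draft policy
    ("10.99.9.9",  "10.30.0.9", "tcp", 443),   # endpoint discovery never classified
]


def classify(ip, inventory=INVENTORY):
    """Identity lookup; anything not inventoried is 'unclassified', never guessed."""
    return inventory.get(ip, (ip, "unclassified"))


def simulate(flows, policies=POLICIES, inventory=INVENTORY):
    """Return one verdict record per flow. Nothing is enforced here."""
    records = []
    for src, dst, proto, port in flows:
        sname, srole = classify(src, inventory)
        dname, drole = classify(dst, inventory)
        hit = next((p for p in policies if p.matches(srole, drole, proto, port)), None)
        if hit is not None:
            verdict = "allow"
        elif "unclassified" in (srole, drole):
            verdict = "unclassified"   # hold: enforcing now would default-deny this endpoint
        else:
            verdict = "deny"
        records.append({
            "src": sname, "src_role": srole, "dst": dname, "dst_role": drole,
            "proto": proto, "port": port, "verdict": verdict,
            "policy": hit.pid if hit else None,
        })
    return records


def readiness(records, policies=POLICIES):
    """Go/no-go summary a biomed team can sign off before Phase 3 enforcement."""
    counts = Counter(r["verdict"] for r in records)
    clinical_denies = [r for r in records if r["verdict"] == "deny"
                       and CLINICAL_ROLES & {r["src_role"], r["dst_role"]}]
    used = {r["policy"] for r in records if r["policy"]}
    unexercised = [p.pid for p in policies if p.pid not in used]
    return {
        "counts": dict(counts),
        "clinical_denies": clinical_denies,     # review with clinical engineering, never auto-enforce
        "unexercised_policies": unexercised,    # allow rules no observed flow ever hit
        "ready_to_enforce": not clinical_denies and counts["unclassified"] == 0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(readiness(simulate(FLOWS)), indent=2))
```

Run against the sample data, the report is a no-go: the pump-to-EHR flow and the workstation-to-pump SSH flow would both be denied and both touch an infusion pump, one endpoint was never classified, and policy P4 was never exercised. Each of those is a decision for clinical engineering and the network team, made in simulation rather than after a device goes dark, and the records themselves are the simulation history Phase 4 keeps.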

MultiCare Health System secures tens of thousands of devices across its Washington State hospital and clinic network, and its security leadership is blunt about why waiting for regulatory certainty isn’t a strategy.[8]

“You can’t do modern healthcare with legacy technology.”

Jason Elrod, Chief Information Security Officer, MultiCare Health System[9]

How do segmentation approaches compare against the proposed HIPAA expectations?

Identity-based microsegmentation, VLAN re-architecture, and network access control can each limit access to electronic protected health information, but they differ sharply on the criteria the proposed rule emphasizes: coverage of unmanaged medical devices, disruption to clinical operations, time to enforcement, and the maintained policy documentation auditors will request. The comparison below maps each approach against those expectations.

Segmentation approaches measured against expectations in the proposed HIPAA Security Rule (identity-based microsegmentation, VLAN re-architecture, and NAC with 802.1X):

  • Segment networks to limit ePHI access
    Identity-based microsegmentation: least-privilege policy per device identity, enforced over any data plane.
    VLAN re-architecture: coarse subnet boundaries; broad lateral movement inside each VLAN.
    NAC (802.1X): admission control at connect time; limited east-west enforcement once a device is on the network.
  • Cover unmanaged and legacy medical devices
    Identity-based microsegmentation: agentless; no endpoint software required.
    VLAN re-architecture: covers devices only as coarse address groups.
    NAC (802.1X): weak for devices without an 802.1X supplicant, which fall back to MAC authentication bypass; those exceptions accumulate.
  • Avoid disruption to clinical operations
    Identity-based microsegmentation: policy simulation first; no downtime or re-cabling.
    VLAN re-architecture: re-addressing and change windows across every site.
    NAC (802.1X): misconfigured ports can knock care devices offline.
  • Maintain documented policies and procedures
    Identity-based microsegmentation: per-policy records, simulation history, and flow logs.
    VLAN re-architecture: static diagrams age quickly; drift tracking is manual.
    NAC (802.1X): authentication logs, but little flow-level policy evidence.
  • Time to enforced segmentation
    Identity-based microsegmentation: weeks; St. Luke’s reached full deployment in about 46 days.[3]
    VLAN re-architecture: quarters to years at hospital scale.
    NAC (802.1X): months; depends on the device exception backlog.

What is the business case for segmenting before the rule is final?

The strongest argument for starting now is financial, not regulatory. One anonymized top 10 US health system cut the projected total cost of ownership of its segmentation program from $38 million to $9 million, a 76% reduction, by choosing identity-based microsegmentation over a hardware-led rebuild.[4] Compliance readiness arrives as a byproduct of a project that already pays for itself.

The same case reported 99% device discovery within the first four hours, with no downtime.[4] That speed changes the planning math: discovery and simulation can begin this quarter, on the current network, while the industry waits on OCR. And the industry is moving. Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems.[10] The gap between intent and coverage is where both breach risk and regulatory exposure live.

Whatever the final text says, hospitals with enforced policies and a documented evidence trail will read it from a very different position than hospitals still drawing VLAN diagrams. See how health systems run this roadmap in production with the Elisity healthcare microsegmentation solution.

Frequently asked questions

Is the new HIPAA Security Rule final in 2026?

No. HHS published the proposed rule in the Federal Register on January 6, 2025, and the public comment period closed on March 7, 2025. As of July 2026, the Office for Civil Rights has not issued a final rule, so no compliance deadline is in force. Hospitals should treat the proposal as a preview of expectations, not as an enforceable mandate.

Does HIPAA require hospitals to segment their networks today?

Not as a named safeguard. The current Security Rule requires reasonable and appropriate technical safeguards for electronic protected health information, and segmentation is one recognized way to provide them. The proposed update would make segmentation an explicit required implementation specification, and HHS 405(d) guidance already lists it as an enhanced voluntary practice.

What is the difference between 405(d) guidance and the proposed Security Rule?

The 405(d) program publishes Health Industry Cybersecurity Practices, voluntary guidance that already recommends segmentation as an enhanced practice for larger organizations. The proposed Security Rule is regulation: once finalized, its implementation specifications become enforceable under HIPAA. A hospital can adopt 405(d) practices today and reuse the same architecture and evidence when the rule becomes final.

Should hospitals wait for the final rule before starting segmentation?

Waiting carries more risk than starting. Even with fast tooling, a full program of discovery, policy simulation, staged enforcement, and evidence collection across a health system typically spans quarters, and ransomware does not wait for rulemaking. Hospitals that phase identity-based segmentation now reduce lateral movement immediately, satisfy voluntary 405(d) goals, and avoid compressing a multi-quarter program into whatever compliance window a final rule eventually sets.

Can hospitals segment clinical networks without downtime or new hardware?

Yes. Identity-based microsegmentation enforces policy through the switching infrastructure a hospital already owns, so there are no endpoint agents, no re-cabling, and no maintenance windows for clinical systems. Policies run in simulation first, which lets network and biomedical teams verify that no clinical workflow breaks before enforcement is turned on.

Will HITRUST certification satisfy the proposed HIPAA segmentation expectations?

HITRUST certification is strong evidence of due diligence, and the HITRUST CSF maps its controls to HIPAA, but it is not a substitute for compliance. OCR enforces the Security Rule itself, so a certified hospital still needs segmentation controls, documented policies, and audit evidence that match whatever the final rule requires.

Sources and citations

  1. U.S. Department of Health and Human Services, Office for Civil Rights, “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” Federal Register, 90 FR 898, January 6, 2025.
  2. HHS 405(d) Program, “Health Industry Cybersecurity Practices (HICP),” accessed July 2026.
  3. Elisity, “Healthcare Microsegmentation at 15 Hospitals” (St. Luke’s University Health Network), 2025.
  4. Elisity, “ROI Case Study Snapshots,” anonymized top 10 US health system case, accessed July 2026.
  5. HITRUST, “The HITRUST Framework (HITRUST CSF),” accessed July 2026.
  6. NIST National Cybersecurity Center of Excellence, SP 1800-8, “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations,” 2018.
  7. NIST, SP 800-207, “Zero Trust Architecture,” 2020.
  8. Elisity, “Healthcare CISO Eliminates Network Complexity with Identity-Based Microsegmentation” (MultiCare Health System case study), accessed July 2026.
  9. Elisity, MultiCare Health System video on the HIPAA Security Rule (Jason Elrod, CISO), accessed July 2026.
  10. Elisity, “Microsegmentation in Healthcare: Omdia Survey Findings,” 2025.
  11. HIPAA Journal, “OCR Gives Update on Proposed HIPAA Security Rule,” March 27, 2025.