Healthcare Microsegmentation: How Do Hospitals Stop Lateral Movement Across Clinical Networks?
MRI scanners, infusion pumps, patient monitors, clinician laptops, and guest phones all share hospital infrastructure, and a single compromised device can reach far too much of it. This guide explains how healthcare microsegmentation contains lateral movement across clinical networks, agentlessly and without downtime, and how it prepares health systems for the proposed HIPAA Security Rule. It builds on the general definition of microsegmentation and applies it device by device, framework by framework, to hospitals and healthcare delivery organizations.
Quick Answer
Hospitals secure unmanaged IoMT devices and stop lateral movement by classifying every device by identity and enforcing least-privilege policy through the network hardware they already own, agentlessly and with no disruption to patient care. Omdia’s 2025 survey of 352 cybersecurity decision makers across healthcare and manufacturing found 99% are implementing or planning microsegmentation, yet only 9% have protected more than 80% of critical systems.[1]
TL;DR
- Identity-based microsegmentation stops lateral movement across clinical networks agentlessly, with no endpoint software, no downtime, and no re-cabling.
- St. Luke’s University Health Network deployed identity-based microsegmentation across 15 hospitals and roughly 85,000 production devices in about 46 days.[2]
- HHS has proposed making network segmentation a required implementation specification in the HIPAA Security Rule NPRM (90 FR 898, January 6, 2025); the rule is not final and no compliance deadline is in force.[3]
- 74% of healthcare respondents say visiting clinicians require the most granular segmentation consideration, followed by clinical staff at 72% (Omdia, N=164).[1]
- Zero trust for hospitals is an enforcement problem: NIST SP 800-207 defines the architecture, and microsegmentation applies it to medical devices that cannot defend themselves.[4]
How do hospitals secure unmanaged IoMT devices without disrupting patient care?
Hospitals secure unmanaged IoMT devices by discovering them agentlessly, classifying each one by identity, and enforcing least-privilege policy through the network hardware already in place, so no endpoint agents, downtime, or re-cabling touch clinical workflows. St. Luke’s University Health Network deployed identity-based microsegmentation across 15 hospitals and roughly 85,000 production devices in about 46 days.[2]
The core problem is that most connected medical devices cannot defend themselves. Infusion pumps, imaging systems, and patient monitors ship with fixed operating systems the hospital is not permitted to modify, and much of the installed base predates the FDA’s premarket cybersecurity guidance for medical devices.[8] Endpoint agents are off the table. So are the change windows and re-cabling projects that traditional segmentation demands, because a patient monitor that goes quiet during a maintenance window is a clinical incident, not an IT ticket.
Identity-based microsegmentation breaks the deadlock in four moves. Discover every device by observing the network, with nothing installed. Classify each one by identity: what it is, who uses it, how it behaves. Simulate least-privilege policy against live clinical traffic until nothing legitimate is blocked. Then enforce, group by group, on the network hardware the hospital already owns.
That sequence is why deployments measure in weeks, not years. The St. Luke’s 46-day microsegmentation deployment went from no microsegmentation to network-wide enforcement two weeks ahead of its own 60-day commitment.[2] MultiCare Health System secures tens of thousands of devices across its Washington State hospital and clinic network.[7] Its CISO, speaking in the MultiCare Health System case study, described what unsegmented complexity costs:
“The people, processes, and technology, each of those comes with their own attack surface. So the impact is non-trivial.”
Jason Elrod, Chief Information Security Officer, MultiCare Health System
For the device-by-device playbook, including per-modality policy patterns and the discovery-tool integrations, see the agentless IoMT and medical device segmentation guide.
How does identity-based microsegmentation compare with VLANs and NAC?
Identity-based microsegmentation, VLAN re-architecture, and network access control solve different problems at different costs. VLANs contain devices by subnet, which forces re-addressing and change windows clinical operations rarely tolerate. NAC decides admission with 802.1X supplicants most medical devices cannot run. Identity-based microsegmentation enforces least-privilege policy on existing network hardware, agentlessly, over any data plane.
| Criterion | Identity-based microsegmentation | VLANs | NAC |
|---|---|---|---|
| Deployment model | Agentless; policy enforced on existing switching infrastructure | Re-architecture, re-addressing, and scheduled change windows | 802.1X supplicants or MAC exception lists |
| Unmanaged medical device coverage | Full; identity derived from behavior, fingerprint, and context | Coarse; a device is only as safe as its subnet | Weak; unmanaged devices become permanent exceptions |
| Downtime and change windows | None required; monitor-first rollout | Maintenance windows for every move, add, or change | Enforcement cutover risks locking out clinical devices |
| Policy granularity | Per device, per identity, least privilege | Per subnet; broad zones persist inside each VLAN | Admission decision only, not ongoing traffic policy |
| Alignment with the proposed HIPAA rule | Maps directly to the proposed segmentation specification | Partial; segmentation exists but least privilege does not | Admission control alone does not segment ePHI paths |
| Operational overhead | Policy follows identity automatically | ACL and firewall rule sprawl grows with each zone | Certificate and supplicant maintenance across device fleets |
The table understates one operational difference. VLAN and NAC projects concentrate their risk at cutover, where a misconfigured rule can knock a clinical device offline. Identity-based policy is simulated against live traffic first, so enforcement day is quiet by design.
Zero trust architecture for healthcare systems
Zero trust architecture for healthcare systems applies NIST SP 800-207 to an environment where most endpoints are medical devices that cannot authenticate themselves. The workable sequence: build a device identity inventory, map real clinical traffic flows, simulate least-privilege policy against live traffic, then enforce microsegmentation through existing network hardware, starting with the highest-risk device groups.[4]
NIST SP 800-207 defines zero trust around policy decision points and policy enforcement points that evaluate every connection continuously. Hospitals meet that model with a constraint few other industries face: a large share of endpoints cannot run software, present credentials, or participate in their own defense. Zero trust for healthcare has to be delivered from the network, not from the endpoint.
In practice, health systems phase the work. Phase one builds the identity inventory, because a policy engine is only as good as its knowledge of what is connected. Phase two maps flows between clinical systems, the EHR, PACS, and vendor maintenance paths. Phase three simulates policy and reviews the exceptions with biomedical engineering. Phase four enforces, beginning with unmanaged IoMT devices, then clinical workstations, then users.
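The discover, classify, simulate, enforce sequence described above (and in the four moves earlier on this page) can be modelled directly. The following is an added example, not Elisity's product code: it assumes a constructed IP-to-identity-group inventory of the kind agentless discovery would produce, a constructed set of flow records, and a hypothetical allow-list policy, and it shows a monitor-only pass that reports what enforcement would deny before any group is promoted, followed by a group-by-group cutover.

```python
"""Monitor-first policy simulation (added example, not Elisity's product code). Assumes a
constructed IP -> identity-group inventory, as agentless discovery would produce, and
constructed flows; policy is an allow list of (src_group, dst_group, dst_port), rest denied."""
from collections import Counter
INVENTORY = {  # constructed: addresses and groups are hypothetical
    "10.10.1.11": "infusion_pump",
    "10.10.2.21": "patient_monitor",
    "10.20.0.5": "infusion_server",        # vendor management server for the pumps
    "10.20.0.9": "central_station",        # monitoring central station
    "10.30.0.7": "clinician_workstation",
    "10.40.0.3": "guest_device",
}
POLICY = {  # least-privilege allow list; anything absent is denied
    ("infusion_pump", "infusion_server", 443),
    ("patient_monitor", "central_station", 2575),  # HL7 over MLLP
    ("clinician_workstation", "central_station", 443),
}

def classify(ip):
    """Map an address to its identity group; unknown devices land in a holding group."""
    return INVENTORY.get(ip, "unclassified")

def evaluate(flow):
    """Decide one (src_ip, dst_ip, dst_port) flow against the allow list."""
    src, dst, port = flow
    return "allow" if (classify(src), classify(dst), port) in POLICY else "deny"

def simulate(flows):
    """Monitor-only pass: block nothing, count what enforcement would deny, keyed by
    (src_group, dst_group, port) so biomedical engineering can review each exception."""
    would_deny = Counter()
    for src, dst, port in flows:
        if evaluate((src, dst, port)) == "deny":
            would_deny[(classify(src), classify(dst), port)] += 1
    return would_deny

def enforce(flows, enforced_groups):
    """Group-by-group cutover: policy is live only where an endpoint belongs to an
    enforced group; flows touching no enforced group still pass (monitor-only)."""
    return [f for f in flows
            if not ({classify(f[0]), classify(f[1])} & set(enforced_groups))
            or evaluate(f) == "allow"]

SAMPLE_FLOWS = [  # constructed sample from one collection interval
    ("10.10.1.11", "10.20.0.5", 443),    # pump -> management server: legitimate
    ("10.10.2.21", "10.20.0.9", 2575),   # monitor -> central station: legitimate
    ("10.30.0.7", "10.20.0.9", 443),     # workstation -> central station: legitimate
    ("10.40.0.3", "10.10.1.11", 445),    # guest device reaching a pump: lateral movement
    ("10.30.0.7", "10.10.1.11", 22),     # workstation -> pump SSH: needs biomed review
]
```

Running `simulate(SAMPLE_FLOWS)` surfaces the two flows that enforcement would deny; the workstation-to-pump SSH flow is the kind of exception biomedical engineering reviews (a vendor maintenance path that needs an explicit rule, or a path that should stay closed) before the infusion pump group is promoted with `enforce`.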
Zero trust in a hospital also covers people. Visiting clinicians and per-diem staff move between facilities and shared workstations every day, so policy anchored to a network location breaks the moment care delivery moves. Identity has to anchor policy for users exactly as it does for devices, and the same enforcement layer serves both.
Where do HIPAA and HITRUST fit in a hospital segmentation program?
The proposed HIPAA Security Rule, today’s voluntary HHS 405(d) practices, and HITRUST CSF assessments all converge on the same control: segment clinical networks around least privilege. The phased HIPAA segmentation roadmap sequences those controls so hospitals invest once, not twice.
Which segmentation approach fits MRI scanners, infusion pumps, and patient monitors?
MRI scanners, infusion pumps, and patient monitors each fail traditional segmentation in a different way, and federal reference architecture is thin: NIST NCCoE SP 1800-8 covers wireless infusion pumps only. The expanded device-type segmentation guide maps an identity-based policy pattern to each modality, including vendor remote-maintenance paths.
How does discovery data from Armis or Medigate become enforcement policy?
Armis and Medigate (now part of Claroty) discover what is on the network; enforcement is a separate decision, and many hospital segmentation programs stall there. The device-data-to-policy workflow behind the Elisity and Armis integration at Main Line Health is documented in the segmentation guide.
What about legacy medical devices that cannot be patched?
Legacy devices running unsupported operating systems cannot take agents or patches, but they can be isolated: identity-based policy restricts each one to the clinical conversations it needs. The step-by-step pattern is in the section on segmenting legacy medical devices without agents.
How should a healthcare delivery organization evaluate microsegmentation vendors?
Healthcare delivery organizations tend to weigh four things: agentless coverage of unmanaged devices, time to enforcement, integration with the discovery tools already deployed, and evidence from named health systems. The comparison of top healthcare cybersecurity vendors for 2026 reviews the leading platforms vendor by vendor against sourced, dated criteria.
Frequently asked questions about healthcare microsegmentation
What is healthcare microsegmentation?
Healthcare microsegmentation divides a hospital network into fine-grained policy zones built around the identity of each user and device rather than around network addresses. Policies follow devices wherever they connect, so an infusion pump, a clinician laptop, and a guest phone each receive exactly the access their role requires and nothing more.
Do hospitals need to replace existing network hardware to deploy microsegmentation?
No. Identity-based microsegmentation is agentless and enforces policy through the network hardware a hospital already owns, over any data plane. There is no rip and replace, no new inline appliances, and no downtime window, which is why clinical networks that cannot tolerate disruption choose this model over VLAN re-architecture.
How long does a hospital microsegmentation deployment take?
Identity-based deployments run in weeks rather than multi-year projects, because nothing is installed on the devices and no re-cabling is required. Hospitals typically discover and classify devices first, run policy in a monitor-only mode against live clinical traffic, then promote to enforcement group by group. St. Luke’s University Health Network published its full network-wide rollout timeline in its case study.
Is microsegmentation required for HIPAA compliance today?
Not yet. Today’s HIPAA Security Rule treats segmentation flexibly, but HHS has proposed making network segmentation a required implementation specification in its pending update, which is not final and carries no compliance deadline. Hospitals preparing now phase identity-based segmentation so the same controls satisfy voluntary HHS 405(d) practices and the proposed specification.
How does microsegmentation reduce ransomware blast radius in a hospital?
Microsegmentation limits how far an intruder can move after the first device is compromised. Least-privilege policy means an infected workstation or IoMT device can reach only the destinations its role requires, so ransomware that lands on one device cannot spread across clinical systems. Containment shrinks from an entire flat network to a single policy group.
What is the first step in a hospital microsegmentation project?
Start with discovery and identity. A hospital cannot segment what it has not classified, so the first step is building a live inventory in which every device, managed or unmanaged, is identified by what it is and how it behaves. From that identity baseline, security teams map real traffic flows and simulate least-privilege policy before enforcing anything.
Sources and citations
[1] Omdia, 2025 microsegmentation survey of 352 cybersecurity decision makers across healthcare and manufacturing, published in “Microsegmentation in Healthcare: Omdia Survey Findings,” Elisity, 2025.
[2] Elisity, “Healthcare Microsegmentation at 15 Hospitals: St. Luke’s University Health Network,” 2025.
[3] U.S. Department of Health and Human Services, “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” 90 FR 898, Federal Register, January 6, 2025.
[4] NIST, Special Publication 800-207, “Zero Trust Architecture,” August 2020.
[5] NIST National Cybersecurity Center of Excellence, Special Publication 1800-8, “Securing Wireless Infusion Pumps,” 2018.
[6] HHS 405(d) Program, “Health Industry Cybersecurity Practices,” accessed July 4, 2026.
[7] Elisity, “Healthcare CISO Eliminates Network Complexity with Identity-Based Microsegmentation,” MultiCare Health System case study, accessed July 4, 2026.
[8] U.S. Food and Drug Administration, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” accessed July 4, 2026.
See identity-based policy on your own clinical network
Explore the healthcare microsegmentation solution and request a demo with the Elisity team. Agentless discovery runs against live traffic, so the first policy simulation uses your real devices, not a lab.
