New research finds a gap in network security deployment as federal regulators move to tighten requirements for clinical environments.
Nearly half of healthcare security leaders experienced a lateral movement cyberattack in the past year, according to a new Omdia survey commissioned by Elisity. The findings indicate that while 56% of healthcare respondents rank microsegmentation as their top initiative to stop these attacks, actual deployment lags behind.
The survey of 352 US cybersecurity decision makers found that 49% of healthcare organizations were hit by these attacks, which involve unauthorized users moving through a network to access sensitive data. Despite the frequency of these incidents, only 6% of healthcare organizations have deployed microsegmentation across more than 80% of their critical systems, compared to a 9% average when combined with the manufacturing sector. The report found that the vast majority of healthcare organizations have segmented less than half of their critical assets.
Clinical Network Challenges
Healthcare environments often rely on legacy architectures such as virtual local area networks and access control lists. These tools frequently cannot be used on medical devices cleared by the Food and Drug Administration, legacy imaging systems, or patient-monitoring equipment.
According to the survey, patient monitoring systems (59%) and Internet of Medical Things devices (55%) are the top challenges for device-level segmentation. These categories are typically unpatchable and mission-critical to patient care.
“Health systems run thousands of connected medical devices that cannot be patched, cannot run an agent, and cannot go offline for clinical reasons,” says James Winebrenner, CEO of Elisity, in a release. “The Omdia findings reflect what healthcare CISOs and clinical engineering leaders have been telling us: The gap is identity, not inventory. Stopping lateral movement in clinical environments requires policy that understands who and what a device is, not where it sits on the network.”
Regulatory and Financial Impact
The findings arrive as the US Department of Health and Human Services moves to strengthen the Health Insurance Portability and Accountability Act Security Rule. A January 2025 notice of proposed rulemaking would make network segmentation a required specification rather than an addressable one.
The financial stakes for cybersecurity remain high. Healthcare has been the most expensive industry for data breaches for 15 consecutive years, with an average cost of $7.42 million per incident, according to the IBM 2025 Cost of a Data Breach Report.
“Healthcare has long been one of the hardest environments for microsegmentation, combining unpatchable medical devices, continuous uptime requirements, and a workforce that moves constantly across managed and unmanaged endpoints,” says Hollie Hennessy, principal analyst at Omdia, in a release. “Our survey shows security leaders have a clear view of the problem—56% rank microsegmentation as their top initiative to stop lateral movement—but deployment at scale still trails ambition across the sector.”
Integration and Awareness Gaps
Integration issues also hinder security efforts. Healthcare respondents named integration with security information and event management, endpoint detection and response, and security orchestration, automation, and response as their top challenges with previous microsegmentation efforts.
Additionally, only 18% of healthcare respondents reported hands-on experience with modern microsegmentation, representing an awareness gap that compounds the execution gap.