OEM News

HIMSS Survey: Most Health Systems Cannot Protect Unmanaged Medical Devices

Concerns about workflow disruptions are the main reason healthcare organizations do not deploy microsegmentation.

By: Michael Barbella

Managing Editor

Sixty percent of health systems are unable to protect unpatchable or agentless medical devices, limiting their ability to achieve sound microsegmentation-level security, a report from Elisity and the Healthcare Information and Management Systems Society (HIMSS) Market Insights concluded.

Poor visibility into device inventory also is a limitation for 30% of survey respondents. Nearly half reported their cyber insurance carriers demanded specific controls during renewal in the past two years, accelerating timelines across the board. The insights are among many contained in the report, “The Implementation Paradox: Healthcare Leaders Want Microsegmentation-Level Security Without Disruption.”

“For two decades, healthcare did nothing about segmentation because legacy approaches demanded disruptions organizations couldn’t afford,” Elisity CEO James Winebrenner said. “Modern microsegmentation breaks that cycle: deploy in weeks on existing switches, cover every device, manage policies simply, zero downtime. A more modern approach is needed so the industry can seamlessly secure their complex environments, prevent lateral movement attacks, and maintain patient care continuity while achieving HIPAA compliance and HHS 405(d) best practices.”

Connected medical and IoT devices have expanded the attack surface, resulting in new attack vectors that cybercriminals exploit to gain unauthorized access to critical patient care systems and protected health information (PHI). With thousands of devices spanning multiple facilities, many healthcare organizations are struggling to maintain visibility and control.

Elisity and HIMSS Market Insights’ report takes a deep dive into the gaps or limitations in healthcare organizations’ current IoMT or medical device security and protection strategies, as well as recent actions taken by cyber insurance carriers and the most important return on investment outcomes when considering microsegmentation implementations. Additionally, the report uncovers key decision drivers for healthcare leaders when evaluating microsegmentation solutions as well as the barriers to implementing microsegmentation strategies.

One of the report’s most critical findings is the gap in healthcare organizations’ ability to protect unpatchable or agentless devices. Sixty-two percent of respondents rated their inability to protect these devices as a critical or significant limitation, the highest of any category surveyed. Poor visibility of devices and asset inventory followed at 56%, then policy-management overhead (54%), and lack of continuous monitoring for lateral movement and segmentation failures (52%).

Additionally, concerns about workflow disruptions are the primary reason healthcare organizations do not deploy microsegmentation. In fact, 40% report these concerns as a barrier to implementation in their environments.

Key findings include:

  • 60% reported gaps in their ability to protect unpatchable or agentless devices
  • Nearly half said their cyber insurance carrier requested specific controls during renewal or underwriting in the last two years
  • 42% stated that reducing incident response and breach remediation costs is one of the most important ROI outcomes when considering microsegmentation investments
  • 76% said it is highly important that a microsegmentation solution avoids disruption to clinical or operational workflows
  • 40% said concerns about disrupting clinical workflows or patient care during deployment have been a barrier to implementing microsegmentation, followed by insufficient internal staff or specialized security resources to implement and manage the solution (34%), long rollout timelines (32%), and the complexity of integration with multi-vendor network infrastructure across sites (30%)

“Healthcare organizations cannot afford any disruptions that traditional security implementations often require,” said Rob Courtney, Healthcare chief technology officer, Carahsoft. “The report’s findings validate the need for a new, modern approach. Proven solutions like Elisity can help overcome the barriers through advanced microsegmentation to improve security posture, accelerate Zero Trust maturity, and quickly deploy with no downtime—critical for maintaining patient care.”

Research was conducted online among U.S. executives and IT/technology, cybersecurity/information security, clinical technology/biomedical/IoMT, health information management/informatics/data and analytics, and operations/strategy/innovation leaders (managers and above) in healthcare. Respondents were screened for working in organizations with 300 or more hospital beds and annual revenues exceeding $500 million. Additionally, respondents were screened for having a role in their organizations’ strategy and investments related to data infrastructure and network security. Fifty qualified respondents participated in this research. This was a blind data collection effort; Elisity was not identified as a sponsor of the research.

Elisity claims to be a leap forward in network segmentation architecture and is striving to achieve Zero Trust maturity, proactively prevent security risks, and reduce network complexity. Designed to be implemented in weeks without downtime, the platform rapidly discovers every user, workload, and device on an enterprise network and correlates comprehensive insights into the Elisity IdentityGraph. This empowers teams with the context needed to automate classification and apply dynamic security policies to any device, at any time or place on the network. These granular, identity-based microsegmentation security policies are managed in the cloud and enforced in real time using existing network switching infrastructure, even on ephemeral IT/IoT/OT devices. Founded in 2019, Elisity has a global employee footprint and a growing number of customers in the Fortune 500.
