HIMSS Survey: 60% of Health Systems Can't Protect Unmanaged Medical Devices
Leaders rank avoiding clinical downtime as their top microsegmentation priority, yet 40% say fear of disruption blocks adoption
SAN JOSE, Calif.--(BUSINESS WIRE)--Elisity, the pioneer in identity-based microsegmentation, today announced the release of The Implementation Paradox: Healthcare Leaders Want Microsegmentation-Level Security Without Disruption, a comprehensive report co-published with Healthcare Information and Management Systems Society (HIMSS) Market Insights. Sixty percent of respondents flagged an inability to protect unpatchable or agentless devices as a critical or significant limitation. Poor visibility into device inventory ranked second at 30%. Nearly half reported that their cyber insurance carriers demanded specific controls during renewal in the past two years, accelerating timelines across the board.
"For two decades, healthcare did nothing about segmentation because legacy approaches demanded disruptions organizations couldn't afford," said James Winebrenner, CEO of Elisity. "Modern microsegmentation breaks that cycle: deploy in weeks on existing switches, cover every device, manage policies simply, zero downtime. A more modern approach is needed so that the industry can seamlessly secure their complex environments, prevent lateral movement attacks, and maintain patient care continuity while achieving HIPAA compliance and HHS 405(d) best practices."
Connected medical and IoT devices have expanded the attack surface, resulting in new attack vectors that cybercriminals exploit to gain unauthorized access to critical patient care systems and protected health information (PHI). With thousands of devices spanning multiple facilities, many healthcare organizations are struggling to maintain visibility and control.
The report from Elisity and HIMSS Market Insights examines the gaps or limitations in healthcare organizations’ current IoMT or medical device security and protection strategies, recent actions taken by cyber insurance carriers, and the most important return on investment outcomes when considering microsegmentation implementations. It also covers the key decision drivers for healthcare leaders evaluating microsegmentation solutions and the barriers to implementing microsegmentation strategies.
One of the report's most critical findings is the gap in healthcare organizations' ability to protect unpatchable or agentless devices. Sixty-two percent of respondents rated their inability to protect these devices as a critical or significant limitation, the highest of any category surveyed. Poor visibility of devices and asset inventory followed at 56%, then policy-management overhead (54%) and lack of continuous monitoring for lateral movement and segmentation failures (52%).
Additionally, concerns about workflow disruptions are the primary reason healthcare organizations do not deploy microsegmentation: 40% report these concerns as a barrier to implementation in their environments.
Key findings include:
- 60% reported gaps in their ability to protect unpatchable or agentless devices
- Nearly half said that their cyber insurance carrier requested specific controls during renewal or underwriting in the last two years
- 42% stated that reducing incident response and breach remediation costs is one of the most important ROI outcomes when considering microsegmentation investments
- 76% said it is highly important that a microsegmentation solution avoids disruption to clinical or operational workflows
- 40% cited concerns about disrupting clinical workflows or patient care during deployment as a barrier to implementing microsegmentation, followed by insufficient internal staff or specialized security resources to implement and manage the solution (34%), long rollout timelines (32%), and the complexity of integration with multi-vendor network infrastructure across sites (30%)
“Healthcare organizations cannot afford any disruptions that traditional security implementations often require,” said Rob Courtney, Healthcare CTO, Carahsoft. “The report’s findings validate that need for a new, modern approach. Proven solutions like Elisity can help overcome the barriers through advanced microsegmentation to improve security posture, accelerate Zero Trust maturity, and quickly deploy with no downtime – critical for maintaining patient care.”
To download the report, visit https://www.elisity.com/blog/himss-medical-device-security-healthcare-microsegmentation.
Methodology
Research was conducted online amongst Executives and IT/Technology, Cybersecurity/Information Security, Clinical Technology/Biomedical/IoMT, Health Information Management/Informatics/Data & Analytics, and Operations/Strategy/Innovation leaders (managers and above) in healthcare in the United States. Respondents were screened for working in organizations with 300 or more hospital beds and annual revenues exceeding $500 million. Additionally, respondents were screened for having a role in their organizations’ strategy and investments related to data infrastructure and network security. A total of 50 qualified respondents participated in this research. This was a blind data collection effort; Elisity was not identified as a sponsor of the research.
About Elisity
Elisity is a leap forward in network segmentation architecture and is leading the enterprise effort to achieve Zero Trust maturity, proactively prevent security risks, and reduce network complexity. Designed to be implemented in weeks without downtime, the platform rapidly discovers every user, workload, and device on an enterprise network and correlates comprehensive insights into the Elisity IdentityGraph™. This empowers teams with the context needed to automate classification and apply dynamic security policies to any device wherever and whenever it appears on the network. These granular, identity-based microsegmentation security policies are managed in the cloud and enforced using your existing network switching infrastructure in real time, even on ephemeral IT/IoT/OT devices. Founded in 2019, Elisity has a global employee footprint and a growing number of customers in the Fortune 500.
Contacts
Media Contact:
Michelle Kearney
Hi-Touch PR
443-857-9468
kearney@hi-touchpr.com
