Blog
Explore All Blog Posts

Healthcare IoT Network Segmentation: A Cybersecurity Compliance Cornerstone

Published on April 3, 2025
 
By: Maureen Sahualla
 
8 — minute read

In today’s digital healthcare ecosystem, where patient data and connected medical devices are at the heart of operations, cybersecurity has become a non-negotiable priority. Regulatory frameworks like HIPAA in the US and the NIS regulations in the UK have emphasized the need for stringent safeguards to protect sensitive information and ensure operational resilience. One critical strategy for achieving compliance is network segmentation—a proactive cybersecurity approach that not only enhances security but also enables adherence to regulatory standards.

Why Network Segmentation Matters

Healthcare networks are becoming increasingly complex. Interconnected medical devices, patient management systems, legacy systems (such as electronic health record [EHR] systems), and IoT devices—such as those used in building management and security systems—have created a vast attack surface for cyber threat actors to target. Flat, unsegmented networks present significant risk. They can enable cyber threat actors to move laterally, compromising sensitive data and disrupting operations.

Regulatory Requirements Increasingly Focus on Network Segmentation

Network segmentation is emerging as a key component of healthcare cybersecurity requirements. This is because it effectively addresses the unique and evolving vulnerabilities within modern healthcare systems while ensuring compliance with regulatory standards. As a result, many regulations now underscore the significance of network segmentation, emphasizing its role in isolating critical systems and limiting unnecessary communication between network components. The following factors are behind this increased focus:

  • Protecting Sensitive Data: Regulations like HIPAA in the US and GDPR in the UK and EU mandate stringent protections for patient data. Network segmentation isolates sensitive data, such as electronic health records, from less secure parts of the network, reducing unauthorized access risks.
  • Reducing the Spread of Cyber Threats: In healthcare, a flat, unsegmented network enables attackers to move laterally, gaining access to interconnected systems and devices. Segmentation limits this lateral movement, containing cyber threats and minimizing damage.
  • Mitigating IoT and Legacy Device Risks: Healthcare relies heavily on IoT and legacy medical devices, which often lack robust built-in security. Segmenting these devices into isolated network zones prevents them from being entry points to the broader network.
  • Complying with Emerging Standards: Many cybersecurity frameworks and regulations, such as HITRUST in the US and the NIS Directive in the UK, now recognize segmentation as a best practice. Segmentation helps demonstrate compliance with these standards during audits.
  • Ensuring Operational Continuity: Cyber attacks like ransomware can cripple healthcare operations. Segmentation ensures that critical systems remain operational even if one part of the network is compromised, safeguarding patient care and organizational resilience.

US Healthcare Cybersecurity Standards and the Role of Network Segmentation

In the US, no healthcare cybersecurity regulation explicitly says, “you must segment your network.” Instead, US healthcare organizations are primarily governed by regulations that strongly encourage or imply the need for network segmentation as a best practice for securing electronic protected health information (ePHI)—even if they don't always mandate it explicitly. For example:

HIPAA Security Rule

In the US, healthcare cybersecurity compliance standards like the HIPAA Security Rule emphasize the importance of network segmentation to protect electronic Protected Health Information (ePHI). HIPAA also requires that organizations implement “reasonable and appropriate” safeguards. Network segmentation is considered a reasonable safeguard to limit internal access to ePHI and prevent lateral movement by attackers.

Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act, which reinforces and expands HIPAA security requirements, encourages robust security practices, including segmentation, to reduce breach risks and penalties.

HITECH Safe Harbor Law (2021 Amendment)

The 2021 amendment to the HITECH Safe Harbor Law encourages adoption of recognized cybersecurity practices (for example, NIST CSF or CIS Controls). It also states that if a breach occurs, organizations demonstrating strong security practices (like segmentation) may face reduced penalties.

NIST Cybersecurity Framework

While the NIST Cybersecurity Framework is voluntary for the private sector, it is widely used in healthcare as a best-practice guideline. The NIST CSF strongly recommends network segmentation as part of a layered defense to protect critical assets and reduce the attack surface.

As you can tell from a reading of the guidelines, regulations and standards like HIPAA, HITECH, and NIST in the US make segmentation a clear expectation under broader security requirements.

  • HIPAA leaves flexibility, but regulators expect segmentation as a reasonable safeguard.
  • HITECH Safe Harbor is not a mandate but gives legal incentive to follow segmentation best practices.
  • If you follow the NIST CSF, segmentation is part of core security architecture.

Also, at the end of the day, if ePHI is breached and network segmentation could have prevented it, a lack of network segmentation could be viewed as noncompliance.

UK Healthcare Cybersecurity Standards and the Role of Network Segmentation

In the UK, healthcare cybersecurity regulations and standards do not usually explicitly mandate network segmentation, but like US regulations and standards, network segmentation is strongly recommended and often expected as a reasonable security control under broader data protection and cyber risk management requirements. For example:

UK GDPR/Data Protection Act 2018

The UK GDPR/Data Protection Act of 2018 applies to all organizations processing personal data, including NHS trusts and private healthcare. Organizations must implement "appropriate technical and organizational measures" to protect personal data, including confidentiality, integrity, and availability. Network segmentation is a widely accepted technical measure to prevent unauthorized access to patient data and limit the blast radius of breaches.

NHS Data Security and Protection Toolkit (DSPT)

The NHS Data Security and Protection Toolkit (DSPT) applies to all organizations accessing NHS patient data or systems. Organizations must demonstrate effective access control, network protection, and threat mitigation, and segmentation is a key control for meeting those. NHS England and NHS Digital also recommend network segmentation as part of network security architecture.

National Cyber Security Centre (NCSC) Guidance

The NCSC provides cybersecurity guidance to all UK organizations, and especially to those in critical infrastructure like healthcare. NCSC guidance emphasizes the importance of isolating high-value or sensitive assets through zoning and segmentation to effectively reduce risk.

Cyber Essentials/Cyber Essentials Plus

Cyber Essentials/Cyber Essentials Plus applies to healthcare suppliers and some NHS organizations as a minimum requirement. Segmentation may be required if different trust levels exist across a network (for example, segregating administrative devices from IoT or guest devices).

Network and Information Systems (NIS) Regulations 2018

NIS applies to Operators of Essential Services (OES), including some healthcare providers. It requires risk-based security measures to ensure continuity of essential services. And segmentation is a known mitigation for limiting attack propagation within essential service networks.

By adopting segmentation, healthcare organizations in the UK can not only align with the expectations of regulatory frameworks like UK GDPR, DSPT, NIS, and Cyber Essentials, but also strengthen their defenses against evolving threats. Implementing segmentation demonstrates proactive cybersecurity efforts, safeguards patient data, and supports the continuity of essential services, making it an indispensable strategy for modern healthcare networks.

While network segmentation may not be explicitly mandated by UK healthcare cybersecurity regulations, it is widely recommended and increasingly regarded as a best practice for ensuring robust data protection and cyber risk management.

How Cylera Helps Enable Network Segmentation as a Part of a Broader Healthcare Cybersecurity Compliance Strategy

Cylera plays a pivotal role in enabling network segmentation and supporting compliance with US and UK cybersecurity standards—without disrupting clinical workflows or requiring you to completely re-architect your network. Cylera does this by using a unique approach that supports network segmentation by combining advanced technology with healthcare-specific insights and integrations with popular firewall and NAC solutions. Here’s how:

Comprehensive Asset Discovery and Inventory

The first step in implementing a sound network segmentation strategy for your healthcare IoT and connected medical devices is to have a foundational baseline of what you’re working with. That means being able to quickly and efficiently discover and inventory all of your connected medical devices.

Detailed Device Profiling and Classification

Once you have a comprehensive inventory, you need to be able to obtain detailed device profiles for all the different types of medical devices on your network. This includes information such as:

  • Model and manufacturer
  • Operating system
  • Software and firmware
  • Vendor
  • Device utilization
  • Network services

Having this level of granular detail about each device provides a starting point for medical device and network segmentation policies. You can then further tailor polices to each device based on its risk level and function.

Clinical Workflows and Communication Patterns

The next step in accurate medical device network segmentation is to ensure you understand device network traffic patterns. You must understand how different devices communicate and depend on clinical systems and other infrastructure within a clinical setting. You also need this information to ensure that implementing network segmentation doesn’t disrupt patient care or impact operations.

Automated Policy Generation and Review

Once you have a good understanding of your medical device asset inventory, device profiles, and clinical workflows and communication patterns, you are now ready to “put the pedal to the metal” and really accelerate your healthcare network segmentation program. How do you do this? By generating and using automated network segmentation security policies. With the right healthcare asset intelligence and cybersecurity platform, you can use all your collected intelligence to automatically generate network segmentation policies. The ability to automatically generate network segmentation security policies reduces human error, accelerates segmentation implementation, and helps make sure that the policies can quickly adapt to changing healthcare environments.

Policy Forwarding to NACs and Firewalls for Enforcement

Once Cylera generates automated networks segmentation policies, Cylera integrations with solutions such as Cisco ISE, Cisco DNA, Forescout, Illumio, Extreme Networks, and HPE Aruba ClearPass are able to use the segmentation policies forwarded to them by Cylera to enforce network segmentation and isolate critical devices. This ensures that compromised devices don't create a domino effect out to other devices and compromise vital systems or patient data.

Dynamic Policy Adjustments

Cylera’s automated policy generation also includes dynamic policy adjustments. When a new device joins the network, or an existing device exhibits a different behavior, Cylera uses machine learning and behavioral analysis. This enables change detection and segmentation policy adjustments in real time. It also ensures that network segmentation policies automatically evolve and adapt to changing network conditions and emerging threats.

Next Steps

Cylera empowers healthcare organizations to strengthen their cybersecurity posture. The Cylera platform helps enable effective network segmentation and ensure compliance with both US and UK regulatory standards. It provides unparalleled visibility into connected devices and vulnerabilities and helps and preventing lateral movement. These capabilities protect sensitive patient data, help ensure operational continuity, and meet evolving compliance requirements.

Learn more about how Cylera supports healthcare cybersecurity network segmentation and compliance. Contact us or request a demo. We'd be happy to share some real-world examples from our US and UK customers. See how the Cylera platform enhances healthcare network security and supports compliance with cybersecurity standards.

  • Maureen Sahualla started her cybersecurity career in the mid to late 1990s, right when most people and organizations began to fully embrace the Internet, but often without fully understanding all the associated risks. Since then, it has been a wild ride as the world has gone online, threats have diversified and multiplied, and the cybersecurity industry has continued to grow at the speed of light. Maureen has seen a lot and worn a lot of different hats during her years working for enterprise software companies focused on trying to protect organizations around the world from cyber threats. Currently Maureen serves as Head of Marketing at Cylera, a leading healthcare IoT asset intelligence and security company.

Recent Related Stories

Network Segmentation and Protection
Medical Device Segmentation: Isolating Critical Equipment to Improve Security in Hospitals
Medical devices are becoming more and more interconnected. Being able to establish and maintain healthcare IoT and connected medical device…
Read More
Compliance
HIPAA Security Rule Overhaul: What You Need to Know Now
On December 27th, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released…
Read More
Network Segmentation and Protection
How Healthcare Networks Can Prevent Lateral Movement in Cyberattacks
A cybersecurity attack on a healthcare network is never a “once and done” breach. It’s an ongoing threat which has…
Read More

Categories

Artificial Intelligence (AI) (2)
AI - Defensive (2)
AI - Offensive (1)
Asset Discovery and Inventory (3)
Asset Visibility (3)
Board Communications (1)
CCTV Cameras (1)
Critical National Infrastructure (CNI) (2)
Company (3)
Compliance (13)
Cyber Attack (8)
Cybercrime (3)
Cybersecurity (9)
Cybersecurity Best Practices (5)
Cybersecurity Talent (1)
Cyber Threats (13)
Cybersecurity Startups (1)
Cyberwarfare (2)
Data Breach (1)
Data Enrichment (4)
Events (1)
FDA (1)
Fireside Chat (1)
Fraud (1)
General (8)
Geopolitics (1)
Healthcare (7)
Healthcare Cybersecurity (18)
Healthcare IoT (6)
Healthcare IoT Security (HIoT) (6)
HIPPA (1)
Incident Response (1)
Integrations (1)
Interview (1)
IoT (1)
IoT Security (9)
Inventory (5)
Machine Learning (ML) (2)
Medical Device Security (13)
Medical Imaging (1)
Monitoring (1)
Network Segmentation and Protection (6)
Password Policy (1)
Ransomware (4)
Regulation (3)
Remediation (2)
Risk Analysis (1)
Risk Mitigation (9)
Rural Healthcare (1)
Russia (2)
Security Education (2)
Technology (6)
Technology Company (1)
Threat Detection and Response (8)
Threat Landscape (2)
Threat Intelligence (3)
United Kingdom (UK) (3)
Vulnerability and Risk Management (4)
VPN (1)
Webinar (1)

Connect