Walk into any modern hospital, and you’re walking through a network. Infusion pumps deliver medication on schedule, while MRI machines push scans across switches. Cardiac monitors stream vitals to central stations, and tablets follow doctors and nurses from room to room. IoT cameras monitor entire floors, and printers spool patient summaries after each visit. An average hospital operates 10 to 15 medical devices per patient bed alone, and once you factor in the IoT and OT systems running alongside the clinical fleet, a large health system can have hundreds of thousands of network-connected devices online at any given moment. Much of that networked inventory, of course, is life-critical equipment.
Healthcare cybersecurity conversations have responded by orbiting one idea above all others: visibility. We need to see what’s on the network. When Asimily recently surveyed North American hospital CISOs about the challenge they’d most like to solve right now, 43% pointed to complete device visibility. While it’s a reasonable answer, it also misses something important.
Visibility across all connected devices is necessary, but visibility is not sufficient. Our industry’s framing of the problem has started to obscure a harder truth: the work waiting on the other side of asset discovery, deciding what the findings mean and in what order to act on them, is bigger than visibility itself. This matters even more as hospitals scale their IoMT, IoT, and OT fleets, and as older devices, still very much in use, show their age.
What Happens After You Can See Everything
Take a hospital that has finally achieved a clean inventory of its connected devices. Security teams now have visibility into thousands of assets and a steady stream of behavioral signals to work through. Many of those signals point to vulnerabilities in machines that cannot be patched on a normal cadence, either because the manufacturer hasn’t released a fix or because taking the device offline for maintenance would interfere with patient care or hospital operations. In the survey, 20% of hospital CISOs called data overload their biggest barrier to managing device risk, with others struggling to prioritize which IoT, OT, and IoMT vulnerabilities to remediate first.
Hospitals are getting better at seeing what’s on their networks, but far fewer have worked out what to do with everything they’ve found. What’s missing is the layer between visibility and a clear, efficient action. Risk prioritization that reflects how a device behaves, how critical it is (or isn’t) to patient care, and how much damage an exploit could realistically do given the device’s network position is what turns an inventory into something a security team can work from.
Why Segmentation Projects Stall
Nowhere does that judgment gap show up more starkly than in network segmentation, which has become the most prescribed remedy for hospital device security. The principle behind segmentation is intuitive: if a compromised cardiac monitor has no path to the EMR, and an HVAC controller has no way to pivot toward billing systems, the damage from any single intrusion stays contained. Segmentation is also where the prioritization problem becomes most apparent, because policy decisions require the same underlying judgment about which devices matter and how they behave in the real world. Cisco research has found that 79% of organizations consider segmentation a top priority, but only one in three have actually implemented it across both macro and micro layers.
Often, network segmentation projects stall because the people running them don’t have enough context to write policies that scale with new devices. Traditional network access control reduces a device to an IP address and a MAC address (both of which are trivially spoofed), and those say almost nothing about what the device is, how it normally behaves, what other systems it depends on, or whether a known exploit could realistically reach it from where it sits. Without any of that context, hospital IT and security teams default to writing broad policies meant to avoid disrupting clinical care. Those policies do avoid disruption, but they also fail to reduce meaningful risk: a rule that allows any clinical device to reach any IT system is segmentation in name only. I’ve seen countless cases where segmentation ends up living on a slide deck rather than in the network.
An Organizational Problem in Technical Clothing
Running alongside the technical challenges is an organizational one. One-third of CISOs cited internal process issues as their biggest barrier to managing device and equipment risk, putting it roughly even with visibility gaps (30%) and ahead of data overload (20%). In most hospitals, clinical engineering or facilities own the deployment and maintenance of medical, IoT, and OT devices. Security finds out about new devices after they’re already on the network. A third-party vendor reconfigures a piece of equipment during a service call and never tells anyone. Ownership of networked devices, in other words, gets passed informally from one department to another until it lands somewhere without the authority to do anything about it.
Hospital CISOs aren’t oblivious to any of this, but they’re managing thousands of network-connected devices under significant budget pressure and organizational silos, all while making sure that nothing they do disrupts patient care. They’ve figured out that visibility is the necessary first step. What remains is the bigger and more important challenge, and it lives in the space between knowing what’s on the network and being able to respond. Without cross-team agreement on who owns each device and who is allowed to change its network policy, even the most carefully prioritized risk and the best-designed segmentation policies can falter over time.
Where the Work Actually Lives
Closing that gap starts with risk prioritization. When hospitals make remediation decisions based on how critical a device is to patient care or hospital operations and on whether an exploit is actually realistic in their specific network context, and can say so with confidence, the population of devices demanding immediate attention shrinks dramatically. Our data suggests it usually narrows to about the top 1% of devices by risk. That’s a workable number that a security team can act on without burning through its quarter.
Segmentation should follow that same logic. Policies anchored in real behavioral baselines, deep device context, clinical function, business operations, and live communication patterns hold up over time, and they can be audited and adjusted as environments (inevitably) change. As importantly, they give security leaders something concrete to bring into conversations with clinical engineering, IT leadership, facilities, health technology management and the executives controlling the budget. The endgame is that segmentation stops being a perpetual project and starts being an operating discipline.
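As an added example (written for this page, not Asimily’s tooling or any data from the survey), the Python below sketches the layer the two preceding paragraphs describe: it takes a constructed device inventory with clinical criticality, patchability and known weak ports, plus a constructed flow baseline, and derives (1) a least-privilege allowlist that can be audited for violations and (2) a risk-ranked shortlist in which an unpatched weakness counts for more when a device in another zone can actually reach it. Every device name, zone, port and weight is an illustrative assumption.

```python
"""Added example (not Asimily's or any vendor's code): turn constructed device
context plus an observed-flow baseline into (1) a least-privilege segmentation
allowlist and (2) a risk-ranked shortlist that weighs clinical criticality and
whether an unpatched weakness is actually reachable from another zone."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str               # hypothetical asset name
    zone: str               # hypothetical network segment the device sits in
    clinical: int           # 1 (convenience) .. 5 (life-critical), set by clinical engineering
    patchable: bool         # a vendor fix exists and a maintenance window is feasible
    vuln_ports: frozenset   # listening ports tied to a known, unremediated weakness


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed inventory and baseline; every name, zone and port is illustrative.
DEVICES = {d.name: d for d in [
    Device("pump-7",      "clinical",   5, False, frozenset({80})),
    Device("monitor-3",   "clinical",   5, False, frozenset({23})),
    Device("ct-2",        "clinical",   5, False, frozenset({445})),
    Device("pump-server", "clinical",   4, True,  frozenset()),
    Device("emr-app",     "it",         4, True,  frozenset()),
    Device("it-jump",     "it",         2, True,  frozenset()),
    Device("bms-ws",      "it",         2, True,  frozenset()),
    Device("hvac-1",      "facilities", 2, True,  frozenset({502})),
    Device("cam-12",      "facilities", 1, False, frozenset({554})),
    Device("nvr-1",       "facilities", 1, True,  frozenset()),
]}

BASELINE = [  # constructed flows "observed" during a learning window
    Flow("pump-7", "pump-server", 443),
    Flow("pump-server", "pump-7", 80),
    Flow("monitor-3", "emr-app", 2575),
    Flow("it-jump", "monitor-3", 23),
    Flow("bms-ws", "hvac-1", 502),
    Flow("nvr-1", "cam-12", 554),
]

# Assumed exposure weights: a weakness reachable from another zone is the
# realistic pivot path; one reachable only from its own zone is less so; one
# that no baseline peer talks to is closed once the allowlist is enforced.
CROSS_ZONE, SAME_ZONE, UNREACHED = 3.0, 1.0, 0.5


def allowlist(flows):
    """Least-privilege policy: exactly the (src, dst, port) triples seen in the
    baseline. Anything else is denied, so new device behaviour surfaces as a
    violation to review instead of silently widening the policy."""
    return frozenset((f.src, f.dst, f.port) for f in flows)


def violations(policy, flows):
    """Flows outside the policy: what to review (or block) after enforcement."""
    return [f for f in flows if (f.src, f.dst, f.port) not in policy]


def exposure(dev, devices, flows):
    """Highest reachability weight across the device's vulnerable ports."""
    worst = UNREACHED if dev.vuln_ports else 0.0
    for f in flows:
        if f.dst == dev.name and f.port in dev.vuln_ports:
            w = CROSS_ZONE if devices[f.src].zone != dev.zone else SAME_ZONE
            worst = max(worst, w)
    return worst


def risk_score(dev, devices, flows):
    """criticality x reachability, with a premium for devices that cannot be
    patched, because the only remaining mitigation is network-side."""
    premium = 1.0 if dev.patchable else 1.5
    return dev.clinical * exposure(dev, devices, flows) * premium


def prioritize(devices, flows, top=3):
    """Ranked (name, score) shortlist: the workable number a team acts on."""
    ranked = sorted(((d.name, risk_score(d, devices, flows)) for d in devices.values()),
                    key=lambda t: -t[1])
    return ranked[:top]


if __name__ == "__main__":
    policy = allowlist(BASELINE)
    print("policy rules:", len(policy))
    for name, score in prioritize(DEVICES, BASELINE):
        print(f"{name:12} {score:5.2f}")
    # A camera that starts talking to the EMR is outside its baseline.
    for v in violations(policy, BASELINE + [Flow("cam-12", "emr-app", 443)]):
        print("violation:", v)
```

Two things the ranking shows that the inventory alone does not: the telnet-exposed monitor reachable from an IT jump host outranks the infusion pump whose weak admin port is only spoken to by its own pump server in the same zone, and the CT scanner with an unreachable SMB weakness drops to the bottom of the list even though it is just as life-critical, because the allowlist closes that path. In practice the baseline window must be long enough to capture scheduled traffic such as overnight backups and vendor service sessions, or those legitimate flows will show up as violations on day one.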
Healthcare delivery systems have spent years learning to see their own networks. What comes next, namely deciding what all those devices mean and acting on what actually matters, is the work that will determine whether all that hard-won visibility translates into safer hospitals. It’s the part coming due.
