Navigating the 2026 HIPAA Security Rule Changes: What Network Segmentation Requirements Mean for Healthcare IoT Security
The HIPAA Security Rule is likely to change this year, signalling a shift in the way healthcare organizations will be expected to secure electronic protected health information (ePHI).
The change was announced in December 2024, when the U.S. Department of Health and Human Services released a Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The proposal is meant to enhance the HIPAA Security Rule by moving away from flexible, “addressable” safeguards and toward clearly defined, mandatory technical controls.
It’s unclear exactly when in 2026 this change is expected to go into effect, but the change has immediate implications for connected medical devices and the healthcare organizations that manage them. Segmentation is no longer an abstract best practice: it is about to become a regulatory expectation.
Understanding the Proposed Network Segmentation Mandate
What’s Changing?
Historically, the HIPAA Security Rule allowed many safeguards to be “addressable,” meaning that organizations had some flexibility in deciding how to implement those safeguards. The proposed rule changes that. Under the new framework, previously addressable specifications would become required, removing any ambiguity around implementation.
The proposal specifically mentions network segmentation as a required control, meant to keep attackers from moving freely across an organization’s systems once they gain access.
This change marks a clear shift from risk-based interpretation to prescriptive cybersecurity expectations. For healthcare leaders, it means segmentation will no longer be something you justify selectively. Now it’s something you have to demonstrate.
The Cybersecurity Context
The proposed change is partly a response to the threat landscape.
Healthcare remains one of the industries most targeted by cybercriminals. In 2022, healthcare organizations experienced an average of 1,463 cyberattacks per week per organization, a 74 percent increase from the prior year. High-profile incidents, including the Change Healthcare breach, have shown how quickly an intrusion can cascade across environments when the compromised entry point is not walled off from the rest of the network, disrupting care delivery and business operations simultaneously.
Traditional segmentation approaches have struggled to keep pace. Complexity, fear of downtime, and fragile configurations have left many healthcare networks overexposed to risk, even when leaders believed segmentation was in place.
Additional Related Requirements
Network segmentation is just one part of the expectations that would be tightened by this proposed rule. HHS is also proposing mandatory multi-factor authentication, encryption of ePHI both at rest and in transit, widespread anti-malware deployment, and regular security testing (vulnerability scans at least every six months and penetration testing at least annually). Business associates would be required to notify covered entities within 24 hours of activating their contingency plans in response to a security incident.
Organizations would also be required to maintain comprehensive asset inventories and network maps. In practice, this means that segmentation without accurate asset visibility will be impossible to defend during audits or incidents.
The Medical Device Segmentation Challenge
Why IoMT Makes Segmentation Complex
Medical device environments are fundamentally different from traditional IT networks and can be incredibly complex. For example, a large health system may operate tens of thousands of connected devices from hundreds of manufacturers, each using different protocols, operating systems, and communication patterns.
Many devices are legacy systems that cannot be patched or modified without regulatory approval. Others must operate continuously, making downtime unacceptable. Clinical workflows often depend on implicit trust between systems.
Blunt segmentation is often not an option; in many cases, it can break those workflows in ways that directly affect patient care.
Add regulatory requirements and the unique patient safety constraints of specific devices to the mix, and it becomes clear why applying conventional IT segmentation models to IoMT has failed so often.
The Traditional Approach Falls Short
Legacy VLAN and firewall-based segmentation approaches were not designed for the level of device diversity and operational sensitivity in the IoMT landscape. Traditional segmentation is labor-intensive to maintain, brittle under change, and difficult to validate at scale. Healthcare teams often struggle to create accurate device profiles, let alone maintain them as environments evolve.
As a result, many organizations either under-segment to avoid disruption or over-segment and roll changes back when clinical issues arise. Neither outcome satisfies security teams or regulators.
The Cost of Not Segmenting IoMT
Unfortunately, avoiding segmentation is not an option. A single ransomware incident in healthcare can cost millions in recovery, downtime, and reputational damage. Healthcare has had the highest average data-breach cost of any industry in the IBM/Ponemon Institute Cost of a Data Breach report for more than a decade. As enforcement tightens, compliance penalties and regulatory scrutiny will add to that cost.
More critically, attacks that reach medical devices can disrupt diagnostics, delay treatment, and compromise patient safety. Without effective segmentation, attackers who breach one system can move laterally within a healthcare organization’s networks, expanding impact far beyond the initial point of compromise.
A Smarter Approach: Beyond Default Segmentation
Targeted Segmentation
Effective segmentation does not mean isolating every device completely. It means applying controls strategically, based on risk and clinical relevance, focusing protection where it matters most. The goal isn't to apply segmentation broadly because the rules say so; it's to cut off attack paths without disrupting care.
The danger of segmenting by static rules alone is that those rules go stale quickly: devices are added, moved, re-addressed, or upgraded, and a rule set that was accurate at go-live silently stops matching the network it was written for, leaving healthcare organizations exposed without anyone noticing.
Integrating segmentation with tools like network access control systems gives healthcare organizations the ability to be more agile, allowing policies to adapt dynamically and intelligently apply segmentation.
Modern Microsegmentation for Healthcare
Microsegmentation is best implemented alongside solutions expressly designed for environments like healthcare. With a purpose-built healthcare security solution, organizations replace manual workflows with automation, real-time visibility, and AI-driven policy recommendations. Instead of assuming devices will behave a certain way, these systems observe actual communication patterns and enforce policies that align with clinical workflows.
While zero-trust principles still apply, they must be adapted for a medical device environment. In healthcare, zero trust cannot mean flipping every device to deny-by-default overnight and fixing clinical breakage afterwards. It means allowing only the flows a device actually needs, derived from observed behavior, in ways that are provable, auditable, and resilient.
The Foundation: Complete Cyber Asset Visibility
Segmentation doesn’t work if any connected devices are flying under the radar. Healthcare organizations need visibility of all their connected devices, which means automatic discovery and classification of every connected asset (including unmanaged and previously unknown devices) is critical.
Understanding how devices communicate, which systems they depend on, and how critical they are to care delivery is also important for segmentation to be effective. By using real-time network mapping, healthcare organizations gain the context needed to design segmentation policies that reduce risk without breaking operations.
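The two ideas above, observing real communication patterns to derive policy (Modern Microsegmentation) and refusing to segment anything that is not in the asset inventory (Complete Cyber Asset Visibility), can be shown in a few dozen lines. The script below is an added illustration written for this article, not code from Asimily or any other product. The device inventory, the baseline flow records, and the class-based policy model are all constructed assumptions: a real deployment would feed it flow telemetry (NetFlow, span-port captures, firewall logs) and a discovery-driven inventory. It learns per-device-class allow rules from the baseline, reports the systems each class depends on, and then classifies new flows as allowed, denied, or belonging to an asset that has not been identified yet.

```python
"""Derive allow-list segmentation rules from observed flows, then check new ones.

Constructed example: the inventory and flow records below are made up for
illustration; they are not output from any real product or hospital network.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# Constructed asset inventory: IP -> device class. Policy is written per class,
# not per IP, so a newly discovered infusion pump inherits its class's rules.
INVENTORY = {
    "10.10.1.11": "infusion_pump",
    "10.10.1.12": "infusion_pump",
    "10.10.2.21": "ct_scanner",
    "10.20.0.5": "pump_server",     # infusion pump management server
    "10.20.0.9": "pacs",            # picture archive (DICOM)
    "10.30.0.7": "radiology_ws",
    "10.0.0.53": "dns",
}

# Constructed baseline: flows observed while the network was known to be healthy.
BASELINE = [
    Flow("10.10.1.11", "10.20.0.5", "tcp", 443),   # pump -> pump server (HTTPS)
    Flow("10.10.1.12", "10.20.0.5", "tcp", 443),
    Flow("10.10.1.11", "10.0.0.53", "udp", 53),    # pump -> DNS
    Flow("10.10.2.21", "10.20.0.9", "tcp", 104),   # CT -> PACS (DICOM)
    Flow("10.30.0.7", "10.20.0.9", "tcp", 104),    # radiology workstation -> PACS
    Flow("10.30.0.7", "10.0.0.53", "udp", 53),
]


def build_policy(inventory, flows):
    """Return ({src_class: {(dst_class, proto, dport)}}, unknown_ips).

    Flows touching an IP that is missing from the inventory are not turned into
    rules; they are reported instead, because a rule for an unidentified asset
    cannot be justified during an audit or an incident."""
    policy = defaultdict(set)
    unknown = set()
    for f in flows:
        missing = [ip for ip in (f.src, f.dst) if ip not in inventory]
        if missing:
            unknown.update(missing)
            continue
        policy[inventory[f.src]].add((inventory[f.dst], f.proto, f.dport))
    return dict(policy), unknown


def evaluate(policy, inventory, flow):
    """Classify a candidate flow against the learned allow-list.

    Returns 'allow', 'deny', or 'unknown_asset' (one endpoint not inventoried)."""
    src_cls = inventory.get(flow.src)
    dst_cls = inventory.get(flow.dst)
    if src_cls is None or dst_cls is None:
        return "unknown_asset"
    if (dst_cls, flow.proto, flow.dport) in policy.get(src_cls, set()):
        return "allow"
    return "deny"


def dependencies(policy, device_class):
    """Classes a device class talks to: the systems its clinical workflow relies on."""
    return sorted({dst for (dst, _, _) in policy.get(device_class, set())})


def render_rules(policy):
    """Render the policy as human-readable allow rules for clinical/IT review."""
    lines = []
    for src_cls in sorted(policy):
        for dst_cls, proto, dport in sorted(policy[src_cls]):
            lines.append(f"allow {src_cls} -> {dst_cls} {proto}/{dport}")
    return lines


if __name__ == "__main__":
    policy, unknown = build_policy(INVENTORY, BASELINE)
    print("\n".join(render_rules(policy)))
    print("infusion_pump depends on:", dependencies(policy, "infusion_pump"))
    # A pump opening SMB to a radiology workstation is outside its baseline.
    print(evaluate(policy, INVENTORY, Flow("10.10.1.11", "10.30.0.7", "tcp", 445)))
    # A CT scanner not yet in the inventory cannot be placed in any segment.
    print(evaluate(policy, INVENTORY, Flow("10.10.2.22", "10.20.0.9", "tcp", 104)))
```

Two design points are worth noting. Rules are keyed on device class rather than address, which is what lets a policy survive a device being re-addressed or a new pump arriving; and an unidentified endpoint is a third outcome rather than being folded into "deny", because in a clinical setting the right response to an unknown device is to discover and classify it, not to silently drop its traffic.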
The Business Case Beyond Compliance
Changing segmentation practices is about more than basic compliance and ticking boxes. An intelligent segmentation plan has benefits across an entire healthcare organization, from security to efficiency.
Security Benefits
Even with strict controls in place, sometimes a cyberattack succeeds. A well-executed segmentation strategy can mitigate the damage of a breach, reducing the blast radius of successful attacks. It also enables faster detection, limits the lateral movement of threat actors, and lowers remediation costs by containing incidents before they spread.
Operational Efficiency
Being able to see all your connected devices means that your organization can better manage them. The same visibility that enables segmentation also improves the day-to-day operations of a healthcare organization: leaders gain better insight into device utilization, lifecycle management, and capital planning. Teams spend less time manually tracking devices and are freed up to address more complex risks.
Strategic Advantage
Unlike other connected devices, medical devices are frequently used in life-saving contexts. It makes perfect sense, then, that strong medical device security is increasingly a differentiator for healthcare organizations. Organizations that can demonstrate mature controls, strengthen patient trust, and improve stakeholder confidence are able to position themselves for future innovation that depends on connected care.
Moving from Reactive to Proactive
HIPAA’s proposed network segmentation mandate reflects a broader maturation of healthcare cybersecurity expectations. Medical device environments require solutions designed specifically for their complexity, not adapted from enterprise IT playbooks.
Healthcare organizations should begin planning now; organizations that wait for the final rule risk higher costs, rushed implementations, and unnecessary disruption. Early preparation allows teams to reduce risk methodically, align security with clinical operations, and spread investments over time.
Asimily was designed specifically for the realities of healthcare. It delivers continuous, automated visibility into every connected medical device, understands how those devices behave, and enables intelligent, targeted segmentation that aligns with clinical workflows. Rather than forcing brittle, manual controls onto fragile environments, Asimily helps organizations reduce lateral movement risk, strengthen compliance posture, and protect patient safety without taking devices offline.
The rule may still be proposed, but the direction is set. With Asimily, healthcare organizations can move from reactive compliance to proactive resilience and turn regulatory pressure into a lasting security advantage.