NDR vs. EDR For Healthcare

Why Does NDR Matter If I Already Have EDR?
Brian Thomas, Product Marketing Manager
Aug 8, 2024

You’ve already installed EDR software on all of the endpoints in your healthcare network. As long as it’s working, your whole network should be protected—right?

Here’s the TL;DR: EDR (Endpoint Detection and Response) doesn’t really cover all—or even most—of your endpoints. True security relies on defense in depth. If you use EDR without NDR, you’re leaving a huge attack surface exposed.

Wait…EDR Doesn’t Even Cover Most of My Endpoints?

No—and it was never meant to.

Here’s the good news: rare lapses aside, you can count on EDR products to enhance the security of your laptops, desktops, and servers, and it’s true that a lot of attacks originate there. But those aren’t the only devices on a modern healthcare network: infusion pumps alone account for over a third of the IoT footprint in a typical environment, and an average modern hospital bed is now connected to 10-15 medical devices, most of them networked.

These IoT devices typically don’t run Windows, macOS, or Linux. They use specialized firmware and operating systems that are not compatible with EDR products. Even though these devices now constitute the overwhelming majority of total endpoints in a typical healthcare network, EDR cannot see or protect them.

When a healthcare system uses only EDR, attackers can gain control of many connected devices and operate on the network for days, weeks, or months while security teams remain unaware.

Vulnerable IoT: Real-Life Lessons from PwnedPiper

Many hospital systems depend on pneumatic tube systems (PTS) to transport patient samples, pharmaceuticals, and other materials. While pneumatic tube technology itself predates computers, modern PTS installations are network-connected IoT devices.

In 2021, manufacturer Swisslog disclosed a number of vulnerabilities in their Translogic PTS stations. These vulnerabilities allowed any user to gain access to the system without authentication, potentially allowing attackers to disrupt transport of materials, halt the PTS system altogether, or install ransomware.

Soon after the zero-day was discovered, Swisslog announced a patch for 8 of the 9 vulnerabilities—but noted that legacy systems wouldn’t have an available patch. Most IoT/IoMT firmware is patched infrequently, so the vulnerabilities that get exploited most are often years old.

How NDR Covers What EDR Can’t

NDR covers the network traffic between all of the devices on a healthcare network—including the thousands of IoT/IoMT devices in a typical medical environment that aren’t compatible with EDR technologies.

For organizations that already use EDR, NDR from Cynerio offers significant improvements to detection and response capabilities, including:

  • Healthcare-specific detection rules: Cynerio NDR-H is built with healthcare in mind, and is trained on normal vs. abnormal traffic in a healthcare environment to minimize false positives.
  • Attack response and mitigation: Cynerio NDR-H can be used to contextualize and prioritize response, and can directly aid in remediation with CSA Medical Device Playbooks.
  • Identifying ongoing attacks: When you deploy Cynerio NDR-H, you may discover your connected devices are already under attack—so you know exactly what your first remediation priorities are.

While EDR is great at securing devices that run the “big three” operating systems, modern healthcare depends on connected devices that it simply can’t reach. Talk to Cynerio today to learn more about how our NDR-H solution can address the attack surface left uncovered by EDR products.
