NDR (Network Detection and Response) tools provide visibility into what is really happening on the network and allow risks to be detected early. In practice they are useful not only in healthcare, but generally in any organization with a complex infrastructure. The talk showed how to get the most out of NDR: from asset inventory to threat detection and auditing exceptions.
What NDR sees and why it matters
The absolute basis of security is knowing which devices you have on the network and where they are. Without any active intervention, NDR clearly reveals devices along with their role and criticality, including those you had no idea existed until now. In a healthcare environment, these can be specific hospital modalities such as CT, X-ray machines, or infusion pumps, for which precise location and oversight are extremely important.
Equally important is verifying whether network segmentation and security policies hold in practice. When new technologies are deployed, temporary exceptions arise for vendors, and NDR helps check whether they were actually removed over time. From the measured links between systems you can determine which communication vectors are essential and which are safer to block to prevent misuse.
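One way to run the exception check described above, as an added example that is not from the talk or from any NDR product: it compares a list of temporary vendor exceptions with observed flow records. The record shapes, rule names, addresses and dates are all constructed for illustration.

```python
from collections import namedtuple
from datetime import date
from ipaddress import ip_address, ip_network

# Hypothetical record shapes: a temporary firewall exception with its planned
# removal date, and a simplified NDR flow record for an established session.
RuleException = namedtuple("RuleException", "name src dst port expires")
Flow = namedtuple("Flow", "day src dst port")

# Constructed sample data (documentation and private address ranges).
EXCEPTIONS = [
    RuleException("vendor-ct-install", "203.0.113.0/28", "10.20.5.10/32", 3389, date(2024, 3, 31)),
    RuleException("vendor-pacs-migration", "198.51.100.7/32", "10.20.8.0/24", 445, date(2024, 2, 15)),
    RuleException("vendor-pump-update", "192.0.2.44/32", "10.30.1.0/24", 443, date(2024, 6, 30)),
]
FLOWS = [
    Flow(date(2024, 3, 12), "203.0.113.5", "10.20.5.10", 3389),
    Flow(date(2024, 5, 2), "203.0.113.5", "10.20.5.10", 3389),   # after the expiry date
    Flow(date(2024, 1, 20), "198.51.100.7", "10.20.8.15", 445),  # before the expiry date
    Flow(date(2024, 5, 3), "10.20.5.10", "10.20.8.15", 104),     # matches no exception
]

def matches(exc, flow):
    """True if the flow falls inside the exception's source, destination and port."""
    return (ip_address(flow.src) in ip_network(exc.src)
            and ip_address(flow.dst) in ip_network(exc.dst)
            and flow.port == exc.port)

def audit(exceptions, flows):
    """Map each exception name to (status, last day matching traffic was seen)."""
    report = {}
    for exc in exceptions:
        days = [f.day for f in flows if matches(exc, f)]
        if not days:
            report[exc.name] = ("never_used", None)              # candidate for blocking
        elif max(days) > exc.expires:
            report[exc.name] = ("used_after_expiry", max(days))  # path evidently still open
        else:
            # No late traffic was seen; that alone does not prove the rule was removed.
            report[exc.name] = ("no_late_traffic", max(days))
    return report

if __name__ == "__main__":
    for name, (status, last) in audit(EXCEPTIONS, FLOWS).items():
        print(f"{name:24} {status:18} last_seen={last}")
```

An exception reported as `used_after_expiry` needs follow-up with the rule owner, while `no_late_traffic` still calls for a look at the firewall configuration itself.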
From uncovering threats to resolving the "ping-pong" with the vendor
Analysis of network traffic makes it possible to detect malicious activities, such as the presence of malware, attempts at lateral movement, command-and-control communication, or data exfiltration. It also helps with routine operational difficulties—for example, when users complain about a slow application and the vendor claims that "the problem is in the network." Thanks to evidence from NDR, you can determine whether the issue lies at the network or application layer and back up the discussion with facts.
NDR can also uncover a wide range of misconfigurations, such as nonstandard access to external DNS, excessive L2 operational noise, or suspicious services that have no business being in a segment. These findings shorten incident resolution time and reduce the risk of outages, which everyone appreciates, especially in hospital environments. This gives you a quick "audit view" of what is running and what should be turned off.
IT + OT: hospital modalities under one roof
A strength of modern NDR tools is that they monitor not only IT but also operational technology (OT) networks and connect them into a single picture. Since many attacks first penetrate IT and only then attempt lateral movement toward operational technology devices, full visibility across both worlds is crucial. In healthcare this means spotting suspicious communication aimed at hospital modalities in time and stopping it before it endangers the patient or operations.
NDR tools can assign context to devices based on analysis of domain-specific protocols, for example HL7, thereby simplifying rapid risk assessment. They also help meet regulatory requirements (e.g., NIS2) and provide an overview of external vendors' activities during remote access: who connected, when, to where, and what they did. The result is fewer blind spots, faster responses, and a safer network from IT all the way to OT.