Health-ISAC Hacking Healthcare 5-22-2025

This week, Health-ISAC®'s Hacking Healthcare® examines a newly published handbook from the European Union Agency for Cybersecurity (ENISA) that outlines how EU member states may implement cyber stress testing as part of the growing EU cyber regulatory ecosystem. Join us as we break down why this new handbook was created and how it may end up affecting Health-ISAC members.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
PDF Version: TLP WHITE Hacking Healthcare 5.22.2025 (PDF, 222.5 kB)
Text Version:
Welcome back to Hacking Healthcare®.
Health-ISAC Americas Hobby Exercise 2025
Before we jump into today’s article, we are rapidly approaching the sixth annual Americas Hobby Exercise, and we encourage Health-ISAC members to consider registering their interest to attend. The exercise is an all-day workshop and tabletop exercise with Health-ISAC members and United States Government (USG) agencies. The exercise is designed to raise awareness of issues faced by the healthcare sector during and after a major incident and to build enduring relationships within and across the health sector and government to strengthen understanding, response, and recovery plans and activities.
This year’s Hobby Exercise will be held on June 26 in Washington, DC. Registration and additional information can be found here: https://portal.h-isac.org/s/community-event?id=a1YVn000002g8HlMAI
Additionally, for those seeking to better understand what the exercise looks like and what it has accomplished, we direct you to review previous Hobby Exercise After Action Reports:
Americas Hobby Exercise 2024: https://health-isac.org/hobby-exercise-2024-after-action-report/
Americas Hobby Exercise 2023: https://health-isac.org/hobby-exercise-2023-after-action-report/
ENISA Publishes Handbook for Cyber Stress Tests
The cybersecurity and resiliency of critical infrastructure entities have increasingly become a focus area for national and EU-level policies. The NIS 2 directive, the Cyber Solidarity Act (CSA), Digital Operational Resilience Act (DORA), and the Critical Entities Resilience Directive (CER) have all focused on these issues to some extent, and now the European Union Agency for Cybersecurity (ENISA) has published a handbook to help EU member states address the aspect of cyber stress testing.[i]
What Is This Handbook For?
In light of the policies referenced above, ENISA sought to develop this 27-page handbook on cyber stress testing “as guidance for national or sectorial authorities overseeing cybersecurity and resilience of critical sectors, at the national, regional or EU level under NIS 2 Directive,” while also noting its potential use “for other supervisory and national authorities under the sectorial regulations, such as those under Digital Operational Resilience Act (DORA) or the Critical Entities Resilience (CER) Directive.”[ii]
What Is Cyber Stress Testing?
As ENISA notes, there are many different definitions of "cyber stress testing," but it has chosen to define the term as a "targeted assessment of the resilience of individual entities and their ability to withstand and recover from significant cybersecurity incidents, ensuring the provision of critical services, in different risk scenarios."[iii]
There are many ways to assess the cybersecurity and resiliency of an entity, from highly technical penetration testing to real-time in-person exercises that seek to mimic the conditions of an incident. The handbook takes a different approach, noting that cyber stress tests are “mostly ‘desktop-based’, relying on a technical questionnaire, centered around one or more risk scenarios, which is filled out independently by the entities/organisations that are being tested.”[iv]
In ENISA's view, cyber stress tests should focus on resilience, be scenario-based, apply varying levels of stress, use metrics that assess resilience both qualitatively and quantitatively, and take a systemic risk view. ENISA believes that this type of testing has the advantage of being lightweight, targeted, and objective, while also enabling collaboration between an entity and its national authorities.
Handbook Contents
Beyond explaining the genesis of the handbook and defining what cyber stress testing is, the handbook also describes how ENISA views stress testing as part of the larger national supervisory authority toolkit under NIS 2, provides a step-by-step guide to conducting the various elements of a cyber stress test, and gives an overview of how such testing could be conducted at the regional or EU-wide level. Finally, in keeping with the EU's strong focus on improving the cybersecurity and resiliency of the health sector, the appendix contains two case studies, including a three-page health sector example.
We’ll look into the implications and uses of the handbook in our Action and Analysis section, available to Health-ISAC members.
Action & Analysis
**Available with Health-ISAC Membership**
[i] https://enisa.europa.eu/sites/default/files/2025-05/2025.04311_01_ms_v2.0_Handbook%20for%20Cyber%20Stress%20Tests_en.pdf
[ii] https://www.enisa.europa.eu/news/putting-eu-resilience-to-the-test-enisa-handbook-on-cyber-stress-testing
[iii] https://enisa.europa.eu/sites/default/files/2025-05/2025.04311_01_ms_v2.0_Handbook%20for%20Cyber%20Stress%20Tests_en.pdf
[iv] https://enisa.europa.eu/sites/default/files/2025-05/2025.04311_01_ms_v2.0_Handbook%20for%20Cyber%20Stress%20Tests_en.pdf