News Item

On the Watch for Incident Response Capabilities in the Health Sector

The European Union Agency for Cybersecurity issues an analysis of the current state of development of sectoral CSIRT capabilities in the health sector since the implementation of the NIS Directive.

Published on November 11, 2021

The meetings of the CSIRT Network and the CyCLONe taking place these days in Ljubljana and online, have set the stage for the publication of the new report on CSIRT capabilities for increased efficiency of incident response tools and processes of specific sectors.

ENISA Report: CSIRT Capabilities in Healthcare Sector

Health organisations such as hospitals rely today on complex critical infrastructures in order to operate. For the year 2020, ENISA received a total of 742 reports about cybersecurity incidents with significant impact from the critical sectors under the Directive on security of network and information systems (NIS Directive). The health sector saw an increase of 47% of such incidents in 2020 compared to the previous year.

Cybersecurity attacks on healthcare can be life threatening for patients and provoke effects on the physical world. These attacks may also affect the entire health supply chain with damaging consequences for all stakeholders concerned such as citizens, public authorities, regulators, professional associations, industries, small and medium enterprises.

The number of cyber threats over the years is now rising proportionally to the growing popularity of emerging technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), big data, cloud computing and the multiplicity of connected devices, among others.

It is the role of Computer Security Incident Response Teams (CSIRTs) to develop the capabilities needed to address such issues and implement the provisions of the Directive on security of network and information systems (NIS Directive).


The report assesses the services developed and currently used by CSIRTs across the Member States, analyses the trends in relation to sector-specific CSIRTs and issues recommendations to strengthen the incident response capabilities (IRC) in the health sector.

Key findings

National CSIRTs are the entities in charge of incident response in the health sector. Although dedicated health sector CSIRTs are still the exception in the Member States, sector specific CSIRT cooperation is developing.

The lack of sector-specific knowledge or capacity of national CSIRTs, lessons learned from past incidents and the implementation of the NIS Directive appear to be the main drivers of the creation of sector-specific incident response capabilities in the health sector.

The study reveals the lack of security culture among Operators of Essential Services (OES). Because the pace of updates quickly outruns the pace of IT technology evolution when healthcare equipment usually has a lifetime of 15 years on average, vulnerabilities tend to accumulate with the obsolescence of the IT layer through the lifecycle of hardware and digital devices. Another challenge the healthcare sector is faced with is the complexity of systems due to the increased number of connected devices leading to an extension of the potential attack surface.

The key force driving the development of incident response capabilities of CSIRTs is the information related to security requirements and responsibilities of organisations for each sector. Shared frameworks for incident classification and threat modelling, education activities and a network allowing communication between incident response actors constitute the main resources and tools currently supporting the development of incident response capabilities.

National health sectoral CSIRTs tend to provide services better suited to the sector.


The sectoral health CSIRTs remain scarce in an environment where specialised support is needed to develop incident response activities. Based on the findings, the recommendations are to:

  1. Enhance and facilitate the creation of health sector CISRTs by allowing easy access to funding, promoting capacity building activities, etc.
  2. Capitalise on the expertise of the health CSIRTs for helping Operators of Essential Services (OES) develop their incident response capabilities by establishing sector-specific regulations, cooperation agreements, communication channels with OES, public-private partnerships, etc.
  3. Empower health CSIRTs to develop information sharing activities using threat intelligence, exchange of good practices and lessons learned, etc.

15th CSIRTs Network meeting and 5th CyCLONe Officers meeting

The two EU cybersecurity networks share a session together for the first time to address cyber incidents and crises management at both technical and operational levels. While the CSIRT Network engages in information sharing and cooperation between Member States at technical level, the EU CyCLONe provides situational awareness among competent authorities acting therefore at the operational level.

ENISA coordinates both secretariats of these networks and provides dedicated tools and expertise as well as the technical infrastructures needed for exercises and training. The Agency, therefore, acts as a facilitator between those different cyber networks including decision-makers responsible for crisis management. More information on this week events are available on the related event pages 15th CSIRTs Network meeting and 5th CyCLONe Officers meeting.


ENISA has been supporting the cooperation between CSIRTs and the development of the CSIRT network for more than 10 years. ENISA started evaluating CSIRT capabilities of individual NIS sectors in 2020, initially focusing on air transport and energy sectors.

ENISA also supports the cooperation of CSIRTs with law enforcement, finance, SCADA systems and energy communities.

Further information

CSIRT Capabilities in Healthcare Sector.

How to set up CSIRT and SOC – Good Practice Guide

Sectoral CSIRT Capabilities – Energy and Air Transport

Driving the Global Ecosystem of Incident Response Capabilities: New Studies Now Available

Brochure - Bolstering Incident Response in Europe

Press Contact

For questions related to the press and interviews, please contact [email protected].

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies