
The Cyberattack Everyone Should Watch – Especially Healthcare – Ep 553 

 March 27, 2026

By  Donna Grindle

Imagine logging in one morning and – poof – everything’s gone. Not locked, not held hostage… just gone. That’s the kind of cyberattack making waves right now, and it’s not your typical “pay me in Bitcoin” situation. In this episode, we unpack the Stryker cyberattack, a real-world incident that shows how attackers are shifting from making money to making a mess, and why that should have everyone in healthcare (and beyond) just a little more on edge.


Today’s Episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT



The Cyberattack Everyone Should Watch – Especially Healthcare

[00:34]

Global geopolitical tensions often lead to increased cyber activity from nation-state or nation-aligned groups. The private sector, especially healthcare, often becomes collateral damage. The recent cyberattack on medical technology company Stryker is a good example.


What We Know From Stryker About The Attack

According to the company’s SEC filing:

Key facts:

  • On March 11, 2026, Stryker identified a cybersecurity incident affecting certain IT systems.
  • The incident caused a global disruption to the company’s Microsoft environment.
  • The company activated its cybersecurity response plan and outside experts to investigate and contain the issue.

Additional company statements:

  • No evidence of ransomware or malware has been confirmed.
  • The company believes the incident is contained.
  • Medical products used in hospitals were not affected because they operate separately from internal systems.

Operational impact reported:

  • Employees in multiple countries lost access to systems and devices.

As of 3/15 this is their latest update on product safety:

All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use. This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise. Stryker, much like any Fortune 300 company, has embedded policies and procedures for cybersecurity assurances for our products in the field. This process at Stryker provides additional assurances that no potential vulnerabilities or risk of exploitation related to our connected products exist. Per our standard protocols, we have leveraged this process to confirm that our connected products were not impacted by the incident and remain safe to use.

What Security Researchers and Journalists Are Reporting

Based on KrebsOnSecurity and other security reporting from Healthcare IT News’ Andrea Fox:

What researchers say happened:

  • A group calling itself Handala, believed to be linked to Iranian intelligence, claimed responsibility.
  • The group claims it conducted a data-wiping attack (a “wiper”), designed to destroy systems rather than demand ransom.

One technical detail researchers are discussing:

  • Attackers may have used administrative access to Microsoft Intune, allowing them to remotely reset or wipe devices across the organization.

That type of attack:

  • doesn’t require malware
  • uses legitimate IT tools
  • can wipe thousands of devices very quickly.

Hackers claim:

  • hundreds of thousands of devices wiped
  • tens of terabytes of data stolen

Important note: Those claims have not been confirmed by Stryker.

Why This Incident Is Different (and Concerning)

This was not a ransomware attack for money. For years, the attacks we have dealt with were primarily motivated by money. Even nation-state attackers were often looking for money to fund their activities.

Instead, it appears to be a destructive disruption attack.

That changes the risk landscape.

Typical cybercrime goal:

  • steal data
  • demand ransom payment(s)

Destructive cyber operations goals:

  • shut down systems
  • erase data
  • create disruption

Experts say destructive cyber operations like this are increasingly part of state-aligned influence and retaliation campaigns.

Don’t assume they won’t steal the data; it just may not be to get you to pay them. Even when the attack is destructive, you will still have a data breach to deal with.

[08:21]

3 Reasons Healthcare Should Pay Attention

Everyone should be paying attention to incidents like this, but healthcare organizations should be paying very close attention to this one.

1. Healthcare supply chains are critical infrastructure

Stryker devices are used globally in surgery and hospitals. An attack on a supplier can ripple through healthcare systems. This has been something we have really worked on over the last few years. The supply chain can bring down the whole sector – Change Healthcare has taught us that.

HSCC’s Sector Mapping and Risk Toolkit (SMART) is a great tool to see just how interconnected we are with our supply chains. It may leave you a bit overwhelmed, though. BTW, shout out and big thanks to Sam Jacques, who was a co-lead of the team that put all of that together. She did our Kardon Club Hangout last month and explained how you can use it to see what could impact your organization.

2. These attacks target business systems, not just PHI

The attack disrupted corporate systems, not their medical devices.

But that can still impact:

  • ordering
  • logistics
  • customer support
  • service operations

3. Destructive attacks are harder to recover from

If systems are wiped rather than encrypted, recovery depends on:

  • backups
  • device rebuild
  • identity recovery

[17:36]

What Organizations Should Do Right Now

We all need to review our protections and plans to account for the change in the threat landscape. We haven’t looked at these events from the perspective that the goal is disruption, not ransom. They want to prevent you from operating your business like normal. What better way to get people to notice and talk about it than to attack your doctors, dentists, hospitals and more, where you notice they can’t provide care?

Just to be very clear – we are not suggesting people panic. However, to do proper risk management you have to evaluate changes to your risk environment and adjust your plans accordingly.

Everyone should conduct a real risk analysis of the threat, especially since the likelihood has increased. Based on that assessment, you should develop a checklist of actions to take as a precaution. The primary focus should be business continuity, because disruption is the goal of these attacks. The longer they can keep you off balance, the more successful they are at achieving that objective.

Here are some examples of actions you might consider, depending on what is appropriate for your environment.

1. Review identity security immediately

Many destructive attacks start with:

  • stolen admin credentials
  • compromised identity systems

Focus areas:

  • privileged accounts
  • conditional access
  • MFA strength

2. Test your ability to rebuild systems

If all of your laptops disappear tomorrow: Can you rebuild them all quickly?

Questions to ask:

  • How fast can we reimage devices?
  • Do we have offline backups?
  • Are recovery credentials protected?

[26:51]

3. Review remote management tools

Remote management tools are powerful and are used by most MSPs and internal IT departments. Tools like:

  • Mobile Device Management (MDM)
  • Microsoft Intune
  • Other third-party endpoint management agents

Have a discussion about the use of these tools in your environment. You don’t have to know all the details, but you should know if they are being used, because that opens you up to that risk.

If these tools are compromised, attackers can:

  • wipe devices
  • push commands
  • disable systems.
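
One check that fits this review, as an added example (not from the show notes or from any vendor's tooling): flag any admin account that issues destructive device actions against many devices within a short window. The event field names, action labels, thresholds and sample records are assumptions constructed for illustration; map them to whatever your management tool's audit export actually contains.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical action labels: map them to whatever your MDM's audit
# export actually calls wipe / reset / retire.
DESTRUCTIVE = {"wipe", "factory_reset", "retire"}


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Alert once per actor whose destructive actions reach `threshold`
    distinct devices inside any sliding `window`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE:
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        while ev["time"] - q[0][0] > window:  # expire old actions
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold and ev["actor"] not in alerts:
            alerts[ev["actor"]] = {"actor": ev["actor"],
                                   "first_seen": q[0][0],
                                   "triggered_at": ev["time"],
                                   "devices": len(devices)}
    return list(alerts.values())


def sample_events():
    """Constructed audit records for illustration, not real data."""
    t0 = datetime(2026, 1, 5, 9, 0)
    def ev(t, actor, action, dev):
        return {"time": t, "actor": actor, "action": action, "device": dev}
    events = [
        # Help desk: two wipes hours apart (normal offboarding).
        ev(t0, "helpdesk1", "wipe", "LT-0100"),
        ev(t0 + timedelta(hours=3), "helpdesk1", "wipe", "LT-0101"),
        # Routine non-destructive action by the same admin flagged below.
        ev(t0 + timedelta(minutes=5), "admin7", "sync", "LT-0200"),
    ]
    # One admin account wiping 8 devices in under 4 minutes.
    for i in range(8):
        events.append(ev(t0 + timedelta(hours=1, seconds=30 * i),
                         "admin7", "wipe", f"LT-03{i:02d}"))
    return events


if __name__ == "__main__":
    for alert in find_wipe_bursts(sample_events()):
        print(alert)
```

The alert fires on the fifth device, not after the burst ends, so the window and threshold should be set below the size of your normal batch operations such as planned hardware refreshes.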

4. Prepare for operational disruption

Not every attack is about data theft. Some are about causing chaos.

Organizations should plan for:

  • sudden system outages
  • device resets
  • identity failures

This will be the most important item on your list – review your business continuity plans. We have done episodes on them and covered many free guides to help you.

At the end of the day, this isn’t just another “protect the data” conversation – it’s a “can you still function tomorrow morning?” kind of problem. Healthcare organizations often think about cybercrime as a data breach issue, but increasingly, the bigger risk is operational disruption. The Stryker incident makes that painfully clear: a cyberattack doesn’t have to steal patient records to create a full-blown healthcare crisis. Sometimes, all it takes is pulling the plug on your ability to operate – and suddenly, everything stops.
