Stryker attack underscores growing cyber threat to health systems

An advisory from federal agencies warns U.S. organizations to step up efforts to protect information systems from Iran-based hackers.

While the military action in Iran seems to be a world away from American shores, adversarial action is not a respecter of borders in the computer age.

That became very clear earlier this month, when an Iran-linked hacker group claimed responsibility for a cyberattack on Stryker, a technology company specializing in surgical equipment, orthopedic implants and neurotechnology.

The group, known as Handala, claimed to have wiped information from more than 200,000 servers, mobile devices and other systems, and also contended that it took 50 terabytes of data from Stryker’s systems.

The attack reportedly forced the company to temporarily close its offices in some of the 79 countries in which it operates and resulted in a global outage.

By March 19, Stryker said the incident no longer affects “any of our products – connected or otherwise. All Stryker products across our global portfolio, including connected, digital and life-saving technologies, remain safe to use. This includes our navigation products.”

On Monday, March 23, the company reported that it believes it has contained the incident and has regained access to its systems, removing malicious files the hackers had installed on its internal Microsoft systems.

While federal officials say they have seized websites tied to the attackers’ operations, there are increasing warnings that this and other attacks may be aimed at key U.S. organizations, including hospitals, in response to American aggression in the Mideast.

Specific cyber guidance

The Stryker attack underscores concerns that federal agencies raised after the U.S. and Israeli attacks on Iranian sites and Iran’s responses to them.

The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and other federal agencies issued an advisory earlier this month, warning that Iranian groups could be seeking to attack critical infrastructure, including the healthcare sector.

The alert is concerning because groups associated with the Islamic Revolutionary Guard Corps previously have attacked “dozens of U.S. victims,” including the healthcare and public health sectors.

“Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity,” the warning notes. Agencies “are continuing to monitor the situation and will release pertinent cyber threat and cyber defense information as it becomes available.”

The agencies warn that attackers look for targets of opportunity “based on the use of unpatched or outdated software with known common vulnerabilities and exposures or the use of default or common passwords on Internet-connected accounts and devices.”

The agencies note that the current activity continues tactics Iranian actors have used in the past. “Over the past several months, Iranian-aligned hacktivists have increasingly conducted website defacements and leaks of sensitive information exfiltrated from victims,” the notice indicates. “These hacktivists are likely to significantly increase distributed-denial-of-service campaigns against U.S. and Israeli websites due to recent events.”

Finally, the agencies warn that Iranian-affiliated cyber actors may collaborate with criminal groups on ransomware attacks or covertly encrypt victims’ data.

Wider threats noted

The growth of Iranian threats is part of a broader pattern of risks to national cybersecurity, other federal agencies note.

The Office of the Director of National Intelligence recently released the 2026 Annual Threat Assessment of the U.S. Intelligence Community. According to an analysis by the College of Healthcare Information Management Executives (CHIME), “this report reflects the insights of the entire (intelligence community).”

In recent testimony before the Senate Select Committee on Intelligence, Director of National Intelligence Tulsi Gabbard said in her opening remarks that, in the “cyber domain, China, Russia, Iran, North Korea and non-state ransomware groups will continue to seek to compromise U.S. government and private-sector networks as well as critical infrastructure to collect intelligence, create options for future disruption and for financial gain.”

The risks are heightened for healthcare organizations. The Stryker attack, like the earlier attacks on Oracle and Change Healthcare, shows the serious downstream effects on the industry when a technology supplier to healthcare is breached.

Vulnerability awareness

“Attacks like this unfortunately aren’t surprising,” says Skip Sorrels, field chief technology officer and chief information security officer for Claroty, a technology security systems provider. “Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire.”

A growing number of attack vectors makes it incumbent on organizations to improve cybersecurity practices and exercise heightened awareness.

“In many cases, attackers simply find the path of least resistance — an exposed system, an unsecured management console or credentials that allow them to move deeper into the environment,” Sorrels notes.

“Once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems.

“As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those ‘open doors’ before attackers find them.”

Proactive steps to take

The recent federal advisory suggests the following safety measures.

Disconnect operational technology and industrial control systems from the public Internet.

Ensure devices and accounts are protected with strong, unique passwords or employ multi-factor authentication.

Implement phishing resistant multi-factor authentication.

Apply manufacturers’ latest software patches for Internet-facing systems.

Monitor user access logs for remote access to networks.

Establish processes that prevent unauthorized changes, loss of view, or loss of control of operational technology.

Ensure business continuity and incident response plans are in place, review them and update them as necessary.

Rehearse recovery efforts for critical systems and related actions.

Consider how leaked credentials could be leveraged to conduct malicious activity and ensure security measures are in place to mitigate the impact of any potential leaks.
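As an added example, not code from the article or from the federal advisory, the following Python script shows how two of the items above (monitoring access logs for remote access, and anticipating how leaked credentials could be used) and the advisory’s earlier warning about default or common passwords translate into concrete detection logic. It parses remote-access authentication events and flags brute force against one account, password spraying across many accounts from one source, a success that follows a burst of failures, logins that complete without MFA, and logins from a source the account has never used before. The log format, the sample records and the per-account source baseline are all constructed assumptions for illustration, not any real vendor’s schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records in a hypothetical remote-access gateway syslog
# format (an assumption, not a real vendor's schema). One event per line.
SAMPLE_LOG = """\
2026-03-09T01:10:00Z user=asmith src=198.51.100.22 result=SUCCESS mfa=fido2
2026-03-09T01:12:03Z user=jdoe src=203.0.113.7 result=FAIL mfa=none
2026-03-09T01:12:05Z user=jdoe src=203.0.113.7 result=FAIL mfa=none
2026-03-09T01:12:08Z user=jdoe src=203.0.113.7 result=FAIL mfa=none
2026-03-09T01:12:11Z user=jdoe src=203.0.113.7 result=FAIL mfa=none
2026-03-09T01:12:14Z user=jdoe src=203.0.113.7 result=FAIL mfa=none
2026-03-09T01:12:40Z user=jdoe src=203.0.113.7 result=SUCCESS mfa=none
2026-03-09T02:00:01Z user=u1 src=192.0.2.9 result=FAIL mfa=none
2026-03-09T02:00:02Z user=u2 src=192.0.2.9 result=FAIL mfa=none
2026-03-09T02:00:03Z user=u3 src=192.0.2.9 result=FAIL mfa=none
2026-03-09T02:00:04Z user=u4 src=192.0.2.9 result=FAIL mfa=none
2026-03-09T02:00:05Z user=u5 src=192.0.2.9 result=FAIL mfa=none
"""

# Baseline of source addresses each account has used before. Constructed here;
# in practice it is built from historical logs.
KNOWN_SOURCES = {"asmith": {"198.51.100.22"}, "jdoe": {"198.51.100.10"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) mfa=(?P<mfa>\S+)$"
)


def parse_log(text):
    """Parse log text into a chronologically ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected schema
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_sources, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, user, src) alerts, each emitted at most once per key."""
    alerts = []
    seen = set()
    fails_by_user_src = defaultdict(deque)  # failure timestamps per (user, src)
    fails_by_src = defaultdict(deque)       # (timestamp, user) failures per src

    def emit(rule, user, src):
        key = (rule, user, src)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    def prune(q, now, key=lambda item: item):
        # Drop entries older than the sliding window.
        while q and now - key(q[0]) > window:
            q.popleft()

    for ev in events:
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["result"] == "FAIL":
            q = fails_by_user_src[(user, src)]
            q.append(ts)
            prune(q, ts)
            if len(q) >= fail_threshold:
                emit("brute_force", user, src)  # many failures, one account
            sq = fails_by_src[src]
            sq.append((ts, user))
            prune(sq, ts, key=lambda item: item[0])
            if len({u for _, u in sq}) >= fail_threshold:
                emit("password_spray", "*", src)  # one source, many accounts
        else:
            q = fails_by_user_src[(user, src)]
            prune(q, ts)
            if q:
                emit("success_after_failures", user, src)  # guessed or stuffed
            if ev["mfa"] == "none":
                emit("no_mfa", user, src)  # password alone was enough
            if user in known_sources and src not in known_sources[user]:
                emit("new_source", user, src)  # never seen for this account
    return alerts


if __name__ == "__main__":
    for rule, user, src in detect(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"{rule:24} user={user} src={src}")
```

On the constructed records the script raises five alerts: brute force, success after failures, no MFA and new source for the jdoe login from 203.0.113.7, and a password spray from 192.0.2.9; the asmith login from a known source with hardware-key MFA raises none. The thresholds and window are starting points to tune against real traffic, and the "no_mfa" rule is the one that most directly tests whether the phishing-resistant MFA item above is actually enforced rather than merely available.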

Fred Bazzoli is the Editor in Chief of Health Data Management.
