The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert advising organisations to harden their security posture in light of a recent cyberattack on medical device company Stryker.

Noting that the cyberattack on Stryker affected its Microsoft environment, CISA has urged organisations to harden their network security through a range of actions.

In designating administrative roles, the regulator advises that organisations use ‘principles of least privilege’. This directive means organisations should assign only the minimum permissions necessary to complete day-to-day operations in Microsoft’s Intune cloud-based endpoint management solution. CISA also advocates enforcing phishing-resistant multi-factor authentication (MFA) and privileged access hygiene, and configuring Intune access policies that require multi-admin approval.
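One way to check an environment against those three points, as an added example that is not from the article or from CISA’s alert: the script below audits a simplified, constructed export of admin role assignments and MFA registrations (the field names and role scopes are assumptions, not the Microsoft Graph schema) and flags unscoped broad roles, admins without a phishing-resistant method, and high-impact operations lacking a multi-admin approval policy.

```python
"""Audit admin assignments for least privilege, phishing-resistant MFA and
multi-admin approval coverage. Record layout is a constructed simplification
(assumption); map your own export's fields onto it before use."""

# Constructed sample export (assumed field names): who holds which role, over
# which scope ("all" = unscoped), and which MFA methods they have registered.
ASSIGNMENTS = [
    {"principal": "alice@example.test", "role": "Global Administrator",
     "scope": "all", "mfa_methods": ["fido2"]},
    {"principal": "bob@example.test", "role": "Intune Administrator",
     "scope": "all", "mfa_methods": ["sms"]},
    {"principal": "carol@example.test", "role": "Help Desk Operator",
     "scope": "tag:emea-laptops", "mfa_methods": ["fido2", "authenticator_push"]},
    {"principal": "svc-deploy@example.test", "role": "Intune Administrator",
     "scope": "all", "mfa_methods": []},
]

# Operations that should sit behind multi-admin approval (assumed baseline)
# versus the ones a constructed export says are actually covered.
MAA_REQUIRED = {"apps", "scripts", "device_actions"}
MAA_CONFIGURED = {"apps"}

# Methods counted as phishing-resistant for this audit (assumed labels).
PHISHING_RESISTANT = {"fido2", "windows_hello_for_business", "certificate"}
# Roles broad enough that an unscoped assignment is a least-privilege finding.
BROAD_ROLES = {"Global Administrator", "Intune Administrator"}


def audit(assignments, maa_configured):
    """Return a list of (subject, finding) tuples; empty means no findings."""
    findings = []
    for a in assignments:
        who = a["principal"]
        # Least privilege: a broad role should not be assigned over all devices.
        if a["role"] in BROAD_ROLES and a["scope"] == "all":
            findings.append((who, f"broad role '{a['role']}' with unscoped assignment"))
        # Phishing-resistant MFA: every admin needs at least one strong method.
        if not PHISHING_RESISTANT & set(a["mfa_methods"]):
            findings.append((who, "no phishing-resistant MFA method registered"))
    # Multi-admin approval: each high-impact operation needs a policy.
    for op in sorted(MAA_REQUIRED - maa_configured):
        findings.append((f"maa:{op}", "no multi-admin approval policy configured"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(ASSIGNMENTS, MAA_CONFIGURED):
        print(f"{subject}: {finding}")
```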

The cyberattack on Stryker began in the early hours of 11 March, with Stryker’s headquarters in Cork, Ireland, the first site affected by the incident.

In the days following the attack, Stryker told customers the incident had affected its “own internal Microsoft environment”, and that disruptions persisted in order processing, manufacturing and shipping.

In a Form 8-K with the US Securities and Exchange Commission (SEC), Stryker said the incident caused, and was expected to continue to cause, “disruptions and limitations of access to certain of the company’s information systems and business applications supporting aspects of the company’s operations and corporate functions”.

Organisations told not to view security posture as static

Iran-linked hacktivist group Handala claimed responsibility for the attack on Stryker. The group said the action was carried out in retaliation for “the brutal attack on the Minab school and in response to the ongoing cyber assault on the Axis of Resistance”.

On 28 February 2026, the first day of the 2026 Iran war, the Shajareh Tayyebeh girls’ elementary school in Minab, Hormozgan province in southern Iran, was bombed. Upwards of 150 children are thought to have been killed in the attack.

Handala went on to claim that its attack on Stryker had “wiped” over 200,000 of the company’s systems and extracted 50 terabytes (TB) of critical data across Stryker’s offices in 79 countries.

California-based Reach Security, a cybersecurity company, highlights that when bad actors gain access to systems that manage devices or security tools, they can use built-in capabilities to attack.

In written comments provided to Medical Device Network, Reach CEO Garrett Hamilton said: “Our research shows those environments drift constantly unless they’re continuously validated.”

Hamilton highlights that, over time, these systems are prone to ‘configuration drift’, which can “quietly erode defences”.

“The fact that nation-state actors are choosing this path is a ‘strong signal’ to defenders,” Hamilton continued.

“If highly resourced adversaries are deprioritising zero-days in favour of configuration weaknesses, it suggests that many organisations are still leaving too much exposed. The takeaway from this incident is not simply ‘secure your devices’, though that is table stakes. The deeper lesson is that security posture cannot be treated as static.”

For the medtech industry, Christian Espinoza, CEO of US security firm Blue Goat Cyber, highlights that there is a growing expectation from regulators that cybersecurity be managed across the total product lifecycle and that vulnerabilities and software supply chain risks are actively monitored and addressed.

These tenets are evident in a US Food and Drug Administration (FDA) guidance document on cybersecurity issued in February 2026. The document highlights that there is an expectation for pre-market submission packages for medical devices to pay attention to factors such as total product lifecycle (TPLC) cybersecurity management and the continuous monitoring of vulnerabilities.

Espinoza concluded: “Incidents like this underline that medtech has to treat identity, device management and business continuity as core patient-safety functions, not back-office IT issues.”

According to Dr Andrew S Thompson, director of therapy research and analysis for medical devices at GlobalData, the attack on Stryker suggests that global regulators, such as CISA, should be calling for “greater international cooperation” and for the strengthening of the ISO-27001 cybersecurity standards, especially given that many companies do not use Microsoft Intune.

“Stryker had ISO-27001, but CISA’s request suggests that an early analysis indicates that Stryker, despite certification, was complacent,” Thompson said.