MedCity Influencers

When Geopolitics Becomes a Patient Safety Issue: Protecting Healthcare in an Era of Targeted Cyberattacks

The adversaries targeting critical infrastructure today are not always chasing a ransom. Sometimes, they are chasing chaos. That distinction matters, and most healthcare organizations are not yet prepared for it.

When an apparently pro-Iranian hacktivist group named Handala allegedly wiped data from more than 200,000 systems tied to Stryker’s device management environment earlier this year, the incident did more than disrupt one company’s operations. It sent a warning shot across the entire healthcare ecosystem: the adversaries targeting critical infrastructure today are not always chasing a ransom. Sometimes, they are chasing chaos.

That distinction matters, and most healthcare organizations are not yet prepared for it.

A new threat calculus

For the better part of a decade, healthcare’s cybersecurity posture has been shaped largely in response to ransomware. Lock down endpoints. Back up data. Have a recovery plan. Those measures remain essential, but they were built to counter a financially motivated adversary: one who wants your money and will restore your systems once they get it.

Geopolitically motivated attackers operate under a fundamentally different motive. Groups acting on behalf of nation-state interests, or in alignment with them, are often seeking to demonstrate power, sow disruption, or retaliate against perceived enemies. Their tools may include destructive malware, data wipers, and coordinated disinformation. Their goal is not a payday. It is paralysis.

Healthcare has become a preferred target for these actors precisely because of what is at stake. Hospitals cannot simply go offline. Medical devices cannot always be safely shut down. A disrupted supply chain can delay surgeries, compromise medication management, and affect patient outcomes in ways that are immediately visible to the public. For an adversary seeking to create fear and erode confidence in a country’s institutions, healthcare is an extraordinarily effective pressure point.

The supply chain is the attack surface

The Stryker incident also illustrates a risk that the industry has been slow to fully internalize: healthcare’s attack surface extends far beyond the hospital perimeter. Every vendor, device manufacturer, and software provider connected to a health system represents a potential entry point, or, as in this case, a potential point of failure.

Modern hospitals rely on hundreds of third-party systems. Imaging platforms. Infusion pumps. Clinical communication tools. Revenue cycle software. These integrations create efficiency and enable better care, but they also mean that a cyberattack on a vendor can cascade rapidly into clinical environments, disrupting workflows and potentially affecting patient safety, even when the hospital itself has done nothing wrong.

Following the Stryker incident, hospitals in Michigan took medical devices offline as a precaution and activated backup communication systems. Those are the right responses. But they also reveal a fragility that healthcare leaders should find deeply uncomfortable: facilities were reacting to an event they did not cause and could not have prevented through their own security controls alone. That is the nature of third-party risk, and it demands a more sophisticated response than most vendor management programs currently provide.

The federal framework: Building resilience across sectors

The U.S. government has recognized the interconnected vulnerability of critical infrastructure for years. National Security Memorandum 22 (NSM-22), signed in April 2024, updated the nation’s foundational framework for critical infrastructure protection — explicitly acknowledging that the threat environment had shifted from counterterrorism to strategic competition and nation-state cyber activity. Earlier this year, the Trump Administration’s Cyber Strategy for America reinforced that posture, identifying healthcare alongside energy, financial services, and telecommunications as a top priority for hardening and supply chain security. Taken together with a steady drumbeat of sector-specific advisories from the Cybersecurity and Infrastructure Security Agency (CISA), the message from Washington has been consistent: in an era of escalating geopolitical tension, adversaries will probe our most essential systems.

Healthcare has its own coordination mechanism designed for exactly this kind of threat. The Health Sector Coordinating Council (HSCC), a public-private partnership between the Department of Health and Human Services and industry stakeholders, exists to align the sector’s defenses and improve collective response. The HSCC’s Cybersecurity Working Group has produced guidance specifically addressing supply chain risk, medical device security, and incident response, resources that are often underutilized, particularly in smaller or resource-constrained organizations.

This summer, the HSCC is planning to run a national cyber exercise: a sector-wide simulation of the kind of large-scale, coordinated attack that could simultaneously affect multiple facilities, vendors, and critical systems across healthcare. It is exactly the kind of event that should be on every security and operations leader’s calendar. These exercises expose gaps that tabletop discussions and policy reviews simply cannot surface: the moments where communication breaks down, where decision authority is unclear, and where downtime procedures that look solid on paper fall apart under simulated pressure. Organizations that participate will leave with a far more honest picture of their actual resilience, and a roadmap for closing the gaps before a real adversary finds them first.

Rethinking defense for a different kind of adversary

Defending against geopolitically motivated attackers requires healthcare organizations to think differently about both their threat intelligence and their resilience strategy. Here is what that looks like in practice.

First, understand your adversary’s motives and methods. Threat intelligence is not just for large academic medical centers with dedicated security operations centers. Every organization should have access to sector-specific threat feeds and should understand which threat actors are currently active, what their known tactics are, and whether recent geopolitical events have elevated risk in their specific region or specialty. CISA’s advisories and the Health-ISAC’s threat bulletins are a starting point, but organizations should also ensure their security teams are contextualizing global events through a healthcare lens.

Second, validate that existing controls are calibrated for destructive threats. Many organizations have evaluated their security posture primarily against ransomware scenarios. Destructive attacks follow different patterns: they may not trigger the same alerts, may not follow the same dwell times, and may not give organizations the recovery window that ransomware typically does. Tabletop exercises and security control testing should explicitly include wiper malware and infrastructure disruption scenarios.

Third, harden your third-party risk management program. Organizations should have real-time visibility into the connectivity between their internal networks and vendor-managed systems. They should know which clinical and operational functions depend on which vendors, and they should have documented downtime procedures that can be activated quickly if vendor support is disrupted. The question to ask is not just “has our vendor been breached?” but “what happens to our operations if their systems go dark?”
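One way to make the "what happens if their systems go dark?" question answerable on demand is to keep a machine-readable dependency map from vendors to vendor-managed systems to clinical functions, with the downtime procedure for each function recorded beside it. The example below is added here for illustration and is not code from the article or from any vendor or health system it mentions; the inventory, vendor names and procedure identifiers are constructed placeholders. It follows dependencies transitively, so an outage at one vendor surfaces the cascade into systems run by other vendors, and it flags impacted functions that have no documented downtime procedure, which is the gap a tabletop exercise would otherwise have to find.

```python
"""Vendor dependency map for a hospital: constructed example, not from the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VendorSystem:
    """A vendor-managed system the hospital's network connects to."""
    name: str
    vendor: str
    depends_on: Tuple[str, ...] = ()  # other vendor-managed systems it cannot run without


@dataclass(frozen=True)
class ClinicalFunction:
    """A clinical or operational function and the systems it needs."""
    name: str
    systems: Tuple[str, ...]
    downtime_procedure: Optional[str] = None  # None means no documented procedure (a gap)


# Constructed inventory; vendor names and procedure IDs are hypothetical.
SYSTEMS: Dict[str, VendorSystem] = {
    "device-mgmt-platform": VendorSystem("device-mgmt-platform", "DeviceCo"),
    # Cross-vendor dependency: PumpCo's gateway needs DeviceCo's platform.
    "infusion-pump-gateway": VendorSystem("infusion-pump-gateway", "PumpCo",
                                          depends_on=("device-mgmt-platform",)),
    "imaging-pacs": VendorSystem("imaging-pacs", "ImagingCo"),
    "secure-messaging": VendorSystem("secure-messaging", "CommsCo"),
}

FUNCTIONS: List[ClinicalFunction] = [
    ClinicalFunction("IV medication administration", ("infusion-pump-gateway",),
                     "DT-PHARM-01: manual pump programming, paper MAR"),
    ClinicalFunction("Surgical device tracking", ("device-mgmt-platform",),
                     "DT-OR-03: paper device log"),
    ClinicalFunction("Radiology reads", ("imaging-pacs",),
                     "DT-RAD-02: read from modality workstations"),
    ClinicalFunction("Clinical paging", ("secure-messaging",)),  # no procedure documented
]


def systems_affected_by(vendor: str, systems: Dict[str, VendorSystem]) -> Set[str]:
    """Systems that stop working if `vendor` goes dark, following dependencies transitively."""
    down = {name for name, s in systems.items() if s.vendor == vendor}
    changed = True
    while changed:  # fixed-point iteration over the dependency edges
        changed = False
        for name, s in systems.items():
            if name not in down and any(dep in down for dep in s.depends_on):
                down.add(name)
                changed = True
    return down


def impact_of_vendor_outage(vendor: str, systems: Dict[str, VendorSystem] = SYSTEMS,
                            functions: List[ClinicalFunction] = FUNCTIONS) -> dict:
    """Answer 'what happens to operations if this vendor's systems go dark?'"""
    down = systems_affected_by(vendor, systems)
    hit = [f for f in functions if any(s in down for s in f.systems)]
    return {
        "systems_down": sorted(down),
        "functions_impacted": sorted(f.name for f in hit),
        "procedures_to_activate": sorted(f.downtime_procedure for f in hit if f.downtime_procedure),
        "functions_without_procedure": sorted(f.name for f in hit if f.downtime_procedure is None),
    }


def readiness_gaps(functions: List[ClinicalFunction] = FUNCTIONS) -> List[str]:
    """Functions with no documented downtime procedure at all, regardless of vendor."""
    return sorted(f.name for f in functions if f.downtime_procedure is None)


if __name__ == "__main__":
    for vendor in ("DeviceCo", "CommsCo"):
        print(vendor, impact_of_vendor_outage(vendor))
    print("gaps:", readiness_gaps())
```

In this inventory an outage at DeviceCo takes down two systems and two clinical functions even though only one system is DeviceCo's, and a CommsCo outage hits a function that has no downtime procedure to activate. Keeping the map current, ideally generated from firewall and VPN connection records rather than maintained by hand, is what turns it from a one-time exercise into the real-time visibility the text calls for.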

Fourth, invest in detection and response, not just prevention. Geopolitically motivated attackers often have significant resources and patience. Prevention controls will not stop every intrusion. Organizations that invest in continuous monitoring, rapid detection, and well-rehearsed incident response capabilities will be better positioned to minimize the impact of an attack when prevention fails, and at some point, for some organizations, it will.

Interconnectedness is the new normal

There is a temptation in healthcare to treat cybersecurity incidents at vendors or other sectors as someone else’s problem. The Stryker incident should put that temptation to rest. The modern healthcare ecosystem is deeply interconnected, with device manufacturers, software providers, logistics companies, and IT infrastructure firms. An attack anywhere in that ecosystem can affect patient care everywhere.

This is precisely why the federal government has framed healthcare as critical infrastructure and why coordination mechanisms like the HSCC exist. Cyber threats do not respect organizational boundaries, and neither should our defenses. Healthcare leaders who treat cybersecurity as an IT problem are already behind. Those who treat it as an operational and patient safety imperative, one that requires board-level attention, cross-sector collaboration, and continuous investment, are the ones building the resilience that will matter when the next incident occurs.

Because there will be a next incident. The geopolitical forces driving these attacks are not abating. The adversaries are learning from each engagement. The only question is whether the healthcare sector will learn faster.

Photo: Traitov, Getty Images

Dave Bailey is Vice President of Consulting Solutions & Strategy at Clearwater, where he leads the development and delivery of enterprise-level cybersecurity and risk management services for healthcare organizations nationwide. With more than 24 years of cybersecurity experience, including 14 years focused on healthcare, Dave is a trusted advisor to executive teams navigating complex regulatory, operational, and cyber risk challenges.

A recognized authority in cyber risk management and NIST Cybersecurity Framework assessment and implementation, Dave brings a strategic, business-aligned approach to security transformation. He previously served 13 years as a Communications and Information Officer in the United States Air Force, with leadership assignments spanning the Pentagon, domestic bases, and overseas operations. Dave holds an Executive MBA from Quantic School of Business and Technology and is a CISSP, blending executive perspective with deep technical expertise.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.