From Operating Rooms To iPhones: What The Stryker Attack Reveals About Third-Party Risk
The Stryker cyberattack is a live case study in how third-party risk shows up in the real world, not on a management slide deck. A pro-Iran group, Handala, claims it broke into Stryker’s Microsoft-centric environment, wiped hundreds of thousands of devices, and walked away with tens of terabytes of sensitive data. The attack hit not just corporate IT but also the order processing, manufacturing, and shipping of Stryker’s connected medical devices, hospital beds, and orthopedic implants, exposing how fragile and concentrated healthcare becomes when its organizations all lean on the same digital backbone.
The outage is already causing visible disruption: plants and distribution centers have been crippled, delaying supply of critical products to hospitals and clinics. Service and maintenance for installed devices are degraded as systems used to schedule, coordinate, and support field teams are impacted. Communication with customers and suppliers is harder as collaboration, ordering, and ticketing tools go offline or into contingency mode.
Stryker Attack Unleashes A Trifecta Of Third-Party Risk
Underneath all of this is a trifecta of third‑party risk:
- The risk to Stryker. Attackers appear to have taken advantage of the healthcare sector’s overreliance on a small set of IT and cloud providers. Intune, the default choice for unified endpoint management of laptops and phones, supports over 72% of hospitals with more than 500 beds, and here a trusted management channel became a direct path into core systems. When that control plane was turned against its owner, it knocked out plants, field service, and support, not just email.
- The risk from Stryker. The roughly 50 terabytes of data that the attackers claim to have stolen may include design files, ERP and logistics data, supplier contracts, hospital records, and public‑sector information that can be repurposed into convincing phishing, payment fraud, fake recalls, and network intrusions that appear to come from Stryker itself.
- The risk to employees. Many employees allowed Stryker to manage their personal devices in a BYOD model. When Intune-enrolled phones and laptops were wiped, a “company breach” instantly became personal. Social media posts from people claiming to be Stryker employees indicate that they lost personal data such as photos, financial records, password managers, and MFA apps, opening a new door for account takeover and scams tied to the still-unfolding incident.
Preparing For The Next Critical Risk Event
For security and risk pros, the “what now?” is practical, not theoretical. Here’s how you can prepare for the risk, not just respond to the threat:
- Map and stress-test your critical dependencies. Keep an up-to-date view of critical SaaS, cloud, UEM, and MedTech providers, and run exercises that assume a Stryker-style outage at one or more of them at the same time. This includes every cloud-hosted enterprise management and security platform you depend on, such as your identity provider (IdP), UEM, DLP, EDR/XDR, or ZTNA.
- Assume third parties can be compromised. When a critical supplier is hit, rotate credentials, tighten controls on vendor‑branded communications, and brief staff on how attackers may impersonate that vendor.
- Third-party risk includes remote support access. Segment networks around crucial vendors, enforce least‑privilege access, and treat MedTech and IT providers with remote access as part of your own attack surface, not someone else’s problem.
- Detect and respond to anomalous traffic heading toward OT. Alert on traffic that deviates from established baselines for your operational technology equipment, including traffic from trusted vendors and IT systems, and establish and rehearse response plans that maintain safe operations while you shut down the threat.
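To make the last two recommendations concrete, here is an added example (not code from the original post, from Stryker, or from any vendor) of baseline-deviation detection for OT-bound traffic. It learns which (source, destination, port) paths into an OT segment are normal from a historical window of flow records, then flags three kinds of deviation in live flows: a never-seen source reaching OT, a known source (here a vendor remote-support host that is allowed HTTPS to one HMI) opening a new path such as Modbus to a PLC, and a known path moving far more data than usual. The OT address range, the vendor and IT addresses, the flow records, and the spike multiplier are all constructed for illustration.

```python
"""Baseline-deviation detection for traffic heading into an OT segment.

Constructed example: the addresses, flow records and thresholds below are
invented for illustration and do not describe any real network or incident.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical OT address space (assumption, not from the article).
OT_NETWORK = ipaddress.ip_network("10.50.0.0/16")

# Flag a known path whose bytes in the live window exceed this multiple
# of what it moved in the baseline window (assumed threshold).
VOLUME_MULTIPLIER = 5.0

# Constructed "learning window" flows: src,dst,dst_port,proto,bytes
BASELINE_FLOWS = """
# IT historian pulling from the OT data gateway over HTTPS
10.10.1.5,10.50.2.10,443,tcp,120000
10.10.1.5,10.50.2.10,443,tcp,110000
# Vendor remote-support host, allowed HTTPS to one HMI only
203.0.113.40,10.50.2.20,443,tcp,50000
# OT-internal Modbus between gateway and a PLC
10.50.2.10,10.50.3.7,502,tcp,8000
"""

# Constructed "live window" flows to evaluate against the baseline
LIVE_FLOWS = """
10.10.1.5,10.50.2.10,443,tcp,115000
203.0.113.40,10.50.2.20,443,tcp,48000
# Vendor host now talks Modbus directly to the PLC: new path for a known source
203.0.113.40,10.50.3.7,502,tcp,2000
# IT management server never seen reaching OT before
10.10.9.99,10.50.3.7,22,tcp,500
# Historian path suddenly moves ~10x its usual volume
10.10.1.5,10.50.2.10,443,tcp,1200000
# Non-OT traffic: must be ignored by the OT detector
10.10.1.5,10.10.2.2,445,tcp,3000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,port,proto,bytes' lines, skipping blanks and # comments."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(port), proto, int(nbytes)))
    return flows


def to_ot(flow: Flow) -> bool:
    """True when the destination lies inside the OT segment."""
    return ipaddress.ip_address(flow.dst) in OT_NETWORK


def build_baseline(flows: list[Flow]) -> dict[tuple[str, str, int], int]:
    """Learn the OT-bound (src, dst, port) paths and the bytes each moved."""
    baseline: dict[tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        if to_ot(f):
            baseline[(f.src, f.dst, f.port)] += f.nbytes
    return dict(baseline)


def detect(baseline: dict[tuple[str, str, int], int], flows: list[Flow]) -> list[str]:
    """Return one alert string per OT-bound deviation from the baseline."""
    known_sources = {src for (src, _, _) in baseline}
    volume: dict[tuple[str, str, int], int] = defaultdict(int)
    alerts: list[str] = []
    reported: set[tuple[str, str, int]] = set()
    for f in flows:
        if not to_ot(f):
            continue  # only traffic heading into OT is in scope
        key = (f.src, f.dst, f.port)
        volume[key] += f.nbytes
        if key in baseline or key in reported:
            continue
        reported.add(key)
        kind = "KNOWN_SOURCE_NEW_PATH" if f.src in known_sources else "NEW_SOURCE"
        alerts.append(f"{kind} {f.src} -> {f.dst}:{f.port}/{f.proto}")
    # Volume check runs over the aggregated live window, not per record.
    for key, nbytes in volume.items():
        base = baseline.get(key)
        if base and nbytes > VOLUME_MULTIPLIER * base:
            src, dst, port = key
            alerts.append(f"VOLUME_SPIKE {src} -> {dst}:{port} {nbytes}B vs baseline {base}B")
    return alerts


def run_example() -> list[str]:
    """Build the baseline from the learning window and score the live window."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return detect(baseline, parse_flows(LIVE_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point of keying the baseline on the full (source, destination, port) tuple rather than on source alone is the vendor case: an allowlisted remote-support host stays quiet as long as it does what it was onboarded to do, and trips the alert the moment it reaches a PLC on a protocol it never used. In production you would learn the baseline over weeks rather than one window, add time-of-day and protocol-level checks, and feed alerts into the response plan the text describes rather than just printing them.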
We’re continuing to follow this story as details unfold. Schedule a guidance session with us to discuss third-party risk, concentration risk, OT, and UEM at your organization.