Stryker breach makes medical device cybersecurity a boardroom issue
To view our article on the Today’s Medical Developments Magazine website, click here.
Editor's Note: This article originally appeared in the June 2026 print edition of Today's Medical Developments under the headline “What Stryker’s wake-up call means for every medtech CEO”.
At 3:30 a.m. EDT March 11, 2026, Stryker employees across three continents woke up to blank screens. A pro-Iran hacking group called Handala, which multiple threat intelligence firms including CrowdStrike and Microsoft have linked to Iran’s Ministry of Intelligence, had compromised a Microsoft Intune admin account and triggered a mass wipe command across more than 200,000 systems in 79 countries. Manufacturing stopped. Order processing froze. Shipping halted. Maryland’s emergency responders lost access to Stryker’s LifeNet patient data system. It took three weeks to fully restore operations, and the disruption materially impacted Stryker’s first-quarter earnings.
Stryker is far from alone. In April 2026, Medtronic confirmed hackers breached its network, with the ShinyHunters group claiming more than 9 million stolen records. UFP Technologies and TriMed disclosed breaches earlier in the year. According to RunSafe Security’s 2026 Medical Device Cybersecurity Index, 80% of cyberattacks affecting medical devices now disrupt patient care.
The broader healthcare ecosystem is just as exposed. The Change Healthcare ransomware attack in 2024 affected 190 million individuals, disrupted claims processing for 74% of hospitals, and cost UnitedHealth Group an estimated $2.5 billion. Look across all these incidents and a pattern emerges: the exploited weaknesses were preventable. Compromised credentials without multi-factor authentication (MFA). Over-privileged admin accounts. Poor network segmentation. We’re not talking about sophisticated nation-state encryption cracking here. Change Healthcare got breached because someone didn’t turn on MFA. That’s the cybersecurity equivalent of leaving your front door unlocked.
The FDA has drawn a clear line. Section 524B now requires any connected medical device to demonstrate “reasonable assurance of cybersecurity” before reaching market, backed by Software Bills of Materials, secure development frameworks, and the ability to release critical patches within 60 days. The QMSR, effective February 2, 2026, takes it further by formally embedding cybersecurity into quality management through alignment with ISO 13485. Security is now inseparable from design controls, risk management, and post-market surveillance.
The companies succeeding treat security as a design requirement, not an aftermarket add-on. MedCrypt, which builds cybersecurity directly into medical device architecture, has maintained zero FDA rejections on cybersecurity grounds by embedding encryption, authentication, and vulnerability monitoring from the earliest design phase.
Stryker’s experience, also offers a lesson. The company’s architectural separation between IT infrastructure and connected medical products meant a catastrophic administrative wipe didn’t turn into a patient safety crisis. No clinical devices were compromised. That design decision proved its value under the worst possible conditions.
Cybersecurity is also reshaping how medtech deals get done. Research has shown the likelihood of a breach doubles the year before and after a healthcare merger closes, as organizations merge IT systems and operate with temporary workarounds during integration. That risk has made cyber due diligence a required part of any serious acquisition. A weak security posture or breach history now directly affects deal pricing and indemnification clauses.
The flip side is the growing threat has turned medical device cybersecurity into an investment category of its own. The device security market hit $3.46 billion in 2025, and Axonius validated the space with its acquisition of medical device security specialist Cynerio for more than $100 million last July. When acquirers and investors are spending that kind of capital on security solutions, it tells you everything about where the industry sees the risk heading.
I’ve sat across the table from executives who still view cybersecurity as an IT budget line. That mindset is becoming a liability, and increasingly, it shows up in valuation. If your cybersecurity strategy still lives in IT and never makes it to the board agenda, the lesson from Stryker, Medtronic, and Change Healthcare is simple: it’ll eventually make it there, just on someone else’s terms.
