Lessons Learned from the Stryker Cyberattack

The Stryker cyberattack was a large-scale incident that disabled more than 80,000 devices and significantly disrupted operations. Total losses are estimated at $80–$100 million once technology, operational, and legal costs are included. Every healthcare organization can draw practical lessons from this event.


The Iranian group Handala used stolen credentials and then abused internal Microsoft Intune mobile device management (MDM) administrative capabilities to cause damage, rather than deploying traditional malware. Handala combines the technical sophistication associated with nation-state operations with the speed and visibility of a hacktivist group. The healthcare sector’s mix of legacy technology, high-value data, regulatory complexity, and life-saving operations makes it an attractive target for both financially motivated and state-sponsored attackers.


MDM platforms can be among the most dangerous and under-defended attack surfaces in IT infrastructure. Microsoft Intune centralizes control across thousands of endpoints, creating a single control point that can allow complete organizational disruption if compromised. By leveraging core IT infrastructure, Handala was able to shut down and wipe devices across the organization.


Organizations must plan for what happens after perimeter defenses are breached. Steps to reduce risk and limit impact include:


▪ Redundant approvals: Require dual authorization for high-impact actions such as remotely wiping devices.

▪ Isolation and segmentation: Separate IT and device-management infrastructure where possible to reduce blast radius and contain compromise.

▪ Ongoing monitoring: Monitor and alert on administrative actions, and detect abnormal patterns (for example, sudden spikes in wipe commands).
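
One way to implement the wipe-spike detection from the monitoring step is a sliding-window count per administrator and across the whole organization. This is an added example, not code from the original post or from Microsoft; the event field names (`time`, `actor`, `action`), the thresholds, and the sample records are all constructed assumptions rather than a real MDM audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ev(minute, actor, action):
    # Constructed audit record; field names are assumptions, not a real MDM schema.
    return {"time": datetime(2025, 1, 1, 9, 0) + timedelta(minutes=minute),
            "actor": actor, "action": action}

# Constructed sample data: admin-a wipes two devices an hour apart,
# admin-b issues six wipes within five minutes.
SAMPLE_EVENTS = (
    [ev(0, "admin-a", "wipe"), ev(5, "admin-a", "sync"), ev(60, "admin-a", "wipe")]
    + [ev(300 + i, "admin-b", "wipe") for i in range(6)]
    + [ev(302, "admin-b", "sync")]
)

ALL_ACTORS = "*"  # pseudo-actor used for the organization-wide counter

def find_wipe_spikes(events, window=timedelta(minutes=10),
                     per_actor_threshold=5, org_threshold=20):
    """Alert once per actor (and once org-wide) when the number of wipe
    commands inside the sliding window reaches the threshold."""
    recent = defaultdict(deque)   # key -> timestamps of wipes still in the window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["action"] != "wipe":
            continue
        # Count each wipe twice: against its actor and against the whole org,
        # so a spike spread over several admin accounts is still caught.
        for key, limit in ((e["actor"], per_actor_threshold),
                           (ALL_ACTORS, org_threshold)):
            q = recent[key]
            q.append(e["time"])
            while e["time"] - q[0] > window:   # drop wipes older than the window
                q.popleft()
            if len(q) >= limit and key not in alerted:
                alerted.add(key)
                alerts.append({"actor": key, "count": len(q),
                               "first": q[0], "last": e["time"]})
    return alerts

if __name__ == "__main__":
    for a in find_wipe_spikes(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} wipes "
              f"between {a['first']} and {a['last']}")
```

Thresholds should be tuned against the organization's normal wipe volume, since routine device retirement also produces wipe commands.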


Cybersecurity must be treated as an ongoing investment, not a one-time project. A continuous focus on risk, effective controls, and which applications and data are in use is essential to maintaining organizational operations and reducing the risk of costly disruptions.
