
Stryker cyberattack alarms health systems

The attack on the global medical device tech company, claimed by a pro-Iran hacktivist organization, used Microsoft software to wipe more than 200,000 devices. Michigan hospitals are reportedly taking precautions, such as using backup communications.
By Andrea Fox, Senior Editor

[Photo: Medical devices in a hospital room. Martin Barraud/Getty Images]

Due to a cyberattack on Stryker's Microsoft environment on Wednesday, Michigan health systems that use the company's medical devices may have taken some equipment made by the company offline, local reports said.

One cybersecurity expert offers health systems supply-chain cyber risk advice. 

WHY IT MATTERS

The attack on Kalamazoo, Michigan-based Stryker is believed to have been perpetrated by the pro-Iranian hacktivist group Handala, which has claimed responsibility, as a response to actions related to the Iran war, according to a report by KrebsOnSecurity.

The threat actors erased data from more than 200,000 systems, servers and mobile devices. A source told KrebsOnSecurity the remote attack appears to have used Microsoft Intune's unified, web-based administrative console to wipe all devices connected to it.

While Stryker said it has "no indication of ransomware or malware and believes the incident is contained," in a compliance report filed with the U.S. Securities and Exchange Commission on March 11, "the incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions."

The company asked its Portage, Michigan, employees to stay off its network, refrain from using computers and stay off WiFi until systems could be restored, according to Fox 17 news.

A sign on the company's facility door said: "For work phones it's recommended to remove the Stryker Management profile," that report said.

The Michigan Department of Health and Human Services said some hospitals are taking precautions, according to a report by CBS News affiliate WWMT. We've reached out to the department for further details and will update this story if they are provided.

Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency, told Healthcare IT News that the agency has opened an investigation despite the ongoing partial shutdown of the Department of Homeland Security.

"We are working shoulder-to-shoulder with our public- and private-sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker, while steadfastly standing at the ready to defend our nation's critical infrastructure," Andersen said on Friday by email.

No further details about healthcare sector-specific alerts or mitigation actions for medical devices, operating systems and/or specific software have been provided at this time.

At this time, the threat from pro-Iranian threat actors focuses on destruction, and a single vendor compromise can cascade across hundreds of health systems, said Dave Bailey, vice president of consulting at Clearwater Security.

"Healthcare security teams should treat the incident as a supply-chain cyber risk event, emphasizing vendor access management, network segmentation for medical devices and continuity planning for clinical technology services," he said by email on Friday.

He recommended that healthcare entities' mitigation and monitoring actions include:

  • Restrict or closely monitor connectivity between hospital networks and Stryker-managed systems, applications or vendor support channels until full remediation and assurance are provided.
  • Verify the operational status of medical devices and ensure fallback or downtime procedures are available in case vendor connectivity or support services are disrupted.
  • Review endpoint security controls for devices running Windows or mobile device management software tied to vendor environments, given reports of remote device wiping affecting connected endpoints.
  • Monitor vendor communications and sector advisories for updates on vulnerabilities, patching requirements or device-specific guidance.
  • Maintain heightened vigilance for phishing, credential theft or supply-chain compromise attempts that could leverage the disruption as a pretext.
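The attack reportedly used the MDM administrative console to issue wipe commands to every enrolled device, and the third recommendation above asks teams to review endpoint and mobile device management controls tied to vendor environments. One concrete monitoring control that follows from both is alerting when a single administrative identity issues destructive device actions (wipe, retire, delete) against many distinct devices in a short window, which is not how routine helpdesk work looks. The script below is an added example written for this article, not Stryker's, Microsoft's or Clearwater's code. It assumes a normalised JSON-lines audit feed with the fields ts, actor, action and device (an assumed schema, not any product's native export); the log lines are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an MDM admin audit feed in JSON-lines form.
# The field names (ts, actor, action, device) are an assumed normalised
# schema for this example, not the native format of any specific product.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-03-11T03:00:05Z", "actor": "helpdesk1@example-hospital.test", "action": "syncDevice", "device": "D-1001"}
{"ts": "2026-03-11T03:02:10Z", "actor": "helpdesk1@example-hospital.test", "action": "wipe", "device": "D-1002"}
{"ts": "2026-03-11T03:10:00Z", "actor": "svc-mdm-admin@example-hospital.test", "action": "wipe", "device": "D-2001"}
{"ts": "2026-03-11T03:10:01Z", "actor": "svc-mdm-admin@example-hospital.test", "action": "wipe", "device": "D-2002"}
{"ts": "2026-03-11T03:10:01Z", "actor": "svc-mdm-admin@example-hospital.test", "action": "retire", "device": "D-2003"}
{"ts": "2026-03-11T03:10:02Z", "actor": "svc-mdm-admin@example-hospital.test", "action": "wipe", "device": "D-2004"}
{"ts": "2026-03-11T03:10:03Z", "actor": "svc-mdm-admin@example-hospital.test", "action": "wipe", "device": "D-2005"}
{"ts": "2026-03-11T03:10:04Z", "actor": "svc-mdm-admin@example-hospital.test", "action": "wipe", "device": "D-2006"}
{"ts": "2026-03-11T04:30:00Z", "actor": "helpdesk1@example-hospital.test", "action": "wipe", "device": "D-1003"}
"""

# Actions that remove data or management from an endpoint; adjust to the
# action vocabulary of the audit source actually in use.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}


def parse_audit_log(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware ts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_bulk_destructive_actions(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor who issued destructive actions against at
    least `threshold` distinct devices inside any sliding `window`.

    Each alert reports the largest qualifying burst for that actor."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in per_actor.items():
        start = 0
        best = None
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            devices = {x["device"] for x in evs[start:end + 1]}
            if len(devices) >= threshold and (best is None or len(devices) > best["device_count"]):
                best = {
                    "actor": actor,
                    "device_count": len(devices),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_destructive_actions(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"ALERT: {alert['actor']} issued destructive actions on "
              f"{alert['device_count']} devices between {alert['first']} and {alert['last']}")
```

In the sample, the helpdesk account's two wipes are 88 minutes apart and never trip the threshold, while the service account's six destructive actions in five seconds do. The threshold and window are deliberately parameters: a fleet where imaging teams retire dozens of devices per day needs a higher threshold or an allow-list of known bulk-operation identities, and the alert is most useful when it feeds a runbook that pauses further commands from that identity until a human confirms them.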

THE LARGER TREND

Sen. Gary Peters, D-Michigan, told WWMT that the cyberattack "signals the real-world threats that communities face because of President Trump's war in Iran." Peters criticized the Trump administration for funding cuts to federal cybersecurity programs that monitor threats to critical systems like healthcare and that would warn constituents about the threat of retaliation from Iran.

As part of CISA's Common Vulnerabilities and Exposures program contract, which is set to expire next month, the agency has warned critical sectors for several years about cyber threat actors affiliated with Iran and the Iranian government’s Islamic Revolutionary Guard Corps.

The Trump administration has "gutted the counterterrorism and cyber defense programs that are meant to identify potential attacks and help communities respond to them if they occur," Peters said in a statement shared Thursday with the news affiliate. "We have a duty to help our communities defend against the threats they face," he said.

ON THE RECORD

"While we never want situations like this to occur, we plan for these moments," said Stryker CEO Kevin Lobo in an open letter to employees on Thursday. "Our mitigation protocols were quickly activated to protect our employees, our sites and most importantly, our customers and the patients they serve."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.