What health systems learned from the Stryker cyberattack

The recent cyberattack on medtech company Stryker must serve as a “wake-up call” about hackers’ evolving tactics, even as it illustrates a “new normal” in healthcare, health system leaders told Becker’s.

Hackers disrupted the firm’s internal Microsoft environment March 11, causing health systems to evaluate their exposure and, in some cases, restrict connectivity to the devices. The company noted that the incident “did not affect any of our products — connected or otherwise” and did not involve ransomware or malware.

“The recent incident underscores the importance of third-party risk management, resiliency, and identity management,” said Steven Ramirez, vice president and chief information security and technology officer of Reno, Nev.-based Renown Health. “As cybersecurity teams increasingly rely on tools to protect systems and automate internal tasks, it is critical to ensure those systems are properly secured so they cannot be used against us. This incident also serves as a clear wake-up call regarding the near-term use of AI by attackers.”

In a March 15 update, Stryker said all of its products are safe to use. The firm manufactures a variety of surgical platforms, implants and smart hospital devices.

“It is completely safe for Stryker sales representatives to be on-site in hospitals and facilities,” the company said. “It is also safe for you to communicate by phone or email with Stryker personnel.”

An Iranian-linked cybercriminal group reportedly claimed responsibility for the hack (though Stryker has not confirmed this).

After the cyberattack, Loma Linda (Calif.) University Health changed how it manages access to its Microsoft 365 and Intune platforms, said Patrick Voon, executive director of information security.

“Even if the security incident did not impact us from a data breach perspective and did not pose any imminent threat to us, we were able to learn from it and make the necessary improvements in our own environment to prevent a similar exploit from happening to us,” he said.

Health systems plan for third-party cybersecurity incidents, as they have been increasing in recent years as organizations rely on more technology vendors and improve their internal cybersecurity.

“This increases the importance of our resiliency practices like downtime procedures and cross communications throughout the organization to keep clinical leaders and care providing teams aware of immediate impacts and engaged in continuity of care delivery,” said Jack Kufahl, chief information security officer of Ann Arbor-based Michigan Medicine. “It could be that this is the new normal that we all must adapt to address as a sector.”

Dennis Leber, PhD, chief information security officer of Chattanooga, Tenn.-based Erlanger Health System, said the event highlights the need to elevate cybersecurity to a completely separate business function, not just a part of IT.

“Third-party and supply chain management lives with cybersecurity, but must be incorporated into the overall enterprise risk management program,” he said.

Cybersecurity executives must “lead with confidence” during situations like this and be willing to collaborate both “internally and externally,” Dr. Leber said.

“Downtime procedures must be practiced before an event occurs,” he added. “Do not have unanswered questions that we should absolutely know the answers to.”

The post What health systems learned from the Stryker cyberattack appeared first on Becker’s Hospital Review | Healthcare News & Analysis.