What the Stryker Attack Actually Means for Medical Device Companies
The Stryker wiper attack exposed the gap between FDA compliance and operational resilience. Here's what medical device companies should actually do about it.
The Stryker attack has generated a lot of coverage this week. Most of it focuses on the headline: pro-Iranian hackers, thousands of devices wiped, a major medical device manufacturer disrupted. RAPS is already asking whether this changes how FDA will think about cybersecurity requirements going forward.
Here's what most of the coverage is missing.
This wasn't ransomware. That matters.
Ransomware has a logic to it. The attacker wants payment. That means they need you to be able to operate well enough to negotiate and pay. There's a perverse restraint built into the model.
A wiper attack has no such restraint. The goal is maximum destruction. There's no ransom demand, no negotiation window, no decryption key waiting if you pay. You lose the data and the systems, and the attacker walks away with nothing except the disruption itself. For nation-state actors tied to geopolitical objectives, that's exactly the point.
Most device companies are building their cybersecurity posture around FDA's 524B requirements: SBOMs, premarket submission documentation, post-market vulnerability monitoring, a plan for coordinated disclosure. That's the right foundation. But 524B was written to protect patient safety from device vulnerabilities. It wasn't written to defend against an adversary who wants to wipe your manufacturing infrastructure off the map.
FDA compliance and operational resilience are two different problems.
If your regulatory affairs team has your cybersecurity documentation in order but your IT team doesn't have an incident response plan that covers destructive attacks, you have a gap. A significant one.
Stryker said the damage is contained. That's good. It also means they had the incident response capability to contain it, which is exactly what most smaller device companies and SaMD startups do not have.
The companies most at risk right now are in the $10M-$100M range: too large to be invisible, too small to have dedicated security operations, and increasingly connected enough to be attractive targets. Many of them have spent the last two years building out their FDA cybersecurity documentation for 510(k) submissions. That work matters. But it's not the same as having an incident response plan that accounts for a wiper.
What you should actually do this week
A few concrete things worth doing right now:
First, check whether you have an incident response plan that covers destructive attacks specifically. Skip the boilerplate ransomware scenarios and the "contact the ISAC" language. You need a real playbook for what happens when someone wipes your systems.
Second, make sure you know what your critical business systems are and how long recovery takes from backup. If the answer is "we're not sure" or "weeks," that's the gap to fix.
Third, if you're currently building your premarket cybersecurity documentation for an FDA submission, don't treat it as your security strategy. The two overlap, but your submission package won't protect you from a Handala Team. Your security architecture will.
The readiness question
We built CyberMed's readiness assessment to help device companies understand where they stand against FDA's 524B requirements. That's still the right starting point for most clients.
But the Stryker attack is a reminder that the compliance floor is just that: a floor. What happens after your submission clears is a different conversation. One that more companies should be having now, before an incident forces it.
If you haven't looked at your cybersecurity posture recently, our readiness assessment is a fast way to see where the gaps are. It takes about 10 minutes and gives you a score with specific recommendations.
Jose Bohorquez is the founder of CyberMed, a medical device cybersecurity consulting firm specializing in FDA premarket submissions, penetration testing, and cybersecurity risk assessments for SaMD companies and connected device manufacturers.