
Building a Reactive Risk Program: Dynamic Posture and Resilience in Healthcare Cybersecurity
Published On March 12, 2026
by Morgan Hague | Sr. Manager, IT Risk Management & AI Security Lead
The current geopolitical environment has elevated cyber risk for U.S. healthcare and MedTech organizations beyond baseline levels. Following the outbreak of a novel conflict in the Middle East on February 28, 2026, multiple federal agencies, including CISA, the FBI, and the NSA, issued advisories warning that nation-state-affiliated cyber actors may target U.S. critical infrastructure in retaliation. Health-sector organizations were explicitly named as a high-priority concern.[1][2][3]
In a significant escalation of geopolitical cyber warfare, Michigan-based medical technology giant Stryker has been hit by a massive, global system outage. The attack, which began shortly after midnight on March 11, 2026, has reportedly paralyzed the company's operations across 61 countries, affecting its 56,000-strong workforce and raising serious concerns about the global healthcare supply chain.
The Attack: Destructive “Wiper” Malware
Unlike typical ransomware attacks where hackers encrypt data to demand a fee, early reports suggest this was a destructive wiper attack.
- System Wiping: Employees worldwide reported that corporate laptops, mobile phones, and servers were remotely wiped, permanently erasing data and operating systems.
- The Defacement: Login screens on affected Windows devices were reportedly replaced with the logo of Handala, a hacking group linked to Iranian interests.
- Scale of Impact: The group has claimed on social media to have wiped over 200,000 systems and exfiltrated 50 terabytes of sensitive data.
Who is Handala?
Cybersecurity analysts identify Handala as a “faketivist” group, a front for sophisticated, state-sponsored cyber operations. The group has been linked to Iran’s Ministry of Intelligence (and the threat actor known as Void Manticore).
The timing of the attack appears to be a direct reprisal for recent U.S. and Israeli military actions against Iran. Handala publicly stated the hack was retaliation for recent actions in the region, signaling that the digital front of the conflict is targeting critical infrastructure and major Western corporations.
Global Operational Fallout
The outage has had immediate and severe consequences for Stryker’s internal operations:
- Manufacturing Shutdowns: In Ireland, home to Stryker’s largest manufacturing hub outside the U.S., thousands of workers were sent home as production systems for orthopedic implants and surgical tools went dark.
- Employee Lockdown: Stryker issued urgent alerts instructing staff to disconnect all company-issued hardware from the internet and to avoid powering on any devices to prevent further spread.
- Supply Chain Risks: Because Stryker is a leading provider of everything from robotic surgery systems to hospital beds, a prolonged outage could cause a “cascade effect” in hospitals that rely on its equipment for daily surgeries and patient care.
What’s Next?
Stryker has officially confirmed the “global network disruption” and stated they are working with external experts, including Microsoft and national security agencies (such as Ireland’s National Cyber Security Centre), to contain the breach.
While the company claims it has “no indication of ransomware” and believes the incident is contained, the destructive nature of wiper malware means that “restoring” systems is not a simple matter of decrypting files; it often requires a total rebuild of the IT infrastructure from the ground up.
As the conflict in the Middle East spills into the digital realm, this incident serves as a stark reminder that the healthcare sector is now a primary target in the theater of modern cyber warfare.
Why Static Programs Fail in Dynamic Threat Environments
This incident reflects a broader pattern. A March 2026 CyberCube analysis found that 12% of large U.S. firms, including 28 healthcare organizations, are among the most vulnerable to Iran-linked attacks. Handala has previously claimed attacks against fuel systems in Jordan and an Israeli energy exploration company. Handala’s observed tactics include supply-chain footholds through IT and service providers, followed by amplification through public disclosure.[4][5]
This is not an isolated data point. It is consistent with a years-long trend of nation-state affiliated cyber actors demonstrating both the intent and capability to target U.S. healthcare and critical infrastructure, and it reinforces a broader principle that healthcare security programs must recognize: threat likelihood is not a constant.
Most enterprise risk programs are designed around periodic assessment cycles: annual or semi-annual reviews that capture an organization’s risk at a single point in time. This model alone is structurally limited. The inputs that drive risk, particularly the likelihood that a given threat will materialize, change based on factors entirely outside an organization’s control.
Geopolitical events illustrate this clearly. When Russia launched its full-scale invasion of Ukraine in February 2022, CISA’s “Shields Up” campaign and HC3 advisories alerted the healthcare sector to a meaningfully elevated risk of spillover from Russian state-sponsored cyber operations. The advisory landscape shifted overnight, but for organizations whose risk programs could not reflect that shift until the next scheduled review cycle, the window for proactive response was effectively lost.[6][7]
The same dynamic is at play today. In June 2025, joint advisories from the FBI and CISA warned that Iranian-linked actors were actively targeting vulnerable U.S. networks. In October 2024, CISA had already profiled Iranian threat actor tactics specific to healthcare, including password spraying against Microsoft 365 environments, MFA push-bombing, exploitation of unpatched VPN appliances, and spear-phishing targeting both clinical and administrative staff. These advisories provide advance indicators of intent, but only organizations whose risk programs are structured to act on them benefit from that forewarning.[8][9]
An additional structural consideration has emerged in early 2026: CISA, which has historically provided direct coordination and early warning support to the health sector, is currently operating with reduced capacity. Organizations should not assume the same level of external backstop that has previously been available, reinforcing the case for internally-driven, intelligence-informed risk management.[10]
Principles of a Dynamic Risk Posture
A dynamic risk posture does not require replacing existing frameworks. NIST CSF 2.0, HIPAA Security Rule requirements, and HITRUST CSF assessments all accommodate and implicitly expect that risk ratings are revisited in response to material changes in the threat environment. What is required is the operational infrastructure to act on that expectation.
The following principles provide a practical foundation.
Threat-informed risk tagging. Risk items in your register should be associated with relevant threat actor profiles and attack vectors. When an advisory references a specific tactic or actor, you should be able to immediately identify which existing risks are implicated. Without this linkage, advisories become informational rather than actionable.
Pre-defined likelihood adjustment criteria. Establish documented thresholds that trigger out-of-cycle likelihood reviews; for example, a CISA advisory naming your sector, a confirmed wiper or ransomware attack against a peer organization, or a significant geopolitical escalation involving a known adversary. These criteria remove ambiguity and enable faster response.
Clear escalation and decision authority. Out-of-cycle risk adjustments require defined governance. Who has authority to elevate a risk score? What threshold triggers executive notification or board reporting? These questions should be answered in policy before an incident occurs.
Continuous feed integration. Threat intelligence inputs, including H-ISAC advisories, CISA KEV updates, and FBI Private Industry Notifications, should feed directly into risk program workflows rather than sitting in inboxes awaiting triage.
‘Threat-aligned’ security can take many forms and can be implemented without breaking the bank for organizations of all sizes. Open-source toolkits like MITRE’s ATT&CK and similar offerings make it possible to map your key risks, systems, and other data points without a formally established threat intelligence function. Realizing these benefits without impacting other existing commitments is a critical goal for organizations new to dynamic risk management.
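The four principles above (threat-informed tagging, pre-defined adjustment criteria, decision thresholds, and feed integration) fit together as one small workflow. The following Python is an added illustration written for this page; it is not code from the original post, from Meditology, or from any tool the post mentions. Risk entries are tagged with ATT&CK technique IDs (T1110.003 Password Spraying, T1621 Multi-Factor Authentication Request Generation, T1190 Exploit Public-Facing Application, T1485 Data Destruction, T1072 Software Deployment Tools are real technique IDs; the actor labels, risk IDs, scores, and the executive-notification threshold are constructed samples), an incoming advisory is matched against those tags, and the documented trigger criteria decide whether an out-of-cycle likelihood review is opened and which adjusted scores cross the escalation threshold.

```python
"""Threat-informed risk register with advisory-driven out-of-cycle review.

Added example, not part of the original post. All risk IDs, actor labels,
scores and thresholds are constructed for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD_SCALE = ("rare", "unlikely", "possible", "likely", "almost certain")
OUR_SECTOR = "healthcare"
EXEC_NOTIFY_THRESHOLD = 20  # constructed policy value: score at/above this is reported to executives


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: str   # one value from LIKELIHOOD_SCALE
    impact: int       # 1 (negligible) .. 5 (patient-safety / enterprise-wide)
    techniques: set   # ATT&CK technique IDs the risk is tagged with
    actors: set       # threat-actor labels (constructed) the risk is tagged with


@dataclass
class Advisory:
    source: str
    sectors: set
    techniques: set
    actors: set
    peer_incident: bool = False           # confirmed wiper/ransomware attack on a peer org
    geopolitical_escalation: bool = False  # significant escalation involving a known adversary


def risk_score(risk):
    """Simple likelihood x impact score on a 1..25 scale."""
    return (LIKELIHOOD_SCALE.index(risk.likelihood) + 1) * risk.impact


def raise_likelihood(risk, steps=1):
    """Move likelihood up the scale, capped at the top value."""
    i = LIKELIHOOD_SCALE.index(risk.likelihood)
    risk.likelihood = LIKELIHOOD_SCALE[min(i + steps, len(LIKELIHOOD_SCALE) - 1)]


def review_triggers(advisory):
    """Pre-defined, documented criteria that open an out-of-cycle review."""
    reasons = []
    if OUR_SECTOR in advisory.sectors:
        reasons.append("advisory names our sector")
    if advisory.peer_incident:
        reasons.append("confirmed destructive attack against a peer organization")
    if advisory.geopolitical_escalation:
        reasons.append("significant geopolitical escalation involving a known adversary")
    return reasons


def implicated_risks(register, advisory):
    """Risks whose technique or actor tags overlap the advisory, with the overlap."""
    hits = []
    for risk in register:
        matched = (risk.techniques & advisory.techniques) | (risk.actors & advisory.actors)
        if matched:
            hits.append((risk, matched))
    return hits


def process_advisory(register, advisory):
    """Apply the review workflow; returns one action record per implicated risk."""
    reasons = review_triggers(advisory)
    if not reasons:
        return []  # informational only: file it, change nothing
    actions = []
    for risk, matched in implicated_risks(register, advisory):
        before = risk_score(risk)
        raise_likelihood(risk)          # the out-of-cycle adjustment itself
        after = risk_score(risk)
        actions.append({
            "risk_id": risk.risk_id,
            "matched": sorted(matched),
            "score_before": before,
            "score_after": after,
            "escalate_to_exec": after >= EXEC_NOTIFY_THRESHOLD,
            "reasons": reasons,
        })
    return actions


def build_sample_register():
    """Constructed sample register (fresh copy each call so runs do not accumulate)."""
    return [
        Risk("R-01", "Password spraying against M365 tenant", "possible", 4,
             {"T1110.003", "T1621"}, {"IRAN-LINKED"}),
        Risk("R-02", "Exploitation of unpatched VPN appliance", "possible", 5,
             {"T1190"}, {"IRAN-LINKED", "RANSOMWARE-CRIME"}),
        Risk("R-03", "Wiper pushed through endpoint management platform", "unlikely", 5,
             {"T1485", "T1072"}, set()),
        Risk("R-04", "Loss of unencrypted laptop", "likely", 2, set(), set()),
    ]


# Constructed sample advisory: names our sector, reports a peer incident, escalation
SAMPLE_ADVISORY = Advisory(
    source="joint advisory (constructed sample)",
    sectors={"healthcare", "energy"},
    techniques={"T1110.003", "T1621", "T1190"},
    actors={"IRAN-LINKED"},
    peer_incident=True,
    geopolitical_escalation=True,
)
# Constructed advisory that meets no trigger: another sector, no peer incident
INFORMATIONAL_ADVISORY = Advisory(
    source="sector note (constructed sample)",
    sectors={"energy"}, techniques={"T1190"}, actors=set(),
)


def run_sample():
    return process_advisory(build_sample_register(), SAMPLE_ADVISORY)


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

R-03 (the wiper scenario) is tagged only with techniques the sample advisory does not name, so it is untouched here; in a real register it would carry the actor tag of whichever group the organization tracks for destructive attacks, which is exactly the kind of linkage the tagging principle asks for.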
Shifting Towards Program Resilience
Dynamic risk management improves an organization’s ability to prioritize and prepare. But no program can prevent every attack. The Stryker incident is a useful illustration of how a single compromised administrative function can translate into widespread operational disruption. Moody’s has noted that ransomware and data-wiping attacks are “particularly impactful from a ratings standpoint because of their ability to degrade critical services and weaken the trust relationship with customers”. For healthcare organizations, that degradation has direct patient safety implications.[4][5]
This is why resilience, the ability to maintain operations and recover rapidly in the face of a successful attack, must be treated as a parallel investment to risk reduction, not a downstream priority.
Protect availability as a first-order concern. In healthcare, the inability to access clinical systems carries immediate potential for patient harm. Resilience investments should be sequenced accordingly: network segmentation, redundant connectivity, offline backup capabilities, and documented manual fallback procedures warrant prioritization over controls that address lower-impact scenarios.
Test recovery under realistic conditions. Backup and disaster recovery capabilities that have not been validated under realistic attack scenarios provide limited assurance. Immutable, air-gapped backups are a necessary safeguard, particularly given that device-management platforms like Intune, if compromised, may affect managed backup endpoints as well. Recovery exercises should stress-test operational continuity, not just technical restoration.[4]
Harden identity infrastructure. The tactic profile for Iranian-linked actors consistently includes credential-based initial access: password spraying, MFA bypass, and privilege escalation. Enforcing phishing-resistant MFA, auditing administrative accounts, applying least-privilege access principles, and monitoring for anomalous authentication behavior are both preventive and resilience-oriented measures that reduce the blast radius of an initial compromise.[9][11]
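"Monitoring for anomalous authentication behavior" is concrete enough to show in code. The Python below is an added example for this page, not code from the original post or from any vendor, and it implements two of the detections the tactic profile above calls for: password spraying (one source IP failing against many distinct accounts inside a short window) and MFA push-bombing (many MFA challenges to one account in a short window, with a note of whether one was approved during the burst). The CSV sign-in format, field names, user names, IP addresses, and thresholds are all constructed for the example rather than taken from any identity provider's log schema.

```python
"""Password-spray and MFA push-bombing detection over sign-in events.

Added example, not part of the original post. The log format and every
value in SAMPLE_EVENTS_CSV are constructed; the IPs are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: timestamp,user,source_ip,result,mfa_prompted
SAMPLE_EVENTS_CSV = """\
2026-03-11T00:05:01Z,a.nurse,203.0.113.9,failure,no
2026-03-11T00:05:04Z,b.doctor,203.0.113.9,failure,no
2026-03-11T00:05:09Z,c.admin,203.0.113.9,failure,no
2026-03-11T00:05:13Z,d.tech,203.0.113.9,failure,no
2026-03-11T00:05:18Z,e.billing,203.0.113.9,failure,no
2026-03-11T00:05:22Z,f.pharm,203.0.113.9,failure,no
2026-03-11T08:00:00Z,a.nurse,198.51.100.20,failure,no
2026-03-11T08:00:30Z,a.nurse,198.51.100.20,success,yes
2026-03-11T12:00:00Z,h.admin,192.0.2.77,mfa_denied,yes
2026-03-11T12:00:20Z,h.admin,192.0.2.77,mfa_denied,yes
2026-03-11T12:00:40Z,h.admin,192.0.2.77,mfa_denied,yes
2026-03-11T12:01:00Z,h.admin,192.0.2.77,mfa_denied,yes
2026-03-11T12:01:20Z,h.admin,192.0.2.77,mfa_denied,yes
2026-03-11T12:01:40Z,h.admin,192.0.2.77,mfa_denied,yes
2026-03-11T12:02:00Z,h.admin,192.0.2.77,success,yes
"""


def parse_events(text):
    """Parse the constructed CSV into time-ordered dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result, mfa = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result, "mfa": mfa == "yes",
        })
    return sorted(events, key=lambda e: e["ts"])


def first_burst(evs, window, threshold, count):
    """First time-ordered run of events fitting inside `window` with count(run) >= threshold,
    extended to every later event still inside that window; None if no run qualifies."""
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        if count(evs[start:end + 1]) >= threshold:
            last = end
            while last + 1 < len(evs) and evs[last + 1]["ts"] - evs[start]["ts"] <= window:
                last += 1
            return evs[start:last + 1]
    return None


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source IP, failed sign-ins against >= min_accounts distinct users in `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        burst = first_burst(evs, window, min_accounts, lambda run: len({x["user"] for x in run}))
        if burst:
            alerts.append({"type": "password_spray", "ip": ip,
                           "accounts": sorted({x["user"] for x in burst})})
    return alerts


def detect_mfa_push_bombing(events, window=timedelta(minutes=5), min_prompts=5):
    """One user, >= min_prompts MFA challenges in `window`; flags an approval inside the burst."""
    by_user = defaultdict(list)
    for e in events:
        if e["mfa"]:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        burst = first_burst(evs, window, min_prompts, len)
        if burst:
            alerts.append({"type": "mfa_push_bombing", "user": user, "prompts": len(burst),
                           "approved_during_burst": any(x["result"] == "success" for x in burst)})
    return alerts


def run_sample():
    events = parse_events(SAMPLE_EVENTS_CSV)
    return detect_password_spray(events) + detect_mfa_push_bombing(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single mistyped password from a.nurse at 08:00 and the one legitimate MFA prompt that follows it trigger nothing, while the burst against h.admin is flagged with `approved_during_burst` set, which is the case that warrants an immediate session revocation and credential reset rather than a ticket.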
Extend resilience to third parties. Handala’s documented preference for supply-chain footholds through IT and service providers is directly relevant to healthcare organizations that rely heavily on managed service providers, EHR vendors, and medical device support ecosystems. Vendor access should be scoped, monitored, and terminable at short notice. Contractual resilience obligations and incident notification timelines should be reviewed.[11][4]
Account for cyber insurance limitations. Organizations should consult with their brokers and legal counsel regarding war exclusion clauses in cyber insurance policies. Moody’s has specifically noted that attacks linked to a military conflict may trigger coverage challenges, potentially shifting costs directly to the organization’s balance sheet.[5]
Recommended Immediate Actions
Given the current advisory environment, organizations should take the following steps regardless of where they are in their assessment cycle:
- Review and update threat likelihood scores for risks associated with credential-based attacks, device management platform abuse, and supply-chain compromise.
- Verify MFA coverage across administrative accounts, remote access entry points, and cloud management consoles, with particular attention to phishing-resistant implementations.
- Audit privileged access to endpoint management and device enrollment platforms, restricting scope to the minimum necessary.
- Validate backup integrity and recoverability, including confirming that backup environments are not reachable from endpoints enrolled in managed device platforms.
- Review vendor access controls and confirm that third-party remote access sessions are monitored and terminable.
- Engage H-ISAC and relevant ISACs for sector-specific threat intelligence in the absence of full CISA operational capacity.
How Meditology Supports Dynamic and Resilience-Focused Programs
Where organizations face the challenge of translating advisory signals, like those currently in circulation regarding Iranian-linked threat activity, into concrete program adjustments, we help establish the governance structures, likelihood modeling frameworks, and escalation pathways that make that translation possible.
Our assessments explicitly evaluate the degree to which an organization’s risk program can flex in response to changing conditions, and our resilience evaluations examine recovery capability, third-party dependency exposure, and clinical downtime procedure maturity at a department level.
For organizations seeking to mature their programs in response to the current threat environment, we recommend beginning with a structured gap assessment that evaluates both risk posture flexibility and operational resilience, with outputs prioritized against the threat actor profiles most relevant to your organization’s sector, size, and technology environment.
How Prepared is Your Organization?
The attack on Stryker is a sober reminder that cybersecurity mandates proactive risk management and has ultimately morphed into a game of survival. When state-sponsored actors deploy wiper malware or similar destructive mechanisms, the goal is total disruption of the healthcare delivery mission.
Is your organization ready to withstand a high-impact “black swan” event?
Meditology Services is here to help you move beyond basic compliance and toward true operational resilience. Our experts specialize in preparing healthcare entities for the unthinkable through:
- Risk Program Development: Apply the principles of dynamic risk and scale your program to an executive level with intelligent design and efficient mechanisms.
- Incident Response Preparedness: We help you build and refine robust playbooks that account for destructive malware and total system loss.
- Executive Tabletop Exercises: We facilitate high-stakes simulations to ensure your leadership team is prepared to make critical decisions under pressure.
- Supply Chain Risk Management: We assist in identifying and mitigating the “cascade effect” risks posed by outages at critical vendors and MedTech partners.
Attacks like this are happening more and more frequently, and no organization is immune to these evolving global threats. Let’s work together to ensure you are prepared for whatever comes next.
Get in touch today to learn how Meditology Services can be your partner in keeping your organization secure and resilient!
About the Author
Morgan Hague | Sr. Manager, IT Risk Management & AI Security Lead
Morgan is an experienced security and emerging technologies consultant, with varied expertise across information security, organizational governance, and IT audit practices. As the leader of the Security Risk Assessment and Strategic Risk Transformation service lines at Meditology, he has led and contributed to hundreds of consulting engagements across public and private entities.
Since 2019, he has served as lead architect and product owner of an innovative risk quantification, analysis, and reporting solution utilizing MITRE ATT&CK and similar authoritative sources to establish a data-driven and dynamic mechanism to assess, report on, and manage organizational risk – supporting a variety of premier healthcare organizations, including the nation’s largest hospital system. Morgan is currently the President of InfraGard Atlanta, and an effort lead for OWASP’s AI Security Guide.
Resources
This article references information current as of March 11, 2026. The Stryker incident cited herein is developing; organizational details may be updated as further information becomes available.