
CISO Brief April 2026: Cybersecurity Threat Recap & Key Insights

The high-profile cybersecurity incident at Stryker last month was a sharp reminder that cybersecurity events do not need to directly impact connected medical devices to still disrupt patient care. On March 11, Stryker disclosed a cyberattack that caused a global disruption to parts of its Microsoft environment, affecting order processing, manufacturing, and shipping. While the company stated its products remained safe to use, public reporting later indicated that some patient-specific procedures were rescheduled due to delays.

This month’s CISO Brief examines what the Stryker incident exposed about third-party risk and why healthcare leaders should treat vendor resilience as a continuity issue, not just a procurement or compliance exercise.

What Stryker Exposed About Third-Party Risk

Why It Matters Now

Managing third-party cyber risk is a matter of resilience and continuity, not merely a vendor management exercise. When a key partner encounters difficulties, the repercussions can quickly affect workflows, communications, and patient care. While awareness of these issues is increasing, proactive measures are still lagging.

In recent polling of healthcare IT leaders in March, we found that while most were concerned about the incident, only 14 percent had moved quickly to implement any changes in response.

When it comes to third-party risk management (TPRM), concern is rising faster than action. Awareness is positive, but on its own it is not enough.

Stryker Is Not Alone

The Stryker incident was not an isolated event. Intuitive Surgical, a leader in minimally invasive care and robotic-assisted surgery, also reported that an unauthorized third party accessed information from certain internal IT business applications through a targeted phishing incident. Intuitive stated that its products, customer operations, manufacturing environment, and hospital customer networks were not affected. That distinction matters. It shows the value of segmentation and reinforces that not all vendor incidents produce the same operational outcome. 

What Must Leaders Know About Third-Party Risk?

Building resilience means identifying critical dependencies, understanding where single points of failure exist, and determining how well the organization can continue operating if one of those dependencies is degraded or unavailable.

Things to Know

  • TPRM is not only a data issue, it’s a business continuity and patient care issue
  • Critical vendors can become single points of operational failure
  • Product inventory alone does not equal operational readiness
  • Downtime planning must include external partners and their dependencies
  • Resilience requires clear ownership, fallback plans, and decision authority settled before an incident occurs

What Should You Discuss With Your Team Following the Stryker Incident?

  • Does your organization require multi-admin approval for significant actions? This means more than one account must sign off on high-impact activities such as wiping endpoint devices.
  • How segmented are your business and clinical networks? Increased segmentation with proper access control can inhibit an attacker’s lateral movement capabilities across systems.
  • Which role-based access controls (RBAC) need immediate validation? Enforcing least privilege limits what attackers holding legitimate credentials can reach and which privileges they can escalate to.
  • How can you use this incident to educate employees about security hygiene and operational discipline?
  • Do your bring-your-own device (BYOD) policies protect your organization if a third-party tool deletes or modifies employees’ personal information on devices also used for work?

Threats To Be Aware Of

Heightened Geopolitical Tensions and Potential Cyber Implications for U.S. Healthcare

Overview:
There are no confirmed large-scale retaliatory campaigns targeting U.S. healthcare providers at the time of reporting. Still, heightened geopolitical tensions continue to raise the risk of disruptive cyber activity, particularly against exposed and underprepared environments.

Healthcare Impact:
Healthcare remains a high-value target because disruption carries immediate operational consequences and high media visibility. Even without a sector-wide campaign, this kind of pressure raises the importance of patching, credential protection, exposure management, and downtime readiness.

Recommended Actions:
Use these moments to validate external exposure, confirm multi-factor authentication (MFA) coverage, review monitoring for credential abuse, and make sure downtime procedures are ready if conditions change quickly. If tensions escalate, where is your organization most exposed operationally?

Stryker/Veeam/Windows

Overview:
March brought a sharp reminder that resilience can break in more than one place at once. The disruptions at Stryker and Intuitive, critical Veeam vulnerabilities, and Microsoft's move to disable RC4 (the legacy Kerberos encryption type) by default all show that core dependencies can quickly become operational problems.

Healthcare Impact:
This is not just about security hygiene. It is about continuity. When a critical vendor is disrupted, a backup platform is exposed, or identity infrastructure still relies on weak legacy settings, the risk can spread quickly from IT into clinical and business operations.

Recommended Actions:

  • Review dependency on critical vendors
  • Confirm Veeam remediation status
  • Identify any remaining RC4 or legacy authentication exposure (for example, by auditing Kerberos ticket events for RC4 encryption types and logon events for NTLMv1) before it becomes a larger operational issue
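The RC4 and legacy-authentication check above can be run against the Security logs most environments already export. The following is an added example, not code from the original brief or from any vendor: it walks exported Windows Security events 4768/4769 (Kerberos TGT and service-ticket requests, whose TicketEncryptionType field records the etype actually issued) and 4624 (logon, whose LmPackageName field records NTLM V1 vs V2), and summarises who is still getting RC4 tickets and where NTLMv1 is still in use. The input shape (a list of dicts with the EventData field names) and the sample records are constructed for this example.

```python
"""Audit exported Windows Security events for Kerberos RC4 tickets and NTLMv1 logons.

Added example. Input is a list of dicts, one per event, carrying the event ID
and the EventData fields of Security events 4768/4769 (Kerberos TGT/TGS
requests) and 4624 (logon). Field names follow the Windows Security log
schema; the records in SAMPLE_SECURITY_EVENTS are constructed, not real logs.
"""
from collections import Counter, defaultdict

# Kerberos etype values as written to the TicketEncryptionType field of 4768/4769.
RC4_ETYPES = {0x17, 0x18}   # RC4-HMAC, RC4-HMAC-EXP
AES_ETYPES = {0x11, 0x12}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96


def parse_etype(value):
    """Exports render the etype as '0x17' or as decimal '23'; return it as an int."""
    v = str(value).strip().lower()
    return int(v, 16) if v.startswith("0x") else int(v)


def audit_legacy_auth(events):
    """Summarise RC4 Kerberos usage and NTLMv1 logons found in the events."""
    rc4_tgt_by_account = Counter()
    rc4_tgs_by_service = Counter()
    rc4_sources = defaultdict(set)
    ntlmv1_by_account = Counter()
    for ev in events:
        eid = int(ev["EventID"])
        if eid in (4768, 4769):
            # Failed requests (Status != 0x0) say nothing about what was actually negotiated.
            if ev.get("Status", "0x0").lower() != "0x0":
                continue
            if parse_etype(ev["TicketEncryptionType"]) not in RC4_ETYPES:
                continue
            account = ev["TargetUserName"].split("@")[0].lower()
            src = ev.get("IpAddress", "?").removeprefix("::ffff:")  # DCs log IPv4 as IPv4-mapped
            rc4_sources[account].add(src)
            if eid == 4768:
                # An RC4 TGT means the requesting account/host itself negotiated RC4
                # (old OS, or the account has no AES keys set).
                rc4_tgt_by_account[account] += 1
            else:
                # A service ticket is encrypted with the *service* account's key, so RC4 here
                # usually means that service account lacks AES keys (msDS-SupportedEncryptionTypes
                # unset or RC4-only), not that the requesting user did anything wrong.
                rc4_tgs_by_service[ev["ServiceName"].lower()] += 1
        elif (eid == 4624 and ev.get("AuthenticationPackageName") == "NTLM"
              and ev.get("LmPackageName") == "NTLM V1"):
            ntlmv1_by_account[ev["TargetUserName"].lower()] += 1
    return {
        "rc4_tgt_by_account": dict(rc4_tgt_by_account),
        "rc4_tgs_by_service": dict(rc4_tgs_by_service),
        "rc4_source_ips": {k: sorted(v) for k, v in rc4_sources.items()},
        "ntlmv1_logons_by_account": dict(ntlmv1_by_account),
    }


# Constructed sample records (documentation/private addresses, fictional account names).
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4769, "TargetUserName": "nurse01@HOSP.LOCAL", "ServiceName": "PACS-SVC",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.5.21"},
    {"EventID": 4769, "TargetUserName": "nurse01@HOSP.LOCAL", "ServiceName": "legacy-lis-svc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.5.21"},
    {"EventID": 4768, "TargetUserName": "scanner-admin", "ServiceName": "krbtgt",
     "TicketEncryptionType": "23", "Status": "0x0", "IpAddress": "::ffff:10.10.9.4"},
    {"EventID": 4769, "TargetUserName": "tech02@HOSP.LOCAL", "ServiceName": "legacy-lis-svc",
     "TicketEncryptionType": "0x17", "Status": "0xe", "IpAddress": "::ffff:10.10.7.8"},
    {"EventID": 4624, "TargetUserName": "vendor-svc", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.20.30.40"},
    {"EventID": 4624, "TargetUserName": "dr.smith", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.20.30.41"},
]

if __name__ == "__main__":
    for key, value in audit_legacy_auth(SAMPLE_SECURITY_EVENTS).items():
        print(f"{key}: {value}")
```

Two practical points when running this on real data: 4768/4769 are written only on domain controllers and only when the "Kerberos Authentication Service" and "Kerberos Service Ticket Operations" audit subcategories are enabled, while 4624 is written on the host that accepted the logon. And the split in the output matters for remediation: RC4 TGTs point at clients or user accounts that need attention, whereas RC4 service tickets point at the service account, which is usually fixed by setting AES in msDS-SupportedEncryptionTypes and resetting its password so AES keys exist.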

Questions to Ask Your Team:

  • What breaks first if a critical vendor, backup platform, or identity service goes down?
  • Where are we still relying on legacy configurations we should have already retired?

Operations Brief – Token Access

Overview:
Attackers are continuing to bypass MFA by stealing session tokens and reusing trusted access. The problem is no longer just bad passwords. It is valid access in the wrong hands.

Healthcare Impact:
In healthcare, token abuse can grant attackers quiet access to email, cloud apps, patient data, and administrative systems without triggering the alerts teams expect from a traditional login attack.

Recommended Actions:
Strengthen conditional access, enforce device trust, monitor for suspicious session behavior, and ensure the team can quickly revoke active sessions during an incident.
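"Monitor for suspicious session behavior" means looking at what a session does after the MFA prompt has already been passed. The following is an added example, not code from the original brief or any product: it groups post-authentication activity records by session identifier and flags three patterns a stolen token tends to produce, the same session appearing from a different country, the same session switching to a different client, and a session that keeps working after the identity provider was told to revoke the user's sessions. The record shape, the IP-to-country table, and the revocation list are constructed stand-ins for a real sign-in log, a GeoIP lookup, and the IdP's revocation events.

```python
"""Flag reuse of authenticated sessions that MFA at login would not catch.

Added example. Input is a constructed list of post-authentication activity
records (session id, user, UTC timestamp, source IP, user agent, action),
roughly the shape of cloud sign-in/activity logs. GEO and the revocation
list are constructed stand-ins for a GeoIP lookup and IdP revocation events.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed GeoIP stand-in for the documentation addresses used below.
GEO = {"198.51.100.10": "US", "198.51.100.22": "US", "198.51.100.30": "US", "203.0.113.7": "NL"}


def _ts(s):
    """Parse an ISO 8601 timestamp; naive values are treated as UTC."""
    t = datetime.fromisoformat(s)
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)


def detect_session_abuse(events, revocations, geo=GEO):
    """Return one finding per (session, rule) for sessions that change network,
    change client, or keep being used after the user's sessions were revoked.

    events: dicts with keys session_id, user, time (ISO 8601), ip, user_agent, action.
    revocations: dict user -> ISO 8601 time at which that user's sessions were revoked.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    findings = []
    for sid in sorted(by_session):
        evs = sorted(by_session[sid], key=lambda e: _ts(e["time"]))
        first = evs[0]
        user = first["user"]
        base_country = geo.get(first["ip"], "??")   # network the session was established from
        base_ua = first["user_agent"]               # client the session was established with
        flagged = set()

        def add(rule, ev, detail):
            # One finding per rule per session keeps the output reviewable.
            if rule not in flagged:
                flagged.add(rule)
                findings.append({"session_id": sid, "user": user, "rule": rule,
                                 "time": ev["time"], "action": ev["action"], "detail": detail})

        for ev in evs[1:]:
            country = geo.get(ev["ip"], "??")
            if country != base_country:
                add("network_change", ev,
                    f"{base_country} -> {country} ({first['ip']} -> {ev['ip']})")
            if ev["user_agent"] != base_ua:
                add("user_agent_change", ev, f"{base_ua!r} -> {ev['user_agent']!r}")

        revoked_at = revocations.get(user)
        if revoked_at is not None:
            # A session seen both before and after revocation means revocation did not
            # actually end it (or the resource does not re-check the token's validity).
            cutoff = _ts(revoked_at)
            before = any(_ts(e["time"]) < cutoff for e in evs)
            after = [e for e in evs if _ts(e["time"]) >= cutoff]
            if before and after:
                add("post_revocation_use", after[0],
                    f"session still active after revocation at {revoked_at}")
    return findings


# Constructed sample activity (fictional users, documentation addresses).
SAMPLE_EVENTS = [
    {"session_id": "s1", "user": "dr.lee", "time": "2026-03-12T09:00:00", "ip": "198.51.100.10",
     "user_agent": "Chrome/123 Windows", "action": "MailRead"},
    {"session_id": "s1", "user": "dr.lee", "time": "2026-03-12T09:05:00", "ip": "198.51.100.10",
     "user_agent": "Chrome/123 Windows", "action": "MailRead"},
    {"session_id": "s1", "user": "dr.lee", "time": "2026-03-12T09:40:00", "ip": "203.0.113.7",
     "user_agent": "Chrome/123 Windows", "action": "MailboxRuleCreate"},
    {"session_id": "s2", "user": "nurse.kim", "time": "2026-03-12T10:00:00", "ip": "198.51.100.22",
     "user_agent": "Outlook iOS", "action": "MailRead"},
    {"session_id": "s2", "user": "nurse.kim", "time": "2026-03-12T10:30:00", "ip": "198.51.100.22",
     "user_agent": "python-requests/2.31", "action": "FileDownload"},
    {"session_id": "s3", "user": "admin.ops", "time": "2026-03-12T11:00:00", "ip": "198.51.100.30",
     "user_agent": "Edge/123 Windows", "action": "PortalView"},
    {"session_id": "s3", "user": "admin.ops", "time": "2026-03-12T11:25:00", "ip": "198.51.100.30",
     "user_agent": "Edge/123 Windows", "action": "RoleAssign"},
    {"session_id": "s4", "user": "dr.patel", "time": "2026-03-12T12:00:00", "ip": "198.51.100.10",
     "user_agent": "Chrome/123 Windows", "action": "MailRead"},
]
SAMPLE_REVOCATIONS = {"admin.ops": "2026-03-12T11:10:00"}

if __name__ == "__main__":
    for f in detect_session_abuse(SAMPLE_EVENTS, SAMPLE_REVOCATIONS):
        print(f)
```

The third rule doubles as a test of the "revoke active sessions quickly" capability: if findings of type post_revocation_use show up during an incident, revocation is not reaching the resource the attacker is using, which is exactly the gap to close before it matters. Country is a coarse stand-in; production logic would use ASN or the IdP's own device and location signals.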

Questions to Ask Your Team:

  • Are we treating MFA as enough, or are we watching for abuse after authentication?
  • How quickly can we detect and shut down suspicious live sessions?

Peer Pulse: The Third-Party Problem with Scott Doerr

We sat down with Scott Doerr, vCISO at Fortified, to understand how third-party risk is evolving and what that means for healthcare providers.

Russell: How has your approach to, or perspective on, third-party risk management changed following recent vendor-related cybersecurity incidents and the proliferation of AI?

Scott: One of the biggest changes in perspective is that vendor risk is no longer just about data exposure. It is about operational dependency. Many organizations have vendors that are embedded into clinical workflows, revenue cycle operations, imaging, medical devices, and patient communications. When those vendors experience a cyber incident, the impact is not limited to an IT issue. It can disrupt patient care, delay procedures, and significantly impact revenue and operations.

Because of this, I now evaluate vendors in three major areas:

  • Access Risk – Scrutiny of how vendors access systems and data.
  • Resilience and Downtime Preparedness – Recent incidents have reinforced the importance of asking vendors operational questions, not just security questions.
  • Incident Response Coordination – Another major shift is evaluating how vendors will communicate and operate during a cybersecurity incident.

Overall, third-party risk management is evolving from “Does this vendor meet security requirements?” to “Can our organization continue operating if this vendor is compromised or unavailable?”

Russell: How would you recommend reassessing risk for critical vendors vs non-critical vendors today?

Scott: Organizations should reassess vendors based on operational criticality, access, impact to patient care, and/or business operations, not just whether the vendor stores sensitive data.

A simple way to think about this is:

  • If this vendor is compromised, what happens to our data?
  • If this vendor is unavailable for 5 days, what happens to our operations?

These two questions assess vendors from a security-risk and an operational risk standpoint.

A mature third-party risk management program focuses the most attention on the vendors that could halt operations, impact patient care, or significantly disrupt the business, not just the vendors that store sensitive data.

Russell: How do you balance operational reliance on vendors with the need for stronger security accountability with other stakeholders?

Scott: The way to balance operational reliance with security accountability is through shared responsibility, governance, and clear expectations, not by trying to push all responsibility onto either IT, cybersecurity teams, or the vendor.

One of the most important mindset shifts organizations must make is that third-party risk management is not owned solely by IT or cybersecurity. Vendor risk affects clinical operations, revenue cycle, patient safety, and business continuity. Because of this, vendor risk decisions, especially for critical vendors, should be treated as enterprise risk decisions and governed at the executive level. Security teams should inform risk, but leadership ultimately accepts risk when they decide to rely on a vendor.

And remember, the goal is not to avoid vendor risk. The goal is to govern vendor risk.

Organizations should not aim to eliminate reliance on vendors; that is unrealistic.
Instead, organizations must ensure that reliance on vendors does not become uncontrolled risk, and that vendor risk decisions are made intentionally, governed appropriately, and understood at the executive level.

Russell: What recommendations would you make to healthcare IT leaders who may still be underestimating third-party risk?

Scott: The biggest recommendation I would make to healthcare IT leaders is this: third-party risk is not just a data privacy issue, it is an operational resilience and patient safety issue.

Many organizations still evaluate vendors mainly based on whether they store PHI or pass a security questionnaire. The problem is that recent vendor incidents have shown that the biggest impact often comes from system outages and operational disruption, not necessarily data breaches.

Some basic recommendations would be to:

Identify Your Critical Vendors Immediately – If an organization does nothing else, it should build a list of critical vendors and ask one simple question for each: “If this vendor is unavailable for 3–5 days, what happens to our organization?”

Treat Vendor Outages Like Ransomware Scenarios – Healthcare organizations spend a lot of time planning for ransomware attacks on their own network, but many have not planned for a ransomware attack on a critical vendor.

Stop Treating TPRM as a Compliance Exercise – If third-party risk management is only sending questionnaires, collecting SOC 2 reports, checking a compliance box, and then filing documents away, then the organization is not actually managing third-party risk. The organization is documenting it.

Assign Business Owners to Every Vendor – Every vendor should have a business owner, not just an IT contact.

Elevate Third-Party Risk to Leadership and the Board – Third-party risk should be reported to executive leadership and the board as part of enterprise risk management.

Closing Perspective 

March’s incidents reinforced a broader leadership challenge: healthcare organizations must adopt an “assume disruption” mindset that places patient care continuity at the center of cyber resilience.

Resilience depends on identifying the operational pressures that create risk and acting on them before they turn into an outage that affects patient care. That includes internal capabilities, external vendors, and the technologies and data flows that connect them all.

Stay safe, healthcare.
