When Applied Policy first examined cybersecurity in healthcare in 2024, the dominant concern was ransomware. The $22 million ransom demand in the cyberattack on Change Healthcare—which followed shortly after our series ran—appeared to confirm the prevailing model: financially motivated actors, payment demands, and an eventual, if painful and costly, path to recovery.
Last month’s cyberattack on Stryker has upended that playbook.
On March 11, 2026, employees at the Michigan-based company found that their phones and computers had been erased, rendering key systems inaccessible. There was no ransom note. No demand for payment. No malware spreading in any pattern an incident response framework had anticipated. Attackers who had obtained administrator-level credentials used the company’s own device management tools to erase thousands of devices at once.
A pro-Iranian hacktivist group claimed responsibility for the attack, framing it as retaliatory. In disclosing the incident through 8-K filings with the U.S. Securities and Exchange Commission, Stryker confirmed that forensic investigators from Palo Alto Networks Unit 42 identified a malicious file used to execute commands while concealing the attackers’ activity.
The incident is forcing healthcare executives and policymakers to reassess existing security assumptions. It has also underscored the importance of federal resources such as the Administration for Strategic Preparedness and Response (ASPR) in coordinating preparedness and response across the healthcare sector.
Federal Roles in Healthcare Cybersecurity and Preparedness
Several federal agencies support the healthcare sector in preparing for and responding to disruptive cyber events. The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, provides threat intelligence, incident response support, and coordination across critical infrastructure. The Food and Drug Administration establishes and enforces cybersecurity requirements for medical devices. Within the Department of Health and Human Services, the Office of the Chief Information Officer and the Office of Information Security lead cybersecurity efforts, including threat analysis, information sharing, and coordination with public and private healthcare stakeholders.
These functions are essential to understanding and mitigating cyber risk. They are less focused on what happens after a disruption occurs, when care must continue despite the loss of systems.
That challenge—maintaining care delivery during system disruption—aligns more closely with the role of ASPR, particularly its focus on continuity of operations. While ASPR is not a cybersecurity response agency in the traditional sense, its preparedness framework has increasingly incorporated cyber-related risks. In its role supporting the healthcare and public health sector, ASPR also contributes to coordination across public and private stakeholders focused on resilience and sustained operations in the face of disruption.
Through the Hospital Preparedness Program, ASPR has integrated cybersecurity into broader preparedness activities, including downtime planning, continuity of operations, and coordination across healthcare coalitions. Authorized under the Pandemic and All-Hazards Preparedness Act and administered by ASPR, the program supports state and regional readiness for a range of public health emergencies, including those affecting healthcare system infrastructure. ASPR’s Technical Resources, Assistance Center, and Information Exchange (TRACIE) provides operational guidance to providers managing disruptions to clinical and administrative systems, including during periods when systems remain unavailable.
This approach is relevant to incidents such as the disruption affecting Stryker Corporation. While the full downstream effects of the incident are still being assessed, the interruption of internal systems and business processes illustrates how a cyber event can create operational challenges even in the absence of ransomware. Organizations that planned primarily for technical recovery (restoring systems and identifying the intrusion vector) may be less prepared for the next step: maintaining operations in the interim.
Implications for Preparedness and Continuity of Operations
Of course, the Stryker incident does not invalidate existing cybersecurity practices. Controls such as multi-factor authentication, privileged access management, and endpoint protections remain critical. CISA’s advisory following the incident emphasized the importance of securing device management systems.
At the same time, the incident points to a broader range of scenarios that do not follow established patterns.
For healthcare organizations, this means greater attention to continuity planning, operational exercises, and coordination with regional partners. For policymakers, it raises questions about how existing preparedness resources are used and whether they are reaching the organizations most likely to need them.
Cyber risk in healthcare is no longer limited to financially motivated disruption. Recent incidents indicate a threat landscape that is persistent and evolving. In that environment, the ability of the healthcare system to continue functioning during a disruption becomes a central consideration.