From surgical robots and knee implants to software and medical cleaning supplies, Stryker is an international medical device company whose products tend to be used behinds the scenes in health care. But patients may recognize the name after visiting a local hospital room.
The Michigan-based company, which announced Wednesday that it was hit with a cyberattack attributed to activist hackers linked with Iran, is one of the largest makers of hospital beds and other health care-related furniture.
So, while most of what Stryker makes is invisible to patients, it is not difficult to spot the company’s logo on the heavy-duty wheeled bed frames that are routinely pushed through hospital hallways in many local hospitals.
A survey of local medical providers found that while all said they use Stryker products, none have detected any sort of suspicious activity since the attack started.
Niko Behar, an adjunct faculty member and cybersecurity specialist in the Shiley-Marcos School of Engineering at the University of San Diego, said that there have not yet been any reports that the attack has spilled from Stryker’s own internal networks to those run by the hospitals that use its products.
“A large company like this getting breached and no hospitals reporting any side effects in my opinion means that Stryker was probably successful in containing the attack within their own environment,” Behar said. “That is not to say that things won’t potentially get worse; we don’t have enough information right now to say that for sure.”
And medical information teams are not sitting back and waiting.
Josh Glandorf, chief information officer at UC San Diego Health, said that the reaction was immediate when the organization received word of the strike against Stryker.
“We’ve cut our network connectivity to the Stryker system; we’ve taken all of our known connections to Stryker and have shut those down for now, until the cyberattack is resolved.”
Dr. Gene Ma, chief executive officer of Tri-City Medical Center in Oceanside, said the organization’s approach was similar.
“Out of an abundance of caution, we also took precautionary measures to sever any connections with Stryker platforms until Stryker is able to provide greater clarity and reassurances,” Ma said.
These days, even beds can be vectors of attack, potentially providing links from vendors into hospitals through “cloud” functions that enable functions such as remote monitoring by checking in with remote servers.
Stryker has been a leader in this area, stating on its website that it offers the “only truly wireless hospital bed on the market,” which is equipped with a bed scale, a three-zone adaptive bed alarm and integrated “iBed” capabilities, including automatic monitoring of siderail position and height settings that can be wirelessly transmitted to nurse stations and hospital records systems.
With massive and expensive cyberattacks costing hospitals hundreds of millions of dollars per year in lost productivity, legal settlements and poor publicity, health systems have spent heavily in recent years digging their digital defenses deeper.
Some of this work, Glandorf said, involves “network segmentation,” configuring the digital landscape that computers use to communicate in ways that keep different departments or functions separate, so hacking into, say, the accounting department does not make it easy to identify and attack the places where medical records are stored. And there have been heavy investments in early-warning software, some of it now run by artificial intelligence, to warn security teams as quickly as possible if something looks suspicious.
Those capabilities came to bear Wednesday when it became clear that the threat was associated with one particular vendor. Having already done the work to track where different types of equipment are inside the organization, it was easier to issue a blanket order to limit risk.
“It allows you to very quickly just quarantine a specific vendor,” Glandorf said.
And, he added, while this sort of action shuts down communications to Stryker’s servers, most technology, such as software that nurses use to communicate with each other all day long, can still function locally.
While UC San Diego, Behar noted, has been at the forefront of cybersecurity improvements in health care, and it cannot be assumed that every health system in the nation has similar capabilities, the professor said that medicine has upped its game in recent years.
They really haven’t had a choice.
“This has been front-and-center in the news for years now, and they know what can happen, that they might have to go on the news, they might have to write a letter to patients,” Behar said.
But he added that today’s protections, improved as they might be, will need to keep evolving if they are to keep up with new attacks.
Some San Diego medical providers disconnect from Stryker network because of cyberattack
