When the Ambulance Can’t Call Ahead: Why the Stryker Hack Is Different

By Bob Olsen
SMARTER PERSPECTIVES: Cybersecurity

March 2026

Hundreds of healthcare organizations have been breached or disrupted over the past decade. Hospital systems have gone dark. Patient records have been ransomed. Clinical workflows have ground to a halt. Each incident is serious. Each one costs money, time, and in some cases, lives. But in my years working both as a cybersecurity consultant and as an EMT, I have never seen a cyberattack that threatens the prehospital care continuum quite like this one.

On March 11, 2026, the Iranian-linked hacktivist group Handala – assessed by Palo Alto Networks as an operational arm of Iran’s Ministry of Intelligence and Security – executed a wiper attack against Stryker, one of the world’s largest medical device and technology companies. Using a compromised Microsoft Intune environment, the attackers remotely wiped over 200,000 systems, servers, and mobile devices across Stryker’s operations in 79 countries. The attackers framed the operation as retaliation for recent U.S. missile strikes on Iran. The target, however, was not a military installation. It was the backbone of emergency medical infrastructure in the United States.

This is not just another healthcare breach. This is different – and those of us who have worked both sides of the patient care door understand exactly why.

The LifeNet Problem Nobody Is Talking About

Stryker’s LifeNet system is a cloud-based platform that transmits real-time patient data – most critically, 12-lead ECG readings – from LIFEPAK monitors in ambulances directly to receiving hospitals. When a paramedic is managing a STEMI patient in the back of an ambulance at 70 miles per hour, that transmission is not a convenience. It activates the cath lab before the patient ever hits the ED doors. It is the digital bridge between prehospital assessment and definitive care.

Maryland’s Institute for Emergency Medical Services Systems reported that LifeNet was “non-functional in most parts of the state” in the immediate aftermath of the attack. Hospitals began disabling transmission capabilities as a precaution. Electronic Patient Care Report (ePCR) platforms that integrate with LifeNet, including widely used systems like ImageTrend, initially halted data transfers. For EMS providers, this is not a network inconvenience. It is a broken communications link in a system where minutes are measured in myocardial tissue and neurons.

As an EMT, I can tell you what it means to work without that link. Treatment decisions that normally benefit from physician oversight now rest entirely on field assessment. Hospitals lose advance notification if the paramedic isn’t able to perform a radio consultation. Teams that would have been staged and ready could be caught unprepared. The margin for error compresses.

The Broader Supply Chain Threat

The disruption extends beyond real-time data transmission. Stryker supplies virtually every major U.S. hospital that performs surgeries – orthopedic implants, surgical robots, power stretchers, hospital beds, and defibrillators. The company’s electronic ordering system was taken offline. Elective procedures may be postponed. Inventory replenishment for critical surgical supplies is uncertain. The American Hospital Association acknowledged it was actively monitoring potential supply chain impacts as they develop.

This is the nature of third-party risk that I counsel clients on every day: a single vendor’s compromise becomes a systemic failure across hundreds of dependent organizations simultaneously. The difference here is that the downstream impact is not a delayed invoice or a degraded SLA. It is a delayed surgery or an unequipped crash cart.

A New Category of Threat

Handala has historically targeted Israeli civilian infrastructure. The Stryker attack marks its first known strike against a major U.S. business, and the choice of target was deliberate. By selecting a company at the intersection of emergency care and surgical supply chains, the attackers maximized disruption potential without directly targeting a hospital network. It is an elegant and deeply troubling escalation in strategy.

The cybersecurity community has long warned that threat actors would eventually move from targeting hospital IT networks to targeting the medical technology ecosystem that hospitals depend on. That moment is now. EMS systems, hospital security teams, and device manufacturers need to examine the dependencies they have built on cloud-connected platforms – and they need to have tested, documented downtime procedures that do not assume connectivity.

Contributors

Robert Olsen

Managing Director Global Cyber Advisors Professional Services
ROlsen@hilcoglobal.com
