Two of the world’s largest surgical technology companies disclosed cybersecurity incidents in recent days, underscoring growing digital risks across the health care technology ecosystem, including the robotic platforms and connected operating room tools increasingly used in ambulatory surgery centers (ASCs).
First, Stryker Corp. (NYSE: SYK) revealed that it was responding to a cyberattack that disrupted parts of its internal IT environment.
Shortly after that news broke, Intuitive Surgical (Nasdaq: ISRG), maker of the widely used da Vinci robotic surgery system, reported that an unauthorized third party accessed data from internal business applications following a phishing incident.
Both companies said their surgical systems remain safe to use. They also explained that hospital customers and clinicians had not been affected.
The incidents nevertheless highlight ongoing cybersecurity challenges for medical technology companies whose products and services sit at the center of modern surgical infrastructure.
Stryker network disruption
Stryker first disclosed March 11 that it experienced a cybersecurity attack that caused a global disruption to its Microsoft-based internal network. The company said there is no indication of ransomware or malware and that the incident appears contained to its internal environment.
Importantly for hospitals and outpatient providers, connected products and surgical systems were not impacted, Stryker said.
“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the company said in a customer update.
The company acknowledged, however, that the disruption affected certain business systems, creating temporary challenges for order processing, manufacturing and shipping while systems are restored.
Stryker’s portfolio includes surgical robotics and orthopedic technologies widely used in outpatient settings. Its Mako robotic platform – used for hip, knee and shoulder procedures – was not affected by the incident, the company said.
Incidents like the one affecting Stryker reflect the increasing attractiveness of health care infrastructure to attackers, experts point out.
In the case of Stryker, some have connected the dots to Iran-linked bad actors. Specifically, the logo of an Iran-linked group appeared on devices during the incident, according to The Wall Street Journal.
Health care technology companies present both financial and operational targets for cyber criminals or geopolitical actors seeking to disrupt critical industries, Mike Kijewski, CEO of medical device cybersecurity firm MedCrypt, told ASC News sister publication MassDevice.
“If you’re a nation-state wanting to do harm to the U.S., you can attack banks, and there’s a financial impact,” Kijewski said. “You can attack the energy sector, and there’s critical infrastructure impacts. Health care has both.”
Intuitive discloses breach
Separately, at Intuitive, a targeted phishing attack allowed an unauthorized third party to access certain information from internal IT business applications, according to the company.
The incident stemmed from a compromised employee account within the company’s administrative network, Intuitive said in a public statement.
The accessed data included some customer contact and business information along with employee corporate data.
Intuitive emphasized that the breach did not affect its robotic surgical platforms or hospital systems.
“Our da Vinci, Ion and digital platforms were not impacted and continue to be safe and operational,” the company said.
The networks supporting Intuitive’s robotic systems and manufacturing operations are segmented from internal business systems, helping prevent the breach from spreading to clinical platforms, the company noted.
Taken together, the incidents illustrate how cyber threats increasingly intersect with surgical technology supply chains.


