Actual (00:00)
Welcome back to Status Secure. Today's briefing is about the new standard of mortality risk in the healthcare ecosystem. 10 years ago, if a healthcare giant got hit, we looked for ransomware. It was linear: encrypt data, demand payment, or restore from backup. Today, the game has changed. Your assets aren't being locked down, they're being wiped off the digital map, and the threat actor didn't need exotic malware to do it. They turned your own internal administrative infrastructure into a kill switch. Are you securing your castle, or are you just securing the wrong set of tools? What we need to talk about is the Stryker cyber attack. So if you don't know about Stryker and who they are, they manufacture surgical equipment, orthopedic implants, neurosurgical and neurovascular devices, and emergency medical equipment.
Their products are used by 150 million patients annually across roughly 61 countries. A Fortune 500 company, often ranked among the top medical device companies worldwide. They have approximately 56,000 employees and their revenue is around 25 billion a year. At least that's what it was for the last fiscal year. So, CISO, why don't you tell us about what happened to Stryker recently?
The CISO (01:13)
Yeah, so we talk about third-party risk, right? That's an area everyone always has concerns about because it's a big risk, and this was actually, like, it was actualized. Stryker is a huge third party, right? So part of the supply chain for hospitals, for providers, for healthcare providers.
With them being attacked, it really impacted health services. So, you know, just think about that. People who were scheduled for surgeries, now those surgeries have to be delayed. What's the impact of that? You know, it could be devastating. So the Stryker attack, you know, didn't rely on an unpatched zero-day exploit. What they did was they were able to compromise an admin account, and that admin account was on Microsoft Intune, which controls, if you know, the intention of Microsoft Intune is being able to do your endpoint, right? Where if something happened, you could remote wipe your devices. That's to protect the company. But in this case, that account was used by a, you know, by a bad actor. And what happened was they took that and they wiped, they wiped all of the devices. And so you can see that administrative capability to protect your organization and your data was used to attack Stryker.
Actual (02:47)
So when you say all their devices, I think there's some reports that are saying specifically around 200,000 global endpoints were hit and wiped. And so what, who did this? Like, what happened? 'Cause it wasn't malware, right? And you just kind of explained that. So why was this done? And sort of what was the intention, like the outcome that these people were looking for?
The CISO (03:04)
Yeah.
So the attackers, this was attributed to the Iran-linked group Handala. And so if you have not been paying attention, which every security person should be, because it's a global economy now, anything that's happening in the world could potentially impact your organization. So if you turn on the news, you'll see right now there's a huge conflict in the Middle East with Iran, and the US is involved. As part of this attack, and again, I think we might have talked about this, attacks are no longer just on land, in the sea, and in the air. It's now in cyberspace. And this was a planned attack.
And so they likely did a phishing, a very sophisticated phishing or an info stealer attack, giving them access to the Microsoft Intune console. Okay, and so again, a functionality that is meant to protect, they utilized it to attack.
They did a remote wipe command on all of the devices, and you said it, over 200,000 devices. So, you know, what really happened was that the Microsoft environment at Stryker was now compromised, right? It was down. And so now you're looking at, you know, the backbone of Stryker really: their ability to do shipment, their ability to pay, their ability to invoice, their ability to, you know, actually even know what their inventory was. I mean, there were so many crucial processes that were shut down, which then impacted their ability to supply. And this is global warfare, right, executed by just one administrative button, because Stryker is a global supplier of medical devices. So it affected not only the US but every country, every organization that relied on Stryker.
Actual (05:16)
So what's interesting is I was recently at a conference and I sat down with someone from Stryker, and we were just discussing things about their company, you know, who they are, what they do, what their needs are, what they're looking for specifically at this conference. And, oddly enough, what you just mentioned, we kind of started getting on a rant, started talking about all of these email phishing things, and the person I was talking to was explaining all of these events that kept happening and happening over and over. And it was so exhausting for them, like, you know, internal, you know, training, right? The internal, like, making sure people know how to do this. And then sometimes it was very sophisticated, like in, you know, man in the middle, like a vendor, you know, pretend to be the vendor to get the billing and the invoicing.
And it's pretty interesting that you just brought this up, that could have been how they got in. And we're sitting here talking about how Stryker got hit. And so a question I have for you is, does this sound less like data protection, more like there was some negligence happening? And if the Stryker-connected devices, like surgical robots or LIFEPAK monitors, weren't wiped, why did the hospital supply chain still collapse?
The CISO (06:32)
Well, again, you know, what I mentioned, which was just the, the attack was meant to disrupt the supply chain. So if you already had a medical device and it was, you know, it was not connected to Stryker, you were fine, right? That was fine. But, you know, hospitals and healthcare providers order medical devices all the time, because every surgery may be different. So that's what they were attacking, the ability. And then also to ship new devices, to manufacture devices, because it's not like Stryker doesn't have an entire... waiting to be manufactured and shipped. And this is a well, you know, a well-functioning system, right? Because they've been around for a long time. So just imagine, I mean, in your head, I don't know if you remember what, you know, like, they're called lines, like in a manufacturing line.
Right. So in a manufacturing line, everything has to work correctly, or it just stops. So I had an opportunity when I was younger to work in a manufacturing plant. And every single piece on that line, every part of that manufacturing line had to function. Or else they shut the line off and then everything stops.
So that's what they did. They shut off the manufacturing line.
So the question was, if the medical devices that are already in the hospitals and the healthcare providers, if they were not wiped, why did it impact? Why was the impact so large? And the answer is that Stryker is a manufacturer of medical devices. So if you think about, you know, if you think about a manufacturing line, any part of that line goes down, that entire line gets shut off. And now that manufacturer can't meet its orders, can't ship out its product. And so, you know, there was... Stryker is huge. They've been around for a long time. There were already orders in the pipeline. There was, you know, they, and those lines got turned off.
Right. So nothing was being shipped out. And you know, with, with that much offline, the backbone of Stryker, right, the back office is shut down. Right. So nothing can happen. So they really just turned off the supply to hospitals and healthcare providers. And it's not like the equipment that you have, especially in hospitals, you know, getting shipped medical devices all the time. So now if they had a new surgery and they were waiting on something from Stryker, that wasn't coming. So the attack was really to shut off the supply chain, and they succeeded.
Actual (09:26)
So, just out of curiosity, for the hospitals that relied on Stryker and getting products from them, if a patient is harmed because of a critical component where the logistics broke down and they couldn't get that component... however, I guess I'm trying to understand this topic maybe. Is there a situation where, because of this, or have you seen if there was anything reported where, I don't know, maybe there was something bad that happened because of the inability to get the equipment from them?
The CISO (09:57)
Well, yeah, because there's already news that Stryker is being sued by the victims of this attack, right? Which is, like, healthcare providers, hospitals. And we see this really a lot because now the hospitals are liable, right? The hospitals are liable, their patients may be suing them. And so now they're suing Stryker, right? That's the chain reaction, right? The response, the response. So what that tells us is that there were victims that were harmed. So of course, you know, they, you know, sued the hospitals or the healthcare provider, and those healthcare providers are now suing Stryker for any of the damages that they incurred, right? Which might be, you know, restitution to a patient, right? So, you know, I think that everybody along that, like the healthcare provider, the hospital, they have to really understand who their suppliers are, who their critical suppliers are, and have a, you know, really understand and have an inventory that they can then take and build resiliency plans for. Because Stryker going down, these healthcare providers should have planned for that. Otherwise, sometimes the courts will see, especially regulators, HHS, CMS, those folks, SEC in the case of Stryker, that's reasonable care. Did you do everything you could? If you knew they were a critical supplier to you, in the case of the healthcare providers, if you knew they were a critical supplier to you, why didn't you have another supplier available?
Actual (11:36)
Yeah, and that is an interesting concept. I guess I'm not really too in that world to know the details on that, but that is something that I've talked about with other people in maybe a different industry. You know, some of that backup planning, like in the military we have a phrase, an acronym called PACE, and it's for emergency planning. So your primary, alternate, contingency, and your emergency plan.
And that's in case something like this happens. And I'm sure that these hospitals have something like that. But yeah, that's just, that's tough. And I'm trying to look up here things that may have happened, and there's a note here: a five-year-old patient's custom skull implant surgery was forced into postponement because the implant got stuck in Germany. And I guess, yeah, if you look, and I'm sure other people can just Google it if they really wanted to, there's all these other things that happened because of it. Yeah. And I would say, I think of that specific example and go, well, that's pretty unique. Can you have that in backup? Right. Like, how many backups of all these expensive, unique things could you possibly have? And that's, I guess that makes this situation even that much more difficult and that much more necessary to not have stuff like this happen.
The CISO (12:51)
I mean, everybody does tabletops and they talk about it, right? But you have to really write it down and have a plan. And there are other suppliers. So in an emergency, you should, they call it, like, there's contracts that you can put in place, which basically say, you know, like, you're on retainer. If we have an emergency, we're going to reach out to you. And if you have it available, then you're going to provide it to us, right? At this price, because you don't want somebody to gouge you because you're having an emergency, right? So if you negotiate these contracts ahead of time, then during your emergency, it's, you know, you're like, okay, our primary is not available. We'll go to our secondary. We already have a price for this, right? Negotiated with them.
And it's faster because you're already in their system, right? You're already in their system. You just do an order and then they ship. Otherwise you have to go to contract negotiations, which sometimes can take a long time.
Actual (13:50)
Sure, or if you don't want it to take a long time, you're paying a lot more than you were hoping to pay. Yeah, so for those who are listening and maybe exist in this kind of realm, you know, we can't avoid ecosystem dependencies, but we can't tolerate these vulnerabilities or even what they could lead to, like mortality risk. So where do we start?
The CISO (13:55)
Yeah.
Actual (14:14)
What can they take away from this week, from this topic, and go, I need to pay attention to this, I need to look into this, maybe we can talk about this, or this is something I can implement?
The CISO (14:25)
I would say two things. One is what we just mentioned, which is map your tier one, tier two dependencies. And this is for the hospitals and the healthcare providers. Do your tabletops and then follow through. There are so many times where companies will do a tabletop and then when they're done, they're like, we're done. This is our annual requirement, we completed it. But you need to follow through and identify any gaps, such as you don't have a contract with your secondary supplier. Follow through, make sure you retest, right? Do another tabletop exercise to make sure that's no longer a gap. And then the second thing is, you know, it's really interesting, because these are healthcare providers, and in healthcare there's a saying, "Physician, heal thyself." So I would say for the folks securing these healthcare providers: Security, secure thyself, right? Because you're always looking out for holes in security. Well, the fact that somebody's stealing the admin password to Intune, you should have been thinking about that. You should have had some plan in place. That admin account should not be just, once stolen, easily used. You should do... there are so many things that are available now and that have been talked about. One is just-in-time. And for those who aren't familiar with that, what that is, is that even though you're an administrator, you have to check in and check out that administrative account. And your permissions on that system are only, when you check out that account, maybe you check it out for an hour, and all the activities you do on that account for an hour are being monitored. And so as soon as something suspicious, alert. Because maybe you couldn't have stopped it, but if you had seen it early, you could have stopped it when they were trying to do a bad command. And that's the other thing. Maybe you should have been monitoring and not allowed the ability to wipe all devices.
So those are the things that I think security folks are good at on other systems, but they need to be looking at that on their own, like the things that they can do.
Actual (16:35)
Well, the perimeter is no longer just your network. It’s the embedded software and administrative controls of your entire supply chain. When your resilience is networked, your responsibility is networked. So mission success is about patient outcomes in this case, right? So let’s get out there and execute the standard. We’ll see you guys next week.