Modern warfare has extended into the digital domain, where cyberattacks against private companies and critical infrastructure are increasingly used as tools in geopolitical conflict. The healthcare sector, which relies heavily on digital systems for storing sensitive patient information, is a particularly vulnerable target. This vulnerability, which can be heightened during times of international conflict, was recently illustrated by the cyberattack against Stryker—a major U.S. medical device manufacturer. The event raises the broader question of whether the existing Health Insurance Portability and Accountability Act (HIPAA) Security Rule is sufficient to protect personal health information (PHI). In an era where cyberwarfare more commonly targets healthcare companies, it also raises the question of who will bear the financial responsibility for the heightened security measures needed to safeguard this data.
The Stryker Cyberattack
Stryker, a U.S. medical device company with ties to Israel through its acquisition of OrthoSpace, manufactures products ranging from artificial joints to surgical instruments. This month, Stryker experienced a cyberattack attributed to a pro-Iranian hacking group amid escalating tension between the U.S. and Iran. The hacker group stated the attack was retaliation for recent military actions involving the U.S. and its allies. The cyberattack disrupted Stryker’s global operations—affecting systems used for order processing, manufacturing, and shipment of medical devices—while reports indicate the hackers wiped thousands of systems and claimed to have extracted large quantities of company data.
Although Stryker stated that its medical devices and patient services were not directly compromised, the cyberattack caused widespread operational disruptions and highlights the vulnerability of healthcare companies during geopolitical conflicts. Cybersecurity experts have warned that such attacks may represent a broader escalation in cyberwarfare targeting critical infrastructure, which includes healthcare companies. As a result, private healthcare companies are becoming indirect participants in geopolitical conflicts due to their strategic importance in national infrastructure and the expansive amounts of sensitive information they maintain.
Implications for PHI and HIPAA
The cyberattack against Stryker is not an isolated incident. Healthcare organizations have long been targets of cyberattacks, reflecting persistent vulnerabilities within the sector. The U.S. Department of Health and Human Services (HHS) Breach Reporting Portal has documented thousands of breaches involving PHI, affecting millions of individuals. The healthcare industry is a prime target for cybercriminals because it maintains extensive databases containing highly sensitive information—such as Social Security Numbers, medical histories, insurance information, and billing records—which can be monetized through ransomware, identity theft, and insurance fraud.
Cybersecurity issues are not new; healthcare entities have faced threats even during times of relative geopolitical calm. However, as cyberattacks become commonplace in geopolitical conflict, the frequency of attacks may rise, exacerbating existing vulnerabilities and intensifying risks to PHI and patient care.
Under the HIPAA Security Rule, covered entities and business associates must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The rule requires security measures that are reasonable and appropriate to reduce risks and vulnerabilities to ePHI, effectively establishing a baseline security standard rather than prescribing specific controls.
Cyberattacks that breach systems directly undermine these core objectives by exposing patient information for financial exploitation, intelligence gathering, or political purposes. In more severe incidents, such attacks can disrupt access to medical records and clinical systems, directly impacting patient safety and the delivery of care.
The HIPAA Security Rule was developed in the early 2000s, before modern cyber warfare emerged as a feature of geopolitical conflict. As cyber threats evolve quickly, health organizations may need to adopt increasingly advanced cybersecurity strategies more commonly used in national defense. However, implementing these advanced security protections often imposes significant financial and operational burdens on healthcare entities.
In light of these challenges, enhanced federal support, guidance, and coordination are necessary to assist healthcare organizations in strengthening their defenses. While the HIPAA Security Rule establishes baseline security requirements, it provides limited specificity regarding how organizations should respond to emerging and escalated threats such as those currently arising from geopolitical conflicts.
Recognizing these risks, federal agencies have begun providing additional resources. For example, HHS has published materials such as the Security Risk Assessment Tool, the Security Rule Risk Analysis Requirement, and the Security Rule Guidance Material to address the rise in cybersecurity incidents and to help entities assess security vulnerabilities to ePHI. Similarly, the Federal Bureau of Investigation launched its Campaign Against Cybersecurity Part 1 this February, providing healthcare entities with recommendations for defending against cyber threats.
Despite these efforts, the financial and operational costs associated with implementing robust cybersecurity protections appear to remain with healthcare entities. As cyberattacks become more prevalent with geopolitical conflict, policymakers may need to consider whether existing regulations adequately address large-scale cyber threats. Federal financial and technical assistance should be considered to ensure that healthcare organizations can effectively protect ePHI during periods of geopolitical instability.
The cyberattack against Stryker underscores the growing intersection between geopolitical conflict and healthcare cybersecurity, demonstrating that healthcare organizations are now potential targets in modern cyber warfare. The incident raises critical questions regarding whether the current HIPAA Security Rule provides adequate protection for healthcare entities or whether enhanced safeguards are necessary. As healthcare organizations face growing pressure to implement advanced cybersecurity measures to defend against international cyber threats, policymakers must also address the practical and financial burdens of compliance to ensure the protection of ePHI.
