Lessons for Medical Technology Companies After Cyber Incident at Medical Device Manufacturer

By: Sari Heller Ratican, Ana Razmazma, Michael A. Sussmann

What You Need To Know

  • A recent cyber incident at a major medical device manufacturer underscores increasing cybersecurity risks and health privacy concerns for medical technology companies.
  • Even when medical devices themselves are not directly impacted, cyber events may disrupt manufacturing and supply chain operations and trigger heightened scrutiny from regulators, investors, boards, and the plaintiffs’ bar (including private class action litigation).
  • Medical technology companies should consider taking steps to assess and enhance their incident response, business continuity, cybersecurity governance, and monitoring programs to strengthen resilience and ensure compliance with evolving federal and state data protection obligations.

Recent reports of a cyber incident affecting Stryker, a global medical device manufacturer, highlight the growing cybersecurity risks for companies at the intersection of healthcare delivery, digital infrastructure, and connected medical technologies. The incident has also reportedly prompted a proposed class action lawsuit alleging that security failures led to the compromise of sensitive and personal health information, and seeking damages and injunctive relief, underscoring that breach-related risk may include private litigation as well as regulatory scrutiny.

While there is no indication thus far that medical devices or patient safety systems were compromised in this incident, significant health privacy concerns arise when medical technology companies experience any cyber incident, and meaningful operational disruption may ripple across healthcare supply chains. When attacks target enterprise systems rather than devices, disruptions may affect manufacturing operations, order processing, field service operations, and software updates.

What Does This Mean for Medical Technology Companies?

Cyber incidents involving medical technology companies often prompt broad scrutiny across the sector from regulators, investors, and boards. Particularly as medical devices become more connected and software-enabled, this scrutiny often concentrates on cybersecurity preparedness and operational resilience. Consistent with this focus, Food and Drug Administration guidance for cyber devices now emphasizes secure design, vulnerability management, patching, and documentation supporting ongoing resilience, while HIPAA-regulated entities and business associates remain subject to Security Rule safeguards for the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Therefore, medical technology companies should consider reviewing (at least annually) several areas of preparedness, and taking remedial measures when warranted, including their:

  • Incident response plans, to ensure they are current, tested, and capable of supporting timely investigation, containment, documentation, and escalation of security events, including assessment of whether an incident triggers obligations under HIPAA and other breach notification rules, the Federal Trade Commission Health Breach Notification Rule, FDA expectations for cyber devices, and applicable state breach and medical privacy laws
  • Business continuity plans, to ensure critical systems and connected devices can continue operating safely and securely during a cyber event, consistent with HIPAA Security Rule contingency planning requirements such as data backup, disaster recovery, and emergency mode operations, and with patient safety and care continuity expectations for products used in clinical environments
  • Cybersecurity governance and board oversight of risks particular to this sector, including oversight of legal exposure tied to regulated health information, device security, third-party service providers, and divergent state-law requirements where state health data privacy laws may be broader or more protective than HIPAA
  • Sufficiency of security monitoring and vulnerability management for all connected devices that can access sensitive health information, including mechanisms for detection, logging, coordinated vulnerability disclosure, patching, and risk remediation across the device lifecycle, especially where compromise could affect ePHI, consumer health data, or device functionality

Cyber threats targeting healthcare infrastructure continue to evolve, and companies operating within the medical device ecosystem are increasingly viewed as part of critical healthcare infrastructure. As a result, cybersecurity preparedness, and the ability to maintain operational resilience during an incident, will remain an important focus for industry stakeholders. From a privacy law perspective, preparedness may also reduce the risk of noncompliance with overlapping federal and state requirements, including HIPAA, the FTC Health Breach Notification Rule (applicable to certain non-HIPAA health data ecosystems), and state health data privacy and breach notification laws, which may impose separate or more stringent duties.