On March 11, 2026, Stryker, one of the world’s largest medical technology companies supplying surgical equipment and devices to hospitals across the globe, was disrupted by a cyberattack affecting operations worldwide.
This was not a data breach. Stryker’s attack disrupted the operational continuity of a company whose devices are used in operating rooms, ICUs, and emergency departments every hour of every day. And Stryker is not an isolated case. By 2026, 22% of healthcare organizations have experienced cyberattacks that directly impacted medical devices, and 75% of those incidents disrupted patient care. In 24% of medical device attack cases, patients required transfer to other facilities.
Former FBI officials have proposed terrorist designations for ransomware hackers targeting hospitals, reflecting the recognized severity: when medical devices go offline, patients can die. The Internet of Medical Things (IoMT) is no longer just an IT problem. It is a critical care problem.
What Is IoMT Security and Why Is It Different from Standard Healthcare IT Security?
IoMT (Internet of Medical Things) security refers to the protection of network-connected medical devices: infusion pumps, patient monitors, imaging systems, surgical robots, ventilators, diagnostic equipment, and the thousands of other connected devices deployed across modern hospital environments.
IoMT security differs fundamentally from standard healthcare IT security in three ways:
- Devices cannot be patched on a normal cycle. Medical device firmware updates require FDA clearance or CE marking in most jurisdictions. A vulnerability disclosed today may not have a patch available for 12 to 18 months.
- Agents cannot be installed. Most medical devices run proprietary operating systems that cannot accept security agent software. Standard EDR deployment is impossible.
- Device failure directly harms patients. Unlike an email server outage, a compromised ventilator or infusion pump creates an immediate clinical risk.
By 2026, smart hospitals deploy more than 7 million IoMT devices globally, double the level from 2021.
What the Stryker Attack Reveals About Medical Technology Vulnerability
The March 11, 2026 attack on Stryker demonstrates that the vulnerability extends beyond individual hospital networks to the medical technology supply chain. A cyberattack that disrupts Stryker’s operations can simultaneously affect:
- Supply chain continuity for hospital procurement teams
- Software update distribution for connected Stryker devices already deployed in hospitals
- Remote monitoring and diagnostics capabilities for equipment under service contracts
- Customer support and technical assistance for clinical staff
The Scale of the IoMT Security Crisis in 2026
By the Numbers
- 7 million+ IoMT devices deployed in smart hospitals globally (double 2021 levels)
- 22% of healthcare organizations experienced cyberattacks directly impacting medical devices
- 75% of medical device attacks disrupted patient care
- 24% of medical device attacks required patient transfers to other facilities
- $10.9 million average cost of a hospital ransomware attack (downtime, recovery, regulatory fines)
- 276 million health records breached in 2024 alone
How Peris.ai Addresses IoMT Cybersecurity
Agentless Medical Device Monitoring with NVM
Because agents cannot be installed on medical devices, the detection layer must be network-based. Peris.ai’s NVM (Network Visibility Monitor) performs passive packet-level inspection of medical device network traffic without requiring any software installation on the devices themselves and without affecting device operation.
NVM establishes behavioral baselines for each device type: the normal communication patterns of an infusion pump differ from those of a patient monitor. Deviations from baseline, including unexpected outbound connections, unusual authentication attempts, and command-and-control traffic patterns, trigger alerts without disrupting device function.
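A small sketch of per-device-type baselining over passively collected flow records, added here as an illustration; it is not Peris.ai's NVM implementation. The inventory, addresses, ports, flow records and the `10.0.0.0/8` internal range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Constructed inventory: device IP -> device type.
INVENTORY = {"10.20.1.11": "infusion_pump", "10.20.1.12": "infusion_pump",
             "10.20.2.21": "patient_monitor"}
# Constructed flow records (src, dst, dst_port) from a learning window.
BASELINE_FLOWS = [
    ("10.20.1.11", "10.20.0.5", 443),    # pump -> dose-management server
    ("10.20.0.5", "10.20.1.11", 8443),   # management server -> pump
    ("10.20.2.21", "10.20.0.9", 2575),   # monitor -> HL7 gateway
]
# Constructed live traffic to evaluate against the baseline.
LIVE_FLOWS = [
    ("10.20.1.12", "10.20.0.5", 443),     # matches the pump baseline
    ("10.20.1.11", "203.0.113.50", 443),  # pump -> host outside the hospital
    ("10.10.4.77", "10.20.1.12", 22),     # IT workstation -> pump
    ("10.20.2.21", "10.20.0.5", 443),     # normal for pumps, new for monitors
]

def behaviours(flow):
    """Yield (device_ip, device_type, (direction, peer, port)) per inventoried endpoint."""
    src, dst, port = flow
    if src in INVENTORY:
        yield src, INVENTORY[src], ("out", dst, port)
    if dst in INVENTORY:
        yield dst, INVENTORY[dst], ("in", src, port)

def build_baseline(flows):
    """Learn the set of observed behaviours for each device type."""
    baseline = defaultdict(set)
    for flow in flows:
        for _, dtype, behaviour in behaviours(flow):
            baseline[dtype].add(behaviour)
    return dict(baseline)

def detect(flows, baseline):
    """Return one alert per behaviour that the device's type has never shown."""
    alerts = []
    for flow in flows:
        for ip, dtype, (direction, peer, port) in behaviours(flow):
            if (direction, peer, port) in baseline.get(dtype, set()):
                continue
            outside = ipaddress.ip_address(peer) not in HOSPITAL_NET
            reason = "peer outside hospital network" if outside else "peer/port not in type baseline"
            alerts.append(dict(device=ip, type=dtype, direction=direction,
                               peer=peer, port=port, reason=reason))
    return alerts
```

Because the baseline is keyed by device type rather than by individual device, a pump that was silent during the learning window is still judged against what other pumps normally do.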
Cross-Network Threat Detection with XDR
Peris.ai’s XDR platform correlates signals from NVM (medical device network), EDR (clinical IT endpoints), and cloud environments into a unified detection view.
Automated Clinical Isolation with BrahmaFusion
BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, enables automated response playbooks specifically designed to isolate compromised devices without disrupting clinical workflows. When NVM detects anomalous communication from a medical device, a BrahmaFusion playbook can:
- Isolate the affected device’s network access at the switch level without powering down the device
- Alert clinical biomedical engineering and the security team simultaneously
- Trigger a structured incident response workflow via Peris.ai IRP
- Preserve all network traffic captures for forensic investigation
Healthcare-Specific Threat Intelligence with INDRA CTI
INDRA CTI provides healthcare sector-specific threat intelligence: ransomware group tactics targeting medical devices, active campaign IOCs for healthcare-focused threat actors, and vulnerability intelligence for common medical device platforms and operating systems.
Real-World Scenario: A Ransomware Attack on Hospital IoMT
A regional hospital system with 2,400 connected medical devices across three facilities:
- An attacker gains initial access through a phishing email to a hospital IT administrator
- They move laterally through the hospital IT network to reach the medical device VLAN, which lacks proper segmentation
- An infusion pump with a known unpatched CVE is exploited as a pivot point into the medical device network
- Ransomware is deployed targeting the device management server and clinical data systems simultaneously
- 40 infusion pumps require manual operation; two ICU patients require transfer to another facility
- Total incident cost: $12.4 million over 8 weeks of recovery
With Peris.ai: NVM detects the lateral movement into the medical device VLAN. BrahmaFusion isolates the compromised VLAN segment while preserving device function. The infusion pump CVE exploitation is flagged before the pivot occurs. INDRA CTI confirms the attacker’s infrastructure matches a known ransomware group’s healthcare campaign.
Healthcare IoMT Security Priorities
| Priority | Action | Peris.ai Capability |
| --- | --- | --- |
| 1 | Deploy agentless network monitoring for all IoMT | NVM passive packet inspection |
| 2 | Segment medical device network from general IT | NVM-identified boundary enforcement via BrahmaFusion |
| 3 | Inventory all IoMT devices with firmware versions | BimaRed asset discovery |
| 4 | Monitor for healthcare-specific threat actor activity | INDRA CTI |
| 5 | Test network pivot paths into medical device VLANs | Pandava penetration testing |
Conclusion
The Stryker cyberattack and the data from 2026 make one thing clear: IoMT security is no longer a future concern. With 22% of healthcare organizations already experiencing attacks that directly impact medical devices and 24% of those incidents forcing patient transfers, the question is not whether your hospital will face an IoMT security incident, but whether you will detect it before it reaches patients.
Peris.ai’s healthcare security stack, built around agentless NVM monitoring, cross-network XDR detection, and clinically aware BrahmaFusion automated response, provides the coverage that standard IT security tools cannot deliver in medical device environments.
Don’t wait for a breach to take action. Secure your organization today. Stay Secure with Peris.ai.
Frequently Asked Questions
What is IoMT cybersecurity?
IoMT (Internet of Medical Things) cybersecurity refers to the protection of network-connected medical devices including infusion pumps, patient monitors, imaging systems, surgical equipment, and diagnostic devices against cyberattacks that could disrupt clinical operations or compromise patient safety.
What happened in the Stryker cyberattack in 2026?
On March 11, 2026, Stryker, one of the world’s largest medical technology companies, was disrupted by a cyberattack affecting its global operations, including supply chain, software update distribution, and technical support capabilities for its connected medical devices.
Why are medical devices difficult to secure against cyberattacks?
Medical devices are difficult to secure because they typically run proprietary operating systems that cannot accept security agents, require regulatory approval for firmware updates (which creates long patch cycles), and cannot be taken offline without clinical risk to patients.
How common are cyberattacks on medical devices?
As of 2026, 22% of healthcare organizations have experienced cyberattacks that directly impacted medical devices. Of those, 75% disrupted patient care and 24% required patient transfers to other facilities.
What is the best way to monitor medical device security without disrupting clinical operations?
Passive, agentless network monitoring (such as NVM) is the recommended approach. It inspects medical device network traffic at the packet level without installing any software on devices and without causing any operational impact.
