When a $25 billion company gets hit, it makes the news. When a three-physician orthopedic practice gets hit, it usually doesn’t. It just closes.
That’s the part of the healthcare cybersecurity story that keeps getting buried under headlines about enterprise breaches. Stryker Corporation — surgical robots, global manufacturing, 50,000 employees — woke up on March 11, 2026, to find that an Iran-linked hacker group had factory-reset devices across 79 countries using Stryker’s own IT management tools. Manufacturing halted. Shipping stopped. A cardiac transmission system used by paramedics in Maryland went offline, forcing EMTs back to radio calls for patient data.
The entry point was one compromised admin account with no multi-factor authentication protecting it.
If that’s what a single exposed account costs a company with the resources of Stryker, consider what it costs a 12-person medical practice with one part-time IT contractor and a firewall that hasn’t been updated since 2021.
What Actually Happened to Stryker
Before drawing lessons, it’s worth understanding the attack itself, because it was unusual in ways that matter for every healthcare organization.
Handala, the threat actor responsible, is an Iran-linked hacktivist group assessed by Palo Alto Networks as operating under Iran’s Ministry of Intelligence and Security. This was not a financially motivated ransomware attack. It was a wiper attack, designed to destroy rather than extort.
The attackers compromised a Global Admin account in Microsoft Entra ID, likely through credential phishing. From there, they accessed Microsoft Intune, Stryker’s Mobile Device Management platform, and issued remote-wipe commands to every enrolled device. Because those commands came from trusted infrastructure, endpoint detection tools had nothing to flag. The attack turned Stryker’s own management systems into weapons.
Stryker had also suffered a separate data breach between May and June 2024, in which an unauthorized third party accessed internal systems and exfiltrated patient data including names, dates of birth, and medical information related to joint replacement procedures. Stryker discovered the intrusion on June 10, 2024, but didn’t begin notifying affected individuals until October 31, nearly five months later.
Whether the 2024 breach provided initial access that was later leveraged in the 2026 attack remains unconfirmed. But the timeline raises a question every healthcare organization should ask: if something was compromised in your environment six months ago, would you know?
Why Small Practices Are More Exposed, Not Less
The instinct in smaller healthcare organizations is to assume that size provides a kind of protection. The thinking goes: why would sophisticated attackers bother with a dermatology group in Fort Lauderdale when they can go after a hospital system?
That instinct is dangerously wrong, for two reasons.
First, small practices aren’t chosen despite their size. They’re chosen because of it. Attackers are rational actors optimizing for return on effort. A small medical practice with aging infrastructure, no dedicated security staff, and a single IT generalist handling everything from printer repair to HIPAA compliance is a far easier target than a health system with a 40-person security team. The FBI counted 444 confirmed healthcare cyber incidents in 2024, the highest total for any U.S. critical infrastructure sector. HHS logged 742 large breaches affecting 276 million Americans. Many of those breaches trace back to organizations that assumed they weren’t worth targeting.
Second, small practices aren’t just targeted directly. They’re increasingly targeted as entry points into larger organizations.
The Supply Chain Problem Nobody Talks About
This is the dynamic that rarely gets adequate attention in healthcare cybersecurity coverage.
Medical practices don’t operate in isolation. They share data connections with hospitals, health systems, insurance networks, billing clearinghouses, labs, and imaging centers. Every one of those connections is a potential attack path in both directions.
Business associates accounted for 67% of all compromised healthcare records in 2024. Professional services compromises rose 162% over five years. When attackers can’t get through the front door of a large health system, they look for a vendor, a referring practice, or a billing partner with weaker defenses and a trusted data connection to the target.
The Change Healthcare breach of February 2024 is the most catastrophic example to date. ALPHV/BlackCat ransomware operators gained access through a Citrix remote-access portal that lacked multi-factor authentication. They spent nine days moving laterally through the network before detonating ransomware that disrupted claims processing for 192.7 million people, the largest healthcare breach in American history.
The downstream effects on small practices were severe and immediate. An American Medical Association survey found 94% of practices reported financial impact. Thirty-three percent saw disruption to more than half their revenue. Practices with thin margins resorted to home equity loans, personal credit cards, and retirement savings to stay operational while their billing infrastructure was dark.
American Vision Partners, a centralized management company serving affiliated ophthalmology practices, was breached, and the attackers exposed the records of 2.35 million patients across multiple practices in a single operation. The practices themselves may have had adequate local security. It didn’t matter.
The IBM 2025 Cost of a Data Breach Report now ranks supply chain compromise as the second most common initial access vector in breaches, trailing only phishing.
Your practice is connected to a healthcare ecosystem. Your security posture affects every organization in that ecosystem, and theirs affects yours.
The Resource Gap Is Structural
Understanding why small practices are vulnerable requires looking honestly at the resource constraints they operate under.
The average healthcare organization allocates between 4% and 7% of its IT budget to cybersecurity. At small and rural practices, that percentage is often lower, and the absolute dollar figure is almost always insufficient for the threat environment. Only 14% of healthcare IT security teams report being fully staffed. Fifty-three percent of organizations report lacking in-house cybersecurity expertise entirely.
The global cybersecurity talent shortage exceeds 4 million professionals. Small practices compete for those professionals against banks, defense contractors, and technology companies that can offer two to three times the compensation. The result is that most small practices rely on a generalist, if they have anyone at all.
Legacy systems compound the problem. Medical devices average six known vulnerabilities each, and at least 60% are at end of life with no ongoing vendor security support. Roughly 20% of healthcare organizations still lack multi-factor authentication, the exact control whose absence enabled both the Change Healthcare attack and the Stryker breach.
The consequence is predictable. Healthcare is the industry most susceptible to phishing attacks, according to KnowBe4. Sixty-one percent of healthcare data breaches trace back to employee error. Average detection time in healthcare is 89 days, meaning a breach that starts today may not be discovered until nearly three months from now.
What a Breach Actually Costs a Small Practice
The financial exposure is existential for small organizations.
The average data breach cost for a small medical practice is $2.1 million. Healthcare has been the most expensive industry for data breaches for 14 consecutive years, according to IBM and Ponemon Institute research. The average across all healthcare organizations reached $9.77 million in 2024, declining modestly to $7.42 million in 2025, but still nearly double the cross-industry average.
Forty-one percent of small healthcare organizations carry no cyber insurance. For those that do, coverage limits often fall far short of actual recovery costs. And recovery itself is slow: only 22% of healthcare organizations hit by ransomware fully recover within a week, down from 47% the prior year.
Some practices never recover at all. Alpha Medical Centre and Wellness in Georgia permanently closed following a RansomHub ransomware attack. Pinehurst Radiology in North Carolina closed after a January 2025 cyber incident. Wood Ranch Medical in California shut down entirely after ransomware destroyed patient records that couldn’t be restored.
Beyond the direct financial damage, there are HIPAA enforcement penalties to consider. OCR penalty enforcement increased 340% in 2024 and 2025. Willful neglect violations now account for 67% of all financial penalties, and small organizations represented 55% of HIPAA enforcement actions in recent years.
The medical record itself is part of what makes healthcare such an attractive target. A complete patient record sells for $260 to $310 on the dark web, roughly ten times the value of a stolen credit card. Full packages including insurance information, Social Security numbers, and prescription history can fetch $1,200 per record. Patient data doesn’t expire, can’t be easily cancelled, and can be used to commit insurance fraud, prescription fraud, and identity theft simultaneously.
The Regulatory Environment Is About to Get Harder
On top of the threat landscape, small practices are about to face significantly more demanding compliance requirements.
In December 2024, HHS OCR issued a Notice of Proposed Rulemaking proposing the most significant update to the HIPAA Security Rule since 2013. The proposed changes would:
– Eliminate the distinction between “required” and “addressable” implementation specifications, making all of them mandatory
– Require multi-factor authentication for all systems accessing electronic protected health information
– Mandate encryption of ePHI at rest and in transit
– Require network segmentation, semiannual vulnerability scans, and annual penetration testing
– Require business associates to annually certify compliance with technical safeguards
– Establish a 72-hour disaster recovery capability requirement
HHS estimated first-year compliance costs at $4.655 billion across regulated entities. The comment period closed in March 2025 with over 4,000 responses, many from smaller organizations raising concerns about implementation cost. The final disposition of the rule remains uncertain, but the direction is not: voluntary, self-assessed compliance is being replaced by enforceable mandates. Organizations that aren’t already building toward these standards will find themselves both exposed to attacks and exposed to penalties.
The Threat Landscape Is Fragmenting
One more dimension of the current environment deserves attention.
Following law enforcement operations against LockBit and ALPHV/BlackCat in 2024, the ransomware ecosystem didn’t contract. It fragmented. Affiliates scattered across dozens of newer, less predictable groups. RansomHub, which emerged to fill the vacuum, conducted an estimated 534 attacks in 2024 before abruptly ceasing operations in April 2025. By mid-2025, 85 distinct ransomware groups were active, a record high, with 45 newly observed groups entering the ecosystem within a single year.
The Stryker attack added a new variable: nation-state actors using destructive wiper attacks against healthcare targets for geopolitical rather than financial reasons. Handala’s objective was not to collect a ransom. It was to destroy operational capacity and generate propaganda. That type of threat cannot be mitigated by paying a ransom or negotiating with attackers. It can only be mitigated by building defenses that prevent access in the first place.
What Actually Stops These Attacks
The Stryker breach, the Change Healthcare breach, and the majority of attacks targeting small practices share a common thread: they exploited basic security failures that are well understood and preventable.
Multi-factor authentication. The absence of MFA on a single admin account gave attackers full control of Stryker’s device management infrastructure. MFA on every privileged account is the single highest-return security control available.
Endpoint detection and response. An EDR solution that monitors for behavioral anomalies rather than just known malware signatures would have flagged the mass device-wipe commands originating from Intune before they executed. Basic antivirus doesn’t catch this. EDR does.
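The behavioral signal described above, a single account issuing device-wipe commands at a rate no human administrator would, can be expressed as a simple detection rule over MDM audit events. The block below is an added example written for this article, not code from Stryker, Microsoft or WheelHouse IT. The audit records are constructed in a simplified JSON-lines shape (`time`, `actor`, `action`, `device`); real Intune audit events carry different field names and would need to be mapped into this shape first. The ten-minute window, the five-event threshold and the set of actions treated as destructive are assumptions a practitioner would tune to their own environment.

```python
"""Flag bursts of destructive MDM actions issued by one account.

Added example: a sliding-window detection over constructed audit events.
Field names, thresholds and the DESTRUCTIVE_ACTIONS set are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: actions that remove a device from service. Map your MDM's own
# action names onto this set before running against real logs.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}

# CONSTRUCTED sample log (JSON lines, UTC timestamps). One admin account issues
# six wipes in under a minute; a helpdesk user wipes one lost laptop a day earlier.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2026-03-09T10:00:00Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-old"},
    {"time": "2026-03-10T14:02:00Z", "actor": "helpdesk@example.test", "action": "Wipe", "device": "dev-lost"},
    {"time": "2026-03-10T15:30:00Z", "actor": "helpdesk@example.test", "action": "Retire", "device": "dev-swap"},
    {"time": "2026-03-11T01:55:00Z", "actor": "globaladmin@example.test", "action": "SyncDevice", "device": "dev-001"},
    {"time": "2026-03-11T02:00:05Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-001"},
    {"time": "2026-03-11T02:00:09Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-002"},
    {"time": "2026-03-11T02:00:14Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-003"},
    {"time": "2026-03-11T02:00:20Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-004"},
    {"time": "2026-03-11T02:00:31Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-005"},
    {"time": "2026-03-11T02:00:44Z", "actor": "globaladmin@example.test", "action": "Wipe", "device": "dev-006"},
])


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime in 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        # fromisoformat() on older Pythons does not accept a trailing 'Z'.
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose destructive actions exceed `threshold`
    inside any `window`-long span. Each alert reports the densest such span."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append((e["time"], e["device"]))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()  # chronological; tuples sort by time first
        start = 0
        best = None
        for end in range(len(items)):
            # Slide the left edge until the span fits inside the window.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "window_start": items[start][0],
                    "window_end": items[end][0],
                    "devices": [d for _, d in items[start:end + 1]],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_wipe_bursts(parse_events(SAMPLE_AUDIT_LOG)):
        span = (a["window_end"] - a["window_start"]).total_seconds()
        print(f"ALERT {a['actor']}: {a['count']} destructive actions in {span:.0f}s "
              f"on {', '.join(a['devices'])}")
```

Run against the constructed log, the rule raises exactly one alert, for the admin account's six wipes within 39 seconds, and stays silent on the helpdesk user's two routine actions and on the same admin's single wipe two days earlier. In practice this logic belongs in the SIEM that ingests the MDM audit feed, with the window and threshold set against the practice's normal wipe volume.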
Privileged access management. The Stryker attackers needed only one compromised account because that account had global administrative permissions. Least-privilege access policies — where users and service accounts have only the permissions they need for their specific role — dramatically reduce the blast radius of any single compromise.
Regular access reviews. Accounts that accumulate permissions over time, former employees whose access wasn’t fully revoked, service accounts with excessive privileges — these are standard findings in post-breach investigations. Regular access reviews catch them before attackers do.
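The three controls above (MFA on privileged accounts, least privilege, and periodic access reviews) can be checked together from a directory export. The block below is an added example, not WheelHouse IT's tooling or any vendor's API: it reads a constructed CSV with the columns a review would need (`upn`, `roles`, `mfa_registered`, `account_enabled`, `employment_status`, `last_sign_in`) and reports the findings the paragraph lists. The privileged-role names, the 90-day staleness cutoff and the review date are assumptions; a real review would populate the CSV from the identity provider's own export.

```python
"""Access-review checks over a constructed directory export.

Added example. Column names, role names, the 90-day cutoff and the sample
accounts are assumptions; the CSV is constructed, not real data.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumption: roles that count as privileged for review purposes.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}
STALE_AFTER = timedelta(days=90)   # assumption: no sign-in in 90 days is stale
REVIEW_DATE = "2026-03-12T00:00:00Z"  # constructed review date

# CONSTRUCTED directory export. Roles are ';'-separated; dates are UTC ISO 8601.
SAMPLE_EXPORT = """\
upn,display_name,roles,mfa_registered,account_enabled,employment_status,last_sign_in
dr.patel@example.test,Dr. A. Patel,,true,true,active,2026-03-10T08:15:00Z
it.admin@example.test,IT Admin,Global Administrator;Intune Administrator,false,true,active,2026-03-11T01:58:00Z
j.doe@example.test,J. Doe,,true,true,terminated,2026-01-05T17:20:00Z
svc-backup@example.test,Backup Service,Global Administrator,false,true,service,2025-11-20T03:00:00Z
former.cio@example.test,Former CIO,Global Administrator,true,true,active,2025-10-01T09:00:00Z
billing@example.test,Billing Clerk,,true,true,active,2026-03-09T12:00:00Z
"""


def _parse_time(value):
    # fromisoformat() on older Pythons does not accept a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_accounts(csv_text, now_iso=REVIEW_DATE):
    """Return a list of (upn, finding_code) pairs for every account that fails
    one of the review checks. An account can produce several findings."""
    now = _parse_time(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["upn"]
        roles = {r for r in row["roles"].split(";") if r}
        privileged = bool(roles & PRIVILEGED_ROLES)
        mfa = row["mfa_registered"].strip().lower() == "true"
        enabled = row["account_enabled"].strip().lower() == "true"
        status = row["employment_status"].strip().lower()
        last_sign_in = _parse_time(row["last_sign_in"])

        # The Stryker failure mode: a privileged account with no second factor.
        if privileged and not mfa:
            findings.append((upn, "PRIVILEGED_NO_MFA"))
        # Former employee whose access was never revoked.
        if enabled and status == "terminated":
            findings.append((upn, "TERMINATED_STILL_ENABLED"))
        # Service account holding the tenant's highest role.
        if status == "service" and "Global Administrator" in roles:
            findings.append((upn, "SERVICE_ACCOUNT_GLOBAL_ADMIN"))
        # Privileged account nobody has used in a long time.
        if privileged and now - last_sign_in > STALE_AFTER:
            findings.append((upn, "STALE_PRIVILEGED"))
    return findings


def summarize(findings):
    """Count findings per code, for the review's summary line."""
    counts = {}
    for _, code in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(SAMPLE_EXPORT)
    for upn, code in results:
        print(f"{code:28} {upn}")
    print(summarize(results))
```

On the constructed export the review flags the IT admin and the backup service account for holding Global Administrator without MFA, the terminated user whose account is still enabled, the service account that should never hold a tenant-wide role, and two privileged accounts with no sign-in in more than 90 days. Each finding maps to a concrete remediation (enforce MFA, disable, demote, or remove the role), which is the point of running the review on a schedule rather than after an incident.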
Network segmentation. Separating clinical systems from administrative systems, and both from internet-facing infrastructure, limits lateral movement after an initial compromise. The Change Healthcare attackers spent nine days moving through the network. Better segmentation would have contained them.
Tested incident response. Knowing what to do in the first hour of a breach dramatically reduces recovery time and total cost. Most small practices have never run a tabletop exercise and have no documented response plan.
None of this is exotic. It’s foundational. The gap between what most small practices have and what these attacks require to succeed is not technical complexity. It’s prioritization.
What WheelHouse IT Does Differently for Healthcare Organizations
Healthcare organizations we work with get the security posture of an enterprise at a cost structure that works for a 20-to-250-person practice.
Our internal Security Operations Center monitors client environments around the clock. We don’t outsource this to an overseas call center. Our NOC and SOC are staffed internally, which means faster response times and institutional knowledge of each client’s environment. Our five-year record of zero ransomware payments reflects what that posture produces in practice.
We deploy CrowdStrike EDR and Huntress across client environments, two complementary layers of endpoint detection that catch behavioral anomalies that signature-based tools miss. We enforce MFA, manage privileged access, and conduct regular access reviews as part of standard service delivery.
For healthcare clients specifically, we hold six HIPAA-certified professionals on staff and bring compliance management into the same conversation as day-to-day IT support, because in a regulated environment, those two things aren’t separate. Our SOC 2 Type I certification documents our own security controls at an independent, audited level.
Our platform gives healthcare administrators real-time visibility into their environment — open tickets, security status, device health, and compliance posture — without requiring them to ask their IT provider for a status update. That visibility matters when an incident is unfolding and decisions need to be made quickly.
We work on a month-to-month basis. No long-term contracts. If we’re not delivering, you’re not locked in. That’s not a marketing claim. It’s how we’ve operated for over a decade, and it’s why clients stay.
The Right Question to Ask
The Stryker breach will be studied in security programs for years. The scale of the operation, the sophistication of the attack vector, the geopolitical dimension all make it unusual.
But the fundamental failure at its center — one unprotected admin account — is ordinary. It happens every day in organizations of every size.
The question for every medical practice, specialty group, and healthcare administrator reading this is not whether you’re a target. The data is clear that you are. The question is whether your current security posture would contain the damage when an attacker gets in.
If you’re not sure of the answer, that’s worth finding out. WheelHouse IT offers network risk assessments that show you exactly where you stand, no commitment required.
The cost of finding out is zero. The cost of finding out after a breach is considerably higher.
WheelHouse IT is a managed IT services provider serving healthcare, legal, financial services, and professional services organizations across South Florida, New York, and Los Angeles. Learn more at wheelhouseit.com.