On March 11, hackers linked to Iran's intelligence services stole a single administrator password at Stryker Corporation, the $25 billion medical device company. With that one credential, they logged into the software Stryker uses to manage its laptops, phones, and tablets, and hit "erase." Roughly 80,000 devices across dozens of countries went dark. No virus. No ransomware. Just a legitimate "wipe this device" button that any admin could press, used by someone who shouldn't have had access.
The real-world fallout hit fast. Surgeries delayed nationwide. Cardiac monitoring systems disconnected. Five thousand employees in Ireland sent home. Two weeks later, Stryker's still rebuilding.
That's a Fortune 200 company with world-class IT resources. And it got taken down by a stolen password.
On March 18, CISA (the federal government's cybersecurity agency) issued an urgent alert telling every organization to lock down these systems. Here's what you need to understand, even if you're not technical.
The Core Problem, in Plain Terms
Most companies use software to manage employee devices remotely: pushing updates, enforcing security settings, and yes, erasing lost or stolen devices. Microsoft Intune is the most common. Jamf and Workspace ONE are others. Think of it as a master control panel for every laptop and phone in your company.
The Stryker attackers didn't hack the software itself. They stole the password of someone who had the keys to that control panel, and that person's account had permission to do everything, including mass-erase every device at once.
No second person required to approve the command. No safety check. One account, one click, 80,000 bricks.
Five Questions to Ask Your Team Tomorrow
1. "How many people can wipe all our devices right now?" If the answer is more than zero people with unrestricted access, you've got the same gap Stryker had. Admin accounts should only control the specific devices they need to. A regional IT manager shouldn't have a button that erases the entire company.
2. "Do destructive actions require a second person to approve?" This is the single control that would've stopped the Stryker attack. These tools support a setting where erasing devices, running scripts, or changing security policies requires a second administrator to sign off. If yours isn't turned on, turn it on. Today.
3. "What kind of multi-factor authentication are our admins using?" If the answer is text messages or a phone app, it's not enough for accounts this powerful. CISA specifically recommends physical security keys (small USB devices) that can't be phished. An attacker can trick someone into entering a code from a text message. They can't remotely steal a physical key.
4. "If someone wiped all our devices tonight, how long until we're operational?" Stryker, with all its resources, is still recovering two weeks out. And here's a regulatory wrinkle worth knowing: the proposed HIPAA Security Rule update (expected May 2026) will require healthcare organizations to restore critical systems within 72 hours. Can you?
5. "Does our cyber insurance actually cover this?" This is the part that catches most executives off guard. Because these hackers are tied to the Iranian government, many cyber insurance policies won't pay. After the Merck v. Ace American court case, insurers rewrote their "act of war" exclusions to specifically address attacks by nation-state groups. Pull your policy and read the exclusion language before you need it.
Who Should Do What
- CEO/COO: Ask questions 1 through 4 at your next leadership meeting. If your team can't answer them confidently, that tells you everything you need to know.
- IT/Security Lead: Audit admin accounts this week. Restrict permissions, turn on multi-admin approval, and upgrade to phishing-resistant authentication for every privileged account.
- GC/CFO: Review your cyber insurance policy's war and terrorism exclusions. If you're a public company, note that Stryker filed a mandatory SEC disclosure (Form 8-K) within 36 hours. Your disclosure obligation starts the moment you determine an incident is material.
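For the IT/Security Lead's audit, questions 1 through 3 can be run as a script over a list of admin role assignments. This is an added example, not part of the original article and not any vendor's export format; the field names, action labels and sample accounts are constructed assumptions.

```python
# Added example. All records are constructed; the field names and labels are
# assumptions, not the export format of Intune, Jamf or Workspace ONE.
ADMINS = [
    {"account": "global-admin-1", "scope": "ALL", "mfa": "sms",
     "actions": {"wipe", "run_script", "edit_policy"}},
    {"account": "emea-helpdesk", "scope": "group:EMEA-laptops",
     "mfa": "security_key", "actions": {"wipe"}},
    {"account": "policy-editor", "scope": "ALL", "mfa": "authenticator_app",
     "actions": {"edit_policy"}},
    {"account": "readonly-audit", "scope": "ALL", "mfa": "sms",
     "actions": set()},
]
# Constructed tenant setting: actions that already need a second approver.
APPROVAL_REQUIRED = {"edit_policy"}

DESTRUCTIVE = {"wipe", "run_script", "edit_policy"}
PHISHING_RESISTANT = {"security_key"}


def audit(admins, approval_required):
    """Return (account, finding) pairs for questions 1 to 3."""
    findings = []
    for admin in admins:
        risky = admin["actions"] & DESTRUCTIVE
        if not risky:
            continue  # read-only roles cannot erase or reconfigure devices
        name = admin["account"]
        # Q1: can this account wipe every device, not just a scoped group?
        if "wipe" in risky and admin["scope"] == "ALL":
            findings.append((name, "unscoped-wipe"))
        # Q2: which destructive actions run without a second admin's sign-off?
        unapproved = sorted(risky - approval_required)
        if unapproved:
            findings.append((name, "no-second-approver:" + ",".join(unapproved)))
        # Q3: is the account protected by a phishable factor?
        if admin["mfa"] not in PHISHING_RESISTANT:
            findings.append((name, "phishable-mfa"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(ADMINS, APPROVAL_REQUIRED):
        print(f"{account}: {finding}")
```

An empty result means no account holds an unscoped wipe permission, every destructive action needs a second approver, and every privileged account uses a physical security key.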
The controls that would've prevented this aren't expensive or exotic. They're settings inside tools you already own. The question is whether anyone's turned them on.
---
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before making compliance decisions based on the developments discussed here.
If your company's device management controls haven't been reviewed since they were first set up, that's a conversation worth having with outside counsel who understands both the technical and regulatory exposure.