Thousands of medical devices went dark at once. Not a power failure. Not a software glitch. A deliberate, coordinated cyberattack that remotely wiped Stryker hospital equipment across multiple facilities, exploiting weaknesses in Microsoft’s Intune mobile device management platform — and exposing how dangerously underprepared the healthcare sector remains when it comes to securing the very systems meant to manage its technology.
The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an urgent advisory this week calling on organizations to immediately harden their Microsoft Intune configurations after threat actors used the cloud-based management tool to mass-wipe Stryker devices deployed in clinical settings. The attack didn’t steal patient data, at least not as far as investigators have determined so far. It did something arguably more disruptive: it rendered critical hospital equipment unusable at scale, with implications that rippled through operating rooms, patient monitoring stations, and administrative workflows, as first reported by TechCrunch.
The attack vector was not some exotic zero-day exploit. It was misconfiguration — the kind of mundane, preventable oversight that security professionals have warned about for years. Intune, Microsoft’s endpoint management service, allows IT administrators to remotely manage devices, push software updates, enforce compliance policies, and yes, wipe devices clean. That last capability is a feature, not a bug. Organizations need the ability to remotely erase lost or stolen equipment. But when attackers gain administrative access to an Intune tenant, that same feature becomes a weapon.
And that’s exactly what happened.
According to CISA’s advisory and reporting from TechCrunch, the attackers obtained privileged credentials — likely through phishing, credential stuffing, or exploitation of weak authentication policies — and used those credentials to issue mass wipe commands to enrolled Stryker devices. The devices, which include surgical navigation systems, hospital bed platforms with integrated computing, and patient communication terminals, were effectively bricked. Recovery required hands-on intervention at each affected facility, a process that in some cases took days.
Stryker, the Kalamazoo, Michigan-based medical technology giant, has not publicly disclosed the full scope of the incident. The company’s product portfolio is enormous — it manufactures everything from joint replacement implants to surgical robotics to hospital infrastructure systems. Many of its connected devices run embedded operating systems that are managed through enterprise MDM platforms like Intune. A spokesperson for Stryker declined to comment on the number of facilities affected or the total device count, citing an ongoing investigation.
The healthcare sector’s vulnerability to this kind of attack is not theoretical. It’s historical. Hospitals have been among the most targeted institutions for ransomware operators over the past five years, with attacks on Universal Health Services in 2020, Scripps Health in 2021, and CommonSpirit Health in 2022 causing hundreds of millions of dollars in damages and, in some cases, directly endangering patients. But this incident represents something different. Rather than encrypting data and demanding ransom, the attackers chose destruction — wiping devices with no apparent financial motive, at least none that has surfaced publicly.
That distinction matters.
Ransomware attacks, for all their destructiveness, follow a logic that defenders understand: encrypt, extort, collect. The Stryker device wipes don’t fit that pattern. CISA’s advisory notably avoids attributing the attack to any specific threat group or nation-state, though several cybersecurity researchers tracking the incident on X have speculated about possible links to hacktivist groups or state-sponsored actors testing disruptive capabilities against healthcare infrastructure. None of those claims have been confirmed.
What has been confirmed is the mechanism. Microsoft Intune, part of the broader Microsoft Endpoint Manager platform, is used by tens of thousands of organizations worldwide to manage mobile devices, desktops, and increasingly, IoT and specialized equipment like medical devices. Its cloud-native architecture makes it powerful and flexible. It also means that a compromised administrator account can issue commands to every enrolled device from anywhere in the world, with no need to be on the organization’s local network.
CISA’s guidance is blunt. The agency recommends that all organizations using Intune immediately audit their tenant configurations, enforce multi-factor authentication on all administrative accounts without exception, implement conditional access policies that restrict management actions to known and trusted locations, and enable logging and alerting for bulk device actions — particularly remote wipes. The agency also recommends segmenting device management responsibilities so that no single account has the ability to wipe all enrolled devices simultaneously.
That last recommendation gets at the heart of the problem. In many organizations, especially in healthcare where IT departments are chronically understaffed and underfunded, Intune tenants are configured with a small number of highly privileged accounts that can do essentially anything. There’s no separation of duties. No break-glass procedures. No anomaly detection on administrative actions. It’s the cybersecurity equivalent of giving every janitor in a building a master key and the launch codes.
Microsoft, for its part, has published updated security baselines for Intune and pointed organizations toward its existing documentation on securing administrative roles. A Microsoft spokesperson said the company is “working closely with affected customers and CISA to understand the attack and help organizations strengthen their defenses.” The company emphasized that Intune’s security features, including role-based access control, conditional access, and audit logging, are available to all customers but must be properly configured.
Properly configured. That phrase does a lot of heavy lifting.
The reality is that configuration drift and default-insecure setups plague enterprise IT. A 2025 report from the Cloud Security Alliance found that 63% of organizations using cloud-based device management platforms had at least one critical misconfiguration in their administrative access controls. In healthcare specifically, the problem is compounded by the sheer diversity of devices that need to be managed — from nurses’ tablets to infusion pumps to surgical robots — each with different security requirements and update cycles.
Stryker’s devices are a case in point. The company’s connected hospital beds, for example, run software that integrates with nurse call systems, patient entertainment, and electronic health records. Their surgical navigation platforms are used in real-time during orthopedic and neurosurgical procedures. Wiping these devices doesn’t just create an IT inconvenience. It can halt surgeries. It can force patient transfers. It can, in the worst case, put lives at risk.
Several hospital systems affected by the wipes have begun exploring legal action, according to people familiar with the matter, though it remains unclear whether claims would be directed at the attackers (if identified), at Stryker for potential security shortcomings in its device management approach, or at their own IT service providers for failing to secure the Intune environment. The legal questions are thorny. Responsibility for cloud security is shared between the platform provider, the device manufacturer, and the end-user organization — a model that works well in theory but often creates gaps in practice.
The incident has also reignited debate about the FDA’s role in medical device cybersecurity. The agency’s 2023 guidance, which requires manufacturers to submit cybersecurity plans as part of premarket device submissions, was widely seen as a step forward. But critics argue it doesn’t go far enough in addressing post-market security — the ongoing management and patching of devices after they’ve been deployed in clinical environments. A device can ship with excellent security and still be compromised if the enterprise management infrastructure around it is weak.
“The device is only as secure as the environment it lives in,” said one cybersecurity researcher who has worked with multiple hospital systems on Intune deployments and spoke on condition of anonymity because they were not authorized to discuss specific clients. “You can harden the endpoint all you want. If someone owns your MDM, they own every device enrolled in it.”
So where does this leave hospitals? In the short term, scrambling. CISA’s advisory has triggered a wave of emergency audits across the healthcare sector, with IT teams pulling weekend shifts to review Intune configurations, rotate credentials, and implement the agency’s recommended controls. Several large health systems have temporarily disabled remote wipe capabilities entirely, accepting the risk of not being able to erase lost devices in exchange for eliminating the risk of a mass wipe attack.
In the longer term, the incident is likely to accelerate several trends already underway. Expect more hospitals to adopt zero-trust architectures that treat every access request — even from internal administrators — as potentially hostile. Expect increased demand for third-party monitoring tools that can detect anomalous bulk actions in MDM platforms before they execute. And expect regulators, both at CISA and the FDA, to tighten requirements around the security of device management infrastructure, not just the devices themselves.
The irony of the Stryker wipes is hard to miss. Intune exists to make device management safer and more efficient. Remote wipe is a security feature designed to protect organizations from data breaches when devices fall into the wrong hands. But security features, when poorly governed, become attack surfaces. The tool meant to protect became the tool used to destroy.
That’s not a new lesson. But it’s one the healthcare industry is learning the hard way, again, at a cost measured not just in dollars but in disrupted patient care. The attackers didn’t need to be sophisticated. They just needed one set of credentials and an organization that hadn’t locked its doors.
CISA’s full advisory is available on the agency’s website. Microsoft’s updated Intune security baselines can be found in the Microsoft Learn documentation. For healthcare organizations still running default Intune configurations, the time to act was yesterday. Today will have to do.


WebProNews is an iEntry Publication