
Thompson InfoSec

The Real Cost of Delayed Incident Response

A devastating wiper attack on a medical device giant and Canada's 259-day breach reporting lag reveal what happens when incident response isn't ready.

Jonathan Thompson · March 9, 2026

Two stories from the past week paint a clear picture of what incident response failures look like at scale — and why preparation isn’t optional.

Stryker: 200,000+ Medical Devices Wiped Across 79 Countries

The Iran-linked Handala Group claimed responsibility for a devastating wiper attack against Stryker, one of the world’s largest medical device manufacturers. The attack reportedly affected over 200,000 medical devices across 79 countries, disrupting hospital operations globally.

This wasn’t a ransomware campaign where you might negotiate a decryption key. It was a wiper — designed to destroy, not extort. When a wiper hits, there’s no undo button. Your recovery depends entirely on what you prepared before the attack happened.

For healthcare organizations, the implications go beyond data loss. Compromised medical devices affect patient care. Recovery timelines measured in weeks or months translate directly to operational disruptions in clinical settings.

Canada’s 259-Day Breach Reporting Lag

In a separate but related story, analysis revealed that Canadian companies take an average of 259 days to report data breaches. That’s nearly nine months between discovering a breach and notifying the people affected.

259 days isn’t a notification delay — it’s a compliance failure. In those nine months, affected individuals can’t take protective action. Threat actors have time to exploit stolen data. And by the time notification arrives, the window for meaningful response has closed.

Regulations like PIPEDA, GDPR, and various US state laws exist precisely because timely notification matters. When organizations treat breach reporting as something to get around to eventually, they undermine the entire framework.

The Common Thread

Both stories share a root cause: organizations that weren’t prepared for the incidents they faced.

Stryker’s wiper attack exposed the consequences of insufficient recovery preparation for destructive attacks. Canada’s reporting delays exposed what happens when organizations lack mature incident response processes.

Neither situation is unusual. They’re just the ones that made headlines.

What Preparedness Actually Looks Like

Incident response plans that get tested. An IR plan that lives in a SharePoint folder isn’t a plan — it’s a document. Tabletop exercises, walkthrough simulations, and regular reviews are what turn a document into a capability. When did your team last practice responding to a destructive attack?

Backup and recovery that accounts for wipers. If your backup strategy assumes you’ll always have something to restore, you haven’t accounted for destructive attacks. Air-gapped backups, immutable storage, and tested recovery procedures are the minimum for environments where wipers are a realistic threat.

Notification processes built in advance. If you’re figuring out breach notification requirements during an active incident, you’re already behind. Map your regulatory obligations before an incident happens. Know who needs to be notified, in what timeframe, and through what channels.

Compliance as a program, not a project. Frameworks like ISO 27001 and SOC 2 exist to build ongoing security practices — including incident response and breach notification. Organizations that implement these frameworks meaningfully, rather than as audit-year exercises, are the ones that can respond in days rather than months.

The Takeaway

Incident response isn’t something you build during an incident. The organizations that recover quickly and notify appropriately are the ones that invested in preparation before the bad day arrived. The ones that didn’t are the ones making headlines for all the wrong reasons.

