Health care cyberattacks expose a critical national security failure

Everything we know about keeping people alive under pressure we learned from war. Triage was invented on a Napoleonic battlefield. Tourniquets, hemostatic dressings, damage control resuscitation, the golden hour itself. Military surgeons figured out how to stop bleeding and move casualties while the ground was still shaking, and civilian medicine inherited every lesson. The emergency department and the battlefield have always been adjacent theaters, running the same protocols under different ceilings. The training pipeline flows in both directions. Military nurses rotate into civilian trauma centers. Civilian nurses deploy to combat support hospitals. They share a workforce, a knowledge base, and a supply chain. Something changed on February 28, 2026. The adjacent theaters converged. The United States went to war with Iran, and within two weeks, an Iranian hacking group attacked a company that supplies cardiac monitors, among other things, to American hospitals from the Bay to the Persian Gulf. The battlefield did not come to the hospital as a metaphor. It arrived as a cyberattack on the equipment we use to keep people alive. If you work in a hospital, you have felt the system cracking. The stretcher in the hallway that used to be an anomaly and is now a permanent fixture. The call light that rings until someone falls because there is no one to answer it. The position that was posted for nine months and never filled, and then just went away. I want to name the thing you have been feeling. This is a national security failure that is now being exploited by our adversaries.

The attack

On March 11, an Iran-linked hacking group called Handala Team conducted a wiper attack against Stryker Corporation. You know Stryker. Lifepak monitors. The cardiac monitors on every ambulance I have ever worked with and in almost every emergency department I have ever staffed. A wiper attack does not encrypt data for ransom. It destroys it. Stryker confirmed a disruption in their global communications network took place. Maryland’s EMS agency notified hospitals statewide that their Lifenet ECG transmission network had gone down. Paramedics could not transmit 12-lead ECGs to STEMI receiving hospitals. The most vital link in the chain of survival severed from the other side of the world. Think about what that means clinically. A STEMI patient in the back of an ambulance, 15 minutes out. The difference between a pre-activated cath lab: reperfusion or death. For residents of Maryland, the Lifenet system they did not know they depended on vanished into thin air. It gets worse.

Stryker holds a $675 million contract with the Defense Logistics Agency to supply patient monitoring equipment to every branch of the U.S. military. The LIFEPAK 15 is certified to MIL-STD-810E specifications for medevac helicopters and military ground ambulances. The same monitors I used in the back of a civilian helicopter are aboard military medevac aircraft right now. When the attack shut down Stryker’s global order processing, manufacturing, and shipping, it did not distinguish between civilian and military customers. The adjacent theaters I described in the opening of this essay share a major supplier, and a perilous trapdoor capable of causing casualties. The Stryker attack was not an isolated incident. It was only the most visible strike: Three of the four nations the FBI has identified as actively targeting U.S. health care hit the sector almost simultaneously in the preamble to our current conflict. North Korea’s Lazarus Group deployed Medusa ransomware against multiple health care organizations. Russian hacktivist groups have declared solidarity with Iran, and claimed responsibility for attacks on American industrial control systems. Each adversary pursued its own interests and arrived at the same target, because health care is our hardest soft target.

The storm clouds of war

This pattern did not emerge overnight. Health care was the most-attacked critical infrastructure sector in the country in 2024. The Change Health Care breach disabled national payment systems and cost over $1 billion to an economy already propped up by the health care industry. The Ascension attack forced 142 hospitals to chart on paper for six weeks. Researchers have estimated that ransomware has already killed between 42 and 67 Medicare patients since 2020. The sector was under siege well before the war started, this is merely an escalation. The energy sector learned this lesson years ago, and enforces 13 mandatory cybersecurity standards with penalties up to $1.29 million per violation. Per day. Health care has no mandatory security standards at all. HIPAA was designed for data privacy in 1996, and was last substantively updated in 2013. It was never built to defend hospitals against nation-state cyberattacks. Meanwhile, the Cybersecurity and Infrastructure Security Agency, the federal agency charged with protecting critical infrastructure from exactly this kind of threat, has lost roughly 30 percent of its workforce since early 2025. CISA entered the Iran war with its own website noting it was “not being actively managed” due to a funding lapse. The agency responsible for defending our hospitals was itself in critical condition.

It is the supply chain

While the cyber front was escalating, the physical supply chain was collapsing via a completely different mechanism. The drugs that stock American hospitals must travel by container ship through two maritime strangle points, the Strait of Hormuz and the Bab el-Mandab, the war has effectively closed both. Tanker traffic through Hormuz has dropped by 90 percent. The Bab el-Mandab has not returned to normal traffic levels since the Houthi disruptions began in late 2023. Every major Western carrier suspended Red Sea transits within days of the war’s start. The shipping lanes and the shooting war occupy the same water, and there are oceans between us and the drugs our patients depend on. Our pharmaceuticals must circle the earth because of a dependency built over decades and never reversed. China supplies the active pharmaceutical ingredients for most American generic medications. India, which finishes and ships those drugs to us, imports more than 70 percent of its own pharmaceutical intermediates from China. Over 90 percent of generic sterile injectables, including most of the antibiotics a hospital runs on, depend on this production chain. And the last American penicillin plant closed in 2004.

We did not lose this capacity. We gave it away. And now the country that controls our supply of life-giving drugs is watching the war, approving only a fraction of pharmaceutical export applications, and discovering exactly how much leverage it holds. You have felt this at the bedside. You have called pharmacy and been told the drug is on shortage, for the next four years. You have substituted, rationed, and improvised. You may not have known that the shortage traces to a factory in Zhejiang Province or a container ship rerouted around the Cape of Good Hope because the strait it was supposed to transit is full of sea mines. But the effect is the same. A patient in need and a system with no redundancies.

The kill switch we handed them

The dependency goes deeper than drugs. It reaches into the devices inside people’s bodies. Approximately 5 million Americans carry implanted pacemakers and defibrillators; the components that make those devices work flow through the same Chinese-dominated supply chain as the pharmaceuticals you are waiting for. China produces 54 percent of the world’s printed circuit boards and controls 90 percent of rare earth processing, it is too late to build them here. We already know that dependency can be exploited. In January 2025, CISA and the FDA discovered that a Chinese-manufactured patient monitor deployed in American hospitals contained a hard-coded backdoor to a Chinese university IP address, enabling remote code execution on a device attached to living patients. There was no patch. The FDA told hospitals to pull the monitors off their networks. The vulnerability of implanted cardiac devices is not theoretical, and it is not new. Researchers first demonstrated in 2008 that a defibrillator could be hacked to induce ventricular fibrillation with less than $1,000 in equipment. The threat was taken seriously enough that Dick Cheney’s cardiologist disabled the wireless function on the vice president’s defibrillator over assassination concerns. The FDA recalled 465,000 pacemakers over hacking vulnerabilities in 2017. We protected the vice president. We have not protected the 5 million other Americans carrying the same technology, devices they trust with their lives.

Now layer in the workforce instability, the workforce is the one resource that cannot be manufactured, stockpiled, or rerouted through an alternate shipping lane. Hundreds of thousands of nurses have left health care since the COVID-19 pandemic, and nearly 1 million more have told researchers they intend to follow suit. The 2024 National Nursing Workforce Survey found that 40 percent of nurses plan to leave within five years, not their jobs, the profession. The ones who stayed are carrying patient loads that would have been unthinkable a decade ago. Doctors and nurses are like Tomahawk missiles and artillery shells. Highly specialized, expertly engineered, and relentlessly finite. You cannot surge-produce an ICU nurse. You cannot stockpile a trauma surgeon. I flew with National Guard pilots who had deployed to Afghanistan. I worked beside Guard medics and nurses who staffed civilian emergency departments between deployments. Our helicopter pilots were largely Army and federal service. The adjacent theaters I described are not an abstraction. They share a workforce. When those Guard members activate for deployment, they leave holes in civilian hospitals that do not get filled. When civilian nurses burn out and leave health care, the military reserve pool shrinks with them.

I watched this happen at the VA during COVID-19. I watched nurses build an ICU response from scratch in a single night shift while leadership was at home and supply chain collapsed around us. Masks that were “on their way” for weeks that never arrived. A $34.5 million contract that went to a mask broker who rented a private jet to locate N95s that never existed. I documented the failures. I escalated to OSHA, to my congressmen, to ProPublica. The director of my medical center emailed the entire Veterans Service Network to call me a liar. The “lies” were confirmable on the VA’s own website. The institution showed us, when our lives were on the line, that we were on our own. And when the nurses who stayed through all of that looked around and saw the same structural failures still in place five years later, they left. Not because they could not handle the work. Because the work was no longer survivable within the systems we were given.

The warnings we dissociated from

None of this is a surprise. Rosemary Gibson told Congress in 2019 that if China shut the door on pharmaceutical exports, American hospitals would cease to function within months, if not days. Joshua Corman told the Senate in 2022 that cyberattacks on hospitals were already killing patients, our adversaries were getting better at evading our defenses; better than us. The 2024 bipartisan Commission on the National Defense Strategy said the United States could be drawn into simultaneous conflicts and lose, our fronts are now spread over Ukraine, Palestine, Venezuela, Cuba, and Iran. Divided we fall. The FBI has named health care the most-attacked critical infrastructure sector three years running. CISA issued 10 joint advisories naming the specific threat actors: Iran, Russia, North Korea, China. The advisories became prophecies.

We did not listen. We never listen. We clapped for health care workers during COVID-19 and then watched as Congress let the Hospital Preparedness Program funding lapse, as CISA was gutted, as the Strategic National Stockpile remained a fraction of what we need. Drug manufacturers continued buying 80 percent of their active pharmaceutical ingredients from China and India. One is arming our adversaries. The other ships its drugs through a war zone. I am not making an argument about coverage or access or whether we should have single-payer. Those are important debates. They are irrelevant here. I am making an argument about national security. The United States designated health care as one of 16 critical infrastructure sectors. In practice, that designation means voluntary guidelines and suggestions. We hardened the power grid after Colonial Pipeline. We hardened aviation after 9/11. We hardened financial services after every major breach. Health care remains the softest target in the country, and every adversary on the planet knows it.

The Iran war did not create these vulnerabilities. It revealed them. The malignancy was already festering undetected. COVID-19 revealed it five years ago and we rebuilt nothing. You cannot run a national security infrastructure on the unpaid ingenuity of people the system has decided are expendable. The vulnerability you feel at the bedside operates at the geopolitical level too. The short staffing that keeps you awake at night is the same gap that makes a hospital an easy target for ransomware. The drug shortage that forces you to substitute is the same dependency a naval blockade can exploit. The monitor that transmits your patient’s ECG to the cath lab is the same system a nation-state just proved it can shut down. Health care is not a line item. It is infrastructure. It is the workforce that keeps every other workforce alive. No one asked the mechanic to also fly the helicopter when census was high. But we have been asking the health care system to function as critical national security infrastructure while funding it, defending it, and staffing it as though it were merely optional.

The next attack will be worse. Stryker was a proof of concept. The pharmaceutical supply chain is stressed but not yet severed. The workforce is depleted but not yet gone. There is still time to treat health care the way we treated every other critical infrastructure sector after it was attacked. Mandatory cybersecurity standards. Pharmaceutical supply chain reshoring. Workforce investment that goes beyond recruitment bonuses and addresses the conditions that drive people out. Federal preparedness funding restored and expanded. A strategic medical reserve that mirrors the Strategic Petroleum Reserve. Or we can do what we have always done. Wait for the next crisis. Clap. And wonder why nobody is left to answer the call.

Kristen Cline is a professional development practitioner for the Emergency Service Line at Stanford Tri-Valley Medical Center and holds an academic affiliation with Stanford University.

With over 15 years of experience in emergency departments, intensive care units, and critical care transport, she brings clinical depth and a commitment to education and advocacy.

Kristen is board-certified in multiple specialties and speaks nationally for organizations such as Paragon Education and Solheim Enterprises, focusing on certification review and emergency nursing practice.

She has authored and co-authored several publications and textbooks, including contributions to the Emergency Nursing Scope and Standards of Practice, 3rd edition.

Her peer-reviewed work includes articles in Annals of Emergency Medicine, on “Optimizing Pediatric Patient Safety in the Emergency Care Setting,” and in Pediatrics, on “Access to Optimal Emergency Care for Children.”

Recognized among ENA Connection’s “20 under 40,” she advocates for nurse wellness and trauma-informed care through speaking engagements, her Medium blog, and social media platforms like Instagram and Facebook.