Two stories from the past week paint a clear picture of what incident response failures look like at scale, and why preparation isn’t optional.
Stryker: 200,000+ Devices Wiped Across 79 Countries
The Iran-linked Handala Group claimed responsibility for a devastating wiper attack against Stryker, one of the world’s largest medical device manufacturers. The attack reportedly wiped over 200,000 IT systems (servers, workstations, and mobile devices) across 79 countries via remote management tools.
This wasn’t a ransomware campaign where you might negotiate a decryption key. It was a wiper, designed to destroy, not extort. When a wiper hits, there’s no undo button. Your recovery depends entirely on what you prepared before the attack happened.
For healthcare organizations, the implications go beyond data loss. Even when patient-facing medical devices aren’t directly affected, the loss of supporting IT infrastructure (scheduling systems, records access, communications) can bring operations to a halt. Recovery timelines measured in weeks or months translate directly to operational disruptions in clinical settings.
Canada’s Breach Reporting Lag
In a separate but related story, analysis highlighted persistent delays in Canadian breach reporting, with organizations routinely taking months between discovering a breach and notifying the people affected.
Whether it’s six months or nine, the pattern is the same: extended notification delays are a compliance failure. In those months, affected individuals can’t take protective action. Threat actors have time to exploit stolen data. And by the time notification arrives, the window for meaningful response has closed.
Regulations like PIPEDA, GDPR, and various US state laws exist precisely because timely notification matters. When organizations treat breach reporting as something to get around to eventually, they undermine the entire framework.
The Common Thread
Both stories share a root cause: organizations that weren’t prepared for the incidents they faced.
Stryker’s wiper attack exposed the consequences of insufficient recovery preparation for destructive attacks. Canada’s reporting delays exposed the consequences of lacking mature incident response processes.
Neither situation is unusual. They’re just the ones that made headlines.
What Preparedness Actually Looks Like
Incident response plans that get tested. An IR plan that lives in a SharePoint folder isn’t a plan; it’s a document. Tabletop exercises, walkthrough simulations, and regular reviews are what turn a document into a capability. When did your team last practice responding to a destructive attack?
Backup and recovery that accounts for wipers. If your backup strategy assumes you’ll always have something to restore, you haven’t accounted for destructive attacks. Air-gapped backups, immutable storage, and tested recovery procedures are the minimum for environments where wipers are a realistic threat.
Notification processes built in advance. If you’re figuring out breach notification requirements during an active incident, you’re already behind. Map your regulatory obligations before an incident happens. Know who needs to be notified, in what timeframe, and through what channels.
Compliance as a program, not a project. Frameworks like ISO 27001 and SOC 2 exist to build ongoing security practices, including incident response and breach notification. Organizations that implement these frameworks meaningfully, rather than as audit-year exercises, are the ones that can respond in days rather than months.
The Takeaway
Incident response isn’t something you build during an incident. The organizations that recover quickly and notify appropriately are the ones that invested in preparation before the bad day arrived. The ones that didn’t invest made headlines for all the wrong reasons.