Hospitals don’t have to be the target of a cyberattack to feel the impact. Curi Advisory’s Margaret Curtin shares lessons from the Stryker incident and the critical importance of managing enterprise risk in healthcare.
Cybersecurity is one of the top risk issues on the minds of hospital executives and healthcare leaders today—and for good reason. What I’m seeing in my work goes far beyond traditional cyber risk.
Healthcare organizations are now operating in a fundamentally different risk environment than they were even just a year ago. Risk is no longer isolated, predictable, or contained within the traditional domains of risk. The threats are interconnected, fast-moving, and often driven by external forces well outside an organization’s control.
Across the U.S., healthcare systems are functioning within a converging risk landscape where cyber warfare, geopolitical conflict, financial system shifts, workforce instability, and operational dependencies are tightly linked.
That’s why I believe a robust, mature enterprise risk management (ERM) program is no longer optional—it’s essential.
The recent cyberattack on Stryker offers a clear and urgent signal that I’ve been sharing with my clients: healthcare is increasingly part of a broader geopolitical and cyber risk environment—and no organization is immune.
In March 2026, Stryker—one of the largest medical device manufacturers in the U.S.—experienced a cyberattack linked to an Iran-affiliated group.
The attack disrupted manufacturing operations, order processing systems, and internal business infrastructure. Even now, Stryker has still not returned to full manufacturing capacity.
While no physical damage occurred, the operational disruption alone had cascading implications across the healthcare ecosystem.
To me, this event reflects a broader and more concerning trend: cyberattacks are increasingly state-linked and aimed at critical infrastructure, including healthcare and its supply chain partners.
One of the most important takeaways is that hospitals were not the direct target, but they were immediately at risk.
I’ve been reminding the healthcare leaders that I work with: your organization doesn’t have to be directly attacked to experience a crisis. Whether it’s a direct hit or collateral damage, your ability to deliver care can be impacted almost instantly.
Healthcare delivery is deeply dependent on third parties. When those partners experience a service disruption, the effects can quickly translate into:
What has fundamentally changed is the speed and interconnectedness of these effects. External events now move rapidly across organizational boundaries, becoming enterprise-wide issues within hours or even minutes.
The most important lesson from Stryker is not the cyberattack itself—it is the interconnectivity of risk.
What I’m seeing across the industry is that risks are no longer isolated. They compound and cascade across domains:
This dynamic is a fundamental shift. A single event can now trigger multi-domain enterprise impacts across clinical, operational, and financial areas.
For healthcare organizations, this means ERM must evolve. It’s no longer about managing discrete risks—it’s about understanding and managing how risks interact. I often describe it like a game of dominos: when one falls, many follow.
The first question I ask organizations is simple: Do you truly have an enterprise risk management program?
If the answer isn’t clear, that’s where to start. And we can help.
If you do have an ERM approach, the next question is whether it’s mature enough for today’s risk environment. In many cases, I find organizations have key pieces in place, but lack the integration needed to respond effectively to interconnected threats.
At Curi Advisory, our Risk Consulting team (powered by ERC Risk Solutions) is currently working with healthcare systems to assess, develop, and strengthen their ERM programs. What consistently stands out is the return on investment (ROI).
While it’s difficult to fully quantify, the value is significant—both in protection from loss and in creation of operational and financial stability.
Based on average litigation costs, lost revenue from operational risk and/or business interruption, compliance penalties, and reputational harm, the combined loss protection and value creation put the ROI in the millions. Example ROI calculations (based on several sources):
For many organizations, the next step is translating ERM concepts into practical application—aligning leadership, evaluating current capabilities, and identifying priority areas for advancement.
Organizations often benefit from structured discussions or facilitated sessions that bring together leadership perspectives, assess current-state ERM maturity, and identify actionable next steps.
At Curi Advisory, we offer services designed to support organizations at various stages of ERM maturity, including:
These offerings are practical and discussion-based, helping organizations move from awareness to implementation—because in today’s environment, insight alone isn’t enough.
If you’re evaluating your ERM program—or wondering whether it’s keeping pace with today’s risk environment—I’d welcome the opportunity to connect. Contact me at margaret.curtin@curi.com.
The content contained herein was generated by Curi Advisory with the assistance of an AI-based system to augment the effort.