If I wrote here that the Iranians had scored a major tactical hit on American soil, I doubt that 1 in 100 people would believe me. But in fact they have. The tactical hit is the hack, on March 11, of Stryker, the medical device company (not to be confused with Stryker the manufacturer of military hardware).
The hack has mostly been covered in industry publications (1, 2, 3, 4), and has been covered here and there in the mass media, but hasn’t been given anything like the attention it deserves. I haven’t seen a single article at The New York Times or The Washington Post, the two bellwethers of mainstream journalistic respectability (though the Wall Street Journal ran one). Either the business writers at these publications are clueless incompetents, or they’re under the power of agenda-driven editors who would rather bury this story. Either way, it’s being buried.
The hack wiped out huge amounts of data, exfiltrated huge amounts of patient information, and adversely affected medical care wherever Stryker devices were sync’d to lost data. The hackers exploited a very common feature of hybrid work, the integration of company computers with personal cell phones. Needless to say, every cell phone connected to a company computer got hacked, too. The hack was clearly Iranian or Iranian-sympathetic in origin. What it proves, to put it simply, is that the Iranians can hack the American medical system at will, and produce adverse consequences across its breadth. Nothing is safe: not your data, not your medical device, not your hospital stay, not your hospital, not you. (Will you still be billed? Yes.)
If it’s never previously bothered you that your name, address, phone number, email address, Social Security number, insurance information, medical providers, medical conditions, and financial data are all sloshing around on the dark web, now is the time to worry. I work on the data analytic side of medical revenue management myself. Just today, I found myself auditing a bunch of patient accounts and wondering why the patient’s Social Security number had to be so visibly displayed there on the screen. “Patient Social Security Number” serves no clear purpose in our system except to produce a gratuitous loss of privacy and security for the patient. What else was it there for?
I didn’t really have time to dwell on the question, so I moved on. Thing is, that’s exactly what the IRGC doesn’t do. They don’t just look at your Social Security number, furrow their brow, and move on. They take it. What they do with it, I can only imagine.
If you find it weird that I have access to your Social Security number–and if you’ve been a patient in one of our client hospitals, I do–then imagine how weird it is that the IRGC does. But if you’re a Stryker customer, well, now they do. And how do you know whether you are in fact a Stryker customer? Well, you are if you went to the hospital or the doctor’s office and someone needed to enter your personal data to use a Stryker device while treating you. And how would you know that? I don’t know. I guess you’d have to call IRGC Customer Service to find out.
The Stryker hack is the third consequential hack in the last few years that has been very poorly reported in the mass media. First came the Change hack, originally reported as a Russian state hack, but later demoted by the press to a Russian crime-gang hack. Personally, I don’t see much of a difference: the Russian state is a crime gang (as are most states). It was at any rate a Russian hack in the early phases of the Ukraine invasion, and it compromised 100 million US patients–one third of the population of the United States. An event that monumental, you’d think, would have been given more play in the media, but in fact it got far less than, say, the Luigi Mangione shooting.
Second was the Oracle hack, politically significant because Oracle is Larry Ellison’s company. The Oracle hack proved that Oracle was in fact incompetent at digital security. No sooner was this clearly demonstrated than the Trump Administration handed TikTok to Ellison on a silver platter, precisely so that Ellison et al. could secure “our data” against TikTok’s nefarious Chinese owners, who could not be trusted with it. How Ellison or Oracle or Oracle’s spin-offs or mutant variants were to be trusted with it was a question no one seemed keen to ask.
And then, of course, there’s the Stryker hack. Together, these hacks illustrate the wild absurdity of the Republican fixation on voter fraud, the “immigrant invasion,” and even identity theft by undocumented immigrants. I don’t dispute that there is some voter fraud in this country, that there are many undocumented immigrants, and that many of these undocumented immigrants steal identities (principally the Social Security numbers of deceased people) to survive. I don’t even dispute that these things are problems of some sort.
What I dispute is that the scale of the one set of problems is anywhere in the vicinity of the scale of the other. Take all the voter fraud, all of the immigrant documentation issues, and all of the stolen Social Security numbers, and add them all up. Give that problem a value of x.
Now consider the problem we face with respect to hacking, and restrict the problem simply to the health care system, broadly understood to include both its clinical and financial dimensions. We’re now talking about nearly a fifth of the US economy. We’re talking about providers, payers, patients, and vendors in a gigantic but interconnected series of networks–hospitals, insurance companies, employers, medical device producers, pharma, etc. etc.
If you can find a way to hack one large part of this system–and you’re a state intelligence service–you can probably find a way to launch a complicated assault on several parts at once. Bear in mind that none of the parts are designed to withstand a wholesale military-style attack by a determined state-sponsored attacker. What do you think will happen if or once they do attack?
After routinizing garden-variety hacking for decades, we are now looking at the prospect of cyberattacks by a country we have bombed, are thinking of invading, are thinking of overthrowing, and are thinking of hitting with nuclear weapons. In other words, from dealing with garden-variety criminals interested in money, we graduated to Russian gangsters, but are now facing Shia mullahs and their functionaries in the full grips of an existential civilizational crisis that we created on a whim. If you seriously think that this problem is somehow on par with an “invasion” of Mexican burrito makers, Guatemalan landscapers, and Ecuadoran laborers, it really is time to get your head out of your ass.
What quantity do we assign such a problem? If the “undocumented immigrant invasion” problem had a magnitude of x, what about this one? Is it 2x? 10x? 100x? x²? x³? 100x³? At a certain point, frankly, the problem ceases to be a matter of math, and becomes a matter of doom. We’ve wandered into a problem we can barely conceptualize, much less solve. The only way to “solve” the problem is to make sure you don’t have to. But it’s too late for that.
When I worked in an OR, there were several times where we came close to producing nearly-catastrophic accidents that were averted at the last minute by some combination of belated conscientiousness and good fortune. With every such event, the realization dawned that unless one was vigilant, the odds would get even and have their say. Take the conscientiousness and good luck out of the equation, and they do. That’s where we are right now–in the hands of an administration bereft of conscience that’s squandered whatever good fortune we might ever have had. We might have muddled through if we hadn’t decided to start a fucking war. But there’s no muddling through a war of aggression.
All I can say at this point is that people should be demanding better coverage of the Stryker hack than we’ve so far gotten. It’s an event of incalculable consequence, and will no doubt lead to more like it, and more worse than it.
As an industry insider, I can tell you with some confidence that we are not prepared. Nor is preparation “imminent,” to use that favorite, abused word. Like COVID, like Trump himself, the Stryker hack is the product of decades of improvidence, recklessness, and neglect. It’s more fun to make money than worry about risk and security. It’s harder to work in a security-constrained environment than one where the firewalls are down, encryption is off, you can use any hardware you want, download any app you want, and pretty much do what you want. But when things are easier for end users, they’re easier for hackers. And as far as hacking is concerned, it doesn’t help that you’re oceans away from your adversary. The oceans add to the illusion of safety, but at the price of concealing the obvious: that your adversary is just a mouseclick away from you. And if your adversary is someone working for the Islamic Republic of Iran, that’s bound to be a little too close for comfort.



