In the space of seven days in March 2026, two of the world's most prominent medical technology companies disclosed serious cyber incidents. Stryker, which manufactures orthopaedic implants and surgical equipment used in health systems globally, suffered a destructive attack attributed to an Iran-linked hacktivist group that caused a global network outage, with ordering and shipping systems still offline more than a week later. Days afterwards, Intuitive Surgical, the company behind the da Vinci robotic surgical system, confirmed that a phishing attack had compromised employee credentials and exposed customer business and contact data.
Neither company is a peripheral player. Both operate at the centre of global healthcare supply chains. And while neither incident directly breached NHS infrastructure, the methods used and the regulatory environment NHS suppliers now operate in make these incidents directly relevant to any organisation working with the health service.
The attack on Stryker was claimed by Handala, a hacktivist group assessed by security researchers to be linked to Iran's Ministry of Intelligence and Security (MOIS). It caused a global network outage affecting the company's ordering and shipping systems, representing what analysts described as the first successful, full-scale disruptive cyberattack against a major US corporation since the escalation of conflict in the Middle East.
Analysts at Check Point Research characterised the incident as a clear signal — not only about Iran's capability, but about its intentions and willingness to execute disruptive operations against healthcare-adjacent organisations. Security professionals interviewed by The Register were consistent on one point: the Stryker incident is unlikely to be the last.
Intuitive's disclosure was different in character but equally instructive. An attacker used a phishing email to steal an employee's credentials, then used those credentials to access internal IT business applications. Stolen data included customer business and contact information, along with employee and corporate data.
Intuitive was clear that its clinical systems were unaffected. The company operates network segmentation that keeps its robotic surgical platforms — and the hospital networks connected to them — separate from its internal business infrastructure. That segmentation held, and it materially limited the impact of the breach.
What the incident demonstrates, however, is that even a company of Intuitive's scale and technical sophistication can be compromised through a single phishing email. A security expert quoted in subsequent reporting made the point plainly: identity systems are now the primary gateway into corporate infrastructure, and phishing remains effective because it targets people rather than technology.
The instinct for many NHS suppliers will be to view these incidents as US-specific concerns. That instinct is worth examining carefully.
Stryker has a significant UK commercial presence and supplies equipment across NHS trusts. A global network outage at a supplier of that scale has operational consequences for health systems, regardless of whether the NHS itself is directly targeted.
More broadly, the NCSC issued a formal advisory in early March 2026 advising UK organisations to review their cyber security posture in light of the escalating conflict in the Middle East. The NCSC was measured in its assessment: there is likely no current significant change in the direct cyber threat from Iran to the UK, but the situation is fast-evolving, and there is almost certainly a heightened risk of indirect cyber threat for organisations with supply chains or operations connected to the region.
It is also worth noting that Cisco Talos, in an updated advisory following the Intuitive disclosure, assessed that the healthcare sector is not at any specifically elevated or systematic risk of targeting by Iran-linked actors. These are, in the main, attacks on targets of opportunity. That assessment, far from being reassuring, is precisely the point. Opportunistic attacks succeed when organisations have not addressed foundational security controls. The method used against Intuitive — a phishing email, one compromised credential — is not exotic. It is the everyday currency of cyber intrusion.
These incidents arrive at a moment when NHS supplier assurance requirements are tightening significantly.
In January 2026, NHS England and DHSC issued an open letter to approximately 36,000 NHS suppliers, announcing a new programme of direct engagement to discuss cyber security controls and request evidence of compliance. This programme is already active. NHS England or relevant contracting authorities may now proactively contact suppliers to verify that they meet the expectations set out in the NHS Cyber Security Supply Chain Charter, covering MFA, continuous monitoring and logging, immutable backups, tested recovery plans, and board-level cyber exercising.
The Stryker attack makes the case for Cyber Essentials Plus more plainly than any compliance briefing could. Under Procurement Policy Note 014 (PPN 014), NHS Supply Chain requires all in-scope suppliers (those handling NHS personal data, or supplying IT or digital products and services) to hold Cyber Essentials Plus certification, or to demonstrate that equivalent controls are in place.
The standard is not incidental to what happened at Stryker and Intuitive. Cyber Essentials Plus requires suppliers to demonstrate five technical controls: boundary firewalls, secure configuration of systems and devices, user access control, malware protection, and timely security updates. These are exactly the controls that opportunistic intrusions of the kind described above depend on finding absent or unverified, and the Plus variant matters because an assessor tests that they are actually in place rather than accepting a self-declaration.
Critically, ISO 27001 cannot be offered as an alternative to Cyber Essentials Plus under PPN 014, precisely because Cyber Essentials is based on baseline technical controls being demonstrably in place, whereas ISO 27001 takes a risk-based approach: an organisation can scope out or risk-accept individual controls through its Statement of Applicability, so the certificate alone does not prove that any particular control, MFA for example, is actually deployed.
For suppliers who have relied on ISO 27001 as their primary assurance credential, this is a material gap that NHS Supply Chain is actively identifying.
DSPT remains a separate and parallel obligation. For suppliers handling NHS patient data, "Standards Met" is a contractual requirement under the NHS Standard Contract, and the DSPT 2025–26 (Version 8) submission deadline is 30 June 2026. For Category 2 IT suppliers, that submission requires an independent audit.
But DSPT and Cyber Essentials Plus address different things: DSPT covers data security governance and organisational standards; Cyber Essentials Plus verifies that the underlying technical controls are real and tested. Both are required. Neither substitutes for the other.
The Cyber Security and Resilience Bill, now progressing through Parliament following its second Commons reading in January 2026, will extend statutory security obligations across critical supply chains with enforcement powers that go well beyond current ICO fines.
The regulatory trajectory is clear. NHS England is already acting on it.
Beyond the incident itself, there is something useful in how Intuitive was positioned before the breach and how it handled the aftermath.
Network segmentation worked as intended. The separation of internal business systems from clinical platforms and hospital customer networks meant that the breach had no operational impact on robotic surgical procedures or hospital IT. That is not the default posture for all NHS suppliers — particularly smaller digital health companies or IT service providers whose internal systems and NHS-facing systems may not be meaningfully separated.
Containment, notification to data privacy regulators, and transparent public disclosure were also handled promptly. Contrast this with the extended outage Stryker continued to manage more than a week after its incident was disclosed. The comparison is not exact, since a destructive attack on core business systems and a credential-based data theft impose very different recovery burdens, but the difference in operational resilience is, at least in part, a function of the architectural and procedural controls each company had in place before the attack occurred.
MFA across all systems, staff awareness training, and anti-phishing technical controls are the first line of defence. One caveat a practitioner should keep in mind: MFA based on SMS or one-time codes can be relayed by a real-time proxy phishing kit, so phishing-resistant methods (FIDO2 security keys or passkeys) should be the target for privileged, remote and email access. The Intuitive incident demonstrates that none of this is optional for organisations handling NHS data or supporting NHS systems.
Can a compromise of your internal business systems reach your NHS-facing systems or patient data? If you cannot answer that with evidence (a current network diagram, the firewall rules between the zones, and a test that exercises them), the uncertainty is itself a risk that warrants investigation before your next DSPT submission, or before NHS England makes contact as part of its supplier engagement programme.
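The question above can be turned into a repeatable check rather than a judgement call. The following is an added example, not code from either company or from the page's author: it models a firewall policy between a corporate zone and a clinical (NHS-facing) zone with first-match, default-deny semantics, then enumerates which services a host anywhere in the corporate zone can reach in the clinical zone. The zone ranges, rule names and service list are constructed assumptions. It runs the check against a weak policy with a blanket "temporary" allow and against a hardened policy that permits only a jump-host range on one port.

```python
"""Does the internal business zone reach the NHS-facing zone?

Constructed example for reviewing a segmentation policy offline. Zones,
address ranges and rules are illustrative assumptions, not any real estate.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # explicit destination ports, or ("any",)
    action: str     # "allow" or "deny"


# Assumed zone layout: corporate IT and clinical/NHS-facing systems.
# A small admin jump-host range (10.10.99.0/24) sits inside corp.
ZONES = {
    "corp": ip_network("10.10.0.0/16"),
    "clinical": ip_network("10.50.0.0/16"),
}

# Representative services an intruder on a compromised corporate host
# would try first against the clinical zone (constructed list).
SERVICES = [("tcp", 22), ("tcp", 443), ("tcp", 445), ("tcp", 3389), ("tcp", 5900)]

# Weak: a "temporary" convenience rule lets all of corp reach all of clinical.
WEAK_POLICY = [
    Rule("corp-to-clinical-any", "10.10.0.0/16", "10.50.0.0/16", "any", ("any",), "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", ("any",), "deny"),
]

# Hardened: only the jump-host range reaches clinical, on one port, and an
# explicit corp-to-clinical deny sits above the default deny.
HARDENED_POLICY = [
    Rule("jump-to-clinical-https", "10.10.99.0/24", "10.50.0.0/16", "tcp", (443,), "allow"),
    Rule("corp-to-clinical-deny", "10.10.0.0/16", "10.50.0.0/16", "any", ("any",), "deny"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", ("any",), "deny"),
]


def first_match(policy, src, dst, proto, port):
    """First-match evaluation with implicit default deny, as most firewalls do.
    Returns the matching Rule, or None when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.ports != ("any",) and port not in r.ports:
            continue
        return r
    return None


def sample_hosts(policy, zone_net, side):
    """Test addresses for a zone: its first and last usable host plus one host
    from every rule-specific subnet inside it, so narrow exceptions such as a
    jump-host range are exercised rather than missed."""
    hosts = {zone_net[1], zone_net[-2]}
    for r in policy:
        n = ip_network(getattr(r, side))
        if n.subnet_of(zone_net):
            hosts.add(n[1])
    return sorted(hosts)


def cross_zone_exposure(policy, src_zone, dst_zone, services=SERVICES):
    """Enumerate (src, dst, proto, port, rule) tuples the policy ALLOWS from
    src_zone into dst_zone. An empty list means the zones are separated at the
    firewall for the services tested."""
    exposures = []
    for s in sample_hosts(policy, ZONES[src_zone], "src"):
        for d in sample_hosts(policy, ZONES[dst_zone], "dst"):
            for proto, port in services:
                r = first_match(policy, str(s), str(d), proto, port)
                if r is not None and r.action == "allow":
                    exposures.append((str(s), str(d), proto, port, r.name))
    return exposures


def offending_rules(policy, src_zone, dst_zone):
    """Names of the rules responsible for any allowed cross-zone flow."""
    return sorted({e[4] for e in cross_zone_exposure(policy, src_zone, dst_zone)})


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = cross_zone_exposure(policy, "corp", "clinical")
        print(f"{label}: {len(found)} allowed corp->clinical flows; "
              f"rules to review: {offending_rules(policy, 'corp', 'clinical')}")
```

Against the weak policy every sampled corporate host reaches every tested clinical service, and the single convenience rule is named as the cause; against the hardened policy only the jump-host range reaches the clinical zone, and only on 443. A rule review of this kind is necessary but not sufficient: shared identity (one directory or the same admin accounts spanning both zones), shared management tooling, remote-access VPN landing zones and file shares are paths a packet-filter check cannot see, and each needs the same question asked of it.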
The 30 June 2026 deadline for DSPT Version 8 is not distant. Category 2 suppliers who have not begun their independent audit process should treat the current environment as a prompt to move.
When direct engagement comes — and the open letter makes clear it will — suppliers will be asked about MFA, monitoring and logging, backup and recovery, and board-level exercising. If your answers to those questions are currently weak, you have a clear window to address them.
Two incidents in one week do not constitute an epidemic. They do constitute a pattern. The medical device sector has been tested twice in a single week, and the methods involved, phishing, credential theft and opportunistic targeting of supply chain links, are neither sophisticated nor new.
For organisations supplying the NHS, the question these incidents raise is straightforward: is your security posture resilient enough to meet both the current threat landscape and the rapidly tightening expectations of NHS England, the ICO, and the incoming Cyber Security and Resilience Bill?
The time to answer that question honestly is now, before a breach forces the answer.