Federal agency calls on healthcare and medical technology organizations to tighten endpoint management controls following attack on Stryker’s Microsoft environment.
The Cybersecurity and Infrastructure Security Agency (CISA) is urging US organizations to harden their endpoint management system configurations following a March 11, 2026, cyberattack against medical technology firm Stryker that affected the company’s Microsoft environment.
In an alert, CISA says it is aware of malicious cyber activity targeting endpoint management systems of US-based organizations and is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.
According to the CISA alert, the cyberattack against Stryker misused legitimate endpoint management software—a tactic that poses a particular risk to healthcare environments where such software is widely deployed to manage connected instruments, workstations, and devices across facilities.
Recommended Security Measures
To defend against similar activity, CISA is urging organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune, a widely used endpoint management platform. The agency notes that the principles of these recommendations can be applied broadly to other endpoint management software as well.
CISA’s key recommendations include:
- Apply least-privilege principles to administrative roles. Organizations should use role-based access control to assign the minimum permissions necessary to each role, covering both what actions a role can perform and which users and devices it can affect.
- Enforce phishing-resistant multifactor authentication and privileged access hygiene. CISA recommends leveraging Microsoft Entra ID capabilities—including Conditional Access, MFA, risk signals, and privileged access controls—to block unauthorized access to privileged actions.
- Require multi-admin approval for sensitive actions. Organizations should configure access policies to require a second administrative account’s approval before allowing high-impact changes, such as device wiping, application deployments, script execution, RBAC modifications, and configuration changes.
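
The three recommendations above can be checked as an audit over exported role assignments and an action log. This is an added example, not code from CISA, Microsoft or this article; the record layout, field names and sample entries are constructed assumptions and do not reflect an Intune or Microsoft Graph export schema.

```python
# High-impact actions, taken from the list of sensitive actions named in the alert.
HIGH_IMPACT = {"device_wipe", "app_deployment", "script_execution",
               "rbac_modification", "config_change"}

# Constructed sample data (hypothetical admins, roles and scopes).
ROLE_ASSIGNMENTS = [
    {"admin": "alice", "actions": {"device_sync"},
     "scope": "group:clinic-a-workstations", "phishing_resistant_mfa": True},
    {"admin": "bob", "actions": {"device_wipe", "script_execution"},
     "scope": "all_devices", "phishing_resistant_mfa": False},
    {"admin": "carol", "actions": {"app_deployment"},
     "scope": "group:lab-instruments", "phishing_resistant_mfa": True},
]
AUDIT_LOG = [
    {"id": 1, "action": "device_wipe", "requested_by": "bob", "approved_by": None},
    {"id": 2, "action": "app_deployment", "requested_by": "carol", "approved_by": "alice"},
    {"id": 3, "action": "rbac_modification", "requested_by": "bob", "approved_by": "bob"},
    {"id": 4, "action": "device_sync", "requested_by": "alice", "approved_by": None},
]

def audit_assignments(assignments):
    """Flag admins whose high-impact permissions are over-scoped or weakly authenticated."""
    findings = []
    for a in assignments:
        if not (a["actions"] & HIGH_IMPACT):
            continue  # low-impact roles are out of scope for these two checks
        if a["scope"].startswith("all_"):
            findings.append((a["admin"], "tenant-wide scope"))
        if not a["phishing_resistant_mfa"]:
            findings.append((a["admin"], "no phishing-resistant MFA"))
    return findings

def audit_actions(log):
    """Return ids of high-impact actions that lack approval by a second, distinct admin."""
    return [e["id"] for e in log
            if e["action"] in HIGH_IMPACT
            and (e["approved_by"] is None or e["approved_by"] == e["requested_by"])]

if __name__ == "__main__":
    for admin, issue in audit_assignments(ROLE_ASSIGNMENTS):
        print(f"assignment finding: {admin}: {issue}")
    for event_id in audit_actions(AUDIT_LOG):
        print(f"action finding: event {event_id} ran without second-admin approval")
```

Note that event 3 is flagged even though it has an approver: self-approval does not satisfy a multi-admin requirement.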
Additional Guidance Resources
Beyond its core recommendations, CISA points organizations to a range of resources to further strengthen their defenses. Microsoft-published guidance covers securing Microsoft Intune, implementing multi-admin approval policies, configuring Intune using zero-trust principles, deploying RBAC policies, and planning a Privileged Identity Management (PIM) deployment across Microsoft Intune, Entra ID, and related software.
CISA also directs organizations to its own resource on implementing phishing-resistant MFA.
CISA notes that both Microsoft and Stryker contributed to the alert.