When a cyberattack disrupted systems at Stryker last month, many healthcare organizations were forced to confront an uncomfortable reality: what happens when a deeply embedded vendor suddenly goes dark?

At Boston Children’s Hospital (BCH), the answer unfolded in real time.

During a recent Harvard Clinical Informatics Lecture Series session, hospital leaders from BCH described how they rapidly severed ties with Stryker’s Vocera platform, which was being used for secure messaging, voice communication, and alert routing, and quickly set up a new, Epic-based communication system within hours, all while maintaining clinical operations.

“It was a pretty immediate and rapid response,” said Brian Venditelli, Director of Cybersecurity. “Within about 30 minutes of the alert being called, we had blocked emails, blocked the website. We had turned down the wholesale services and we had shut down any associated servers and network connections.”

A Platform at the Center of Clinical Communication

By early 2026, BCH’s reliance on Stryker’s Vocera platform was extensive. The system supported secure clinical texting, voice over IP (VoIP), and the routing of alerts and alarms from bedside devices. That infrastructure had taken years to build.

“With our transition to Epic in 2024, we also made the transition to Stryker Vocera’s text and voice over IP calling,” said Jonathan Hron, M.D., Associate CMIO. “We replaced all those Spectralink phones with iPhones and basically rebuilt all of the teams and roles and units … I think we have over 1,200 role-team-unit relationships that are built out in that system.”

The system enabled highly granular communication. “You could be the physician on the hospital medicine team on the 9 East unit, or you could be the charge nurse on the 9 East unit — that’s a massive amount of build,” Hron said.

Crucially, Vocera also served as middleware for clinical alerts. “If a patient has an alert or alarm at the bedside … there’s a middleware that we use from Stryker Vocera that routes those alerts and alarms … to the end users,” said Chase Parsons, D.O., Chief Medical Officer. “It pulled the nurse’s assignment to a patient from Epic … and then pushed it out to the endpoints.”

When that system went down, the impact extended far beyond messaging.

A Different Kind of Cyberattack

According to Venditelli, the Stryker incident stood out because it did not follow the familiar ransomware playbook. “This Stryker incident is actually one of the more interesting cybersecurity incidents … for the simple fact that it was not actually ransomware,” he said. “What this was is what we call a wiper attack.”

Rather than deploying malware, attackers compromised administrative credentials. “They actually compromised administrative credentials that essentially gave them keys to the kingdom,” Venditelli said.

From there, they executed large-scale destruction. They were able to send a wipe command to over 200,000 endpoints, including laptops, desktops and mobile devices, and reset them to factory settings or simply delete everything, according to Venditelli. “They were also able to wipe out the majority of their servers and their backup infrastructure.”

The downstream effects were immediate and widespread, and had significant impacts to many healthcare organizations. “All of these organizations had to switch to potentially manual processes, seemingly within hours of the disruption,” he said.

An Immediate Response

BCH’s first indication came via a vendor notification. Within minutes, the hospital activated its incident response structure. “One of the things that we did proactively as a team was we called an alert almost immediately,” Venditelli said. “We brought everyone together as soon as we found out … having a vendor like Stryker heavily embedded within our infrastructure required multiple teams to get engaged all at once.”

The response spanned IT, cybersecurity, clinical informatics and hospital operations, with parallel coordination calls across technical and clinical leadership. At the same time, the organization moved quickly to isolate the threat. “We removed our connections with Stryker,” Parsons said, which meant even its email communication between Vocera and BCH.

Within roughly 30 minutes, access was fully cut off, and the hospital began removing the Vocera application from managed devices.

By late morning, BCH had effectively lost its primary enterprise communication platform.

A Fragmented Stopgap

In the immediate aftermath, clinicians improvised. Microsoft Teams, Zoom chat, personal cell phones, and pagers all filled gaps, but none offered a unified, enterprise-wide solution.

“Our clinicians are pretty resourceful,” Hron said. “Some people were handing out cell phone numbers … some people were going right to Teams or Zoom. But the challenge really becomes across the enterprise. If each area comes up with their own solution, then it doesn’t necessarily work across units and departments.”

Leadership also had to weigh compliance concerns. The result was functional, but fragile, communication.

A Critical Decision: Turning on Epic Secure Chat

Even as stopgap measures took hold, informatics leaders began considering a more ambitious move: accelerating a planned rollout of Epic Secure Chat. “I just said, ‘Hey, should we turn on secure chat?’” Hron recalled. The system had been scheduled for implementation months later.

At first, the idea seemed unrealistic. “That was a project … that takes six to nine months to install,” Parsons explained. “So that seemed kind of far-fetched for us to do as a next step.”

But one key factor shifted the calculus: the expected duration of the outage. “A typical turnaround time for restoring services is about 47 days,” Venditelli said. “And again, this wasn’t ransomware … this is all rebuilding from scratch. So, 47 days might be on the light side.”

That timeline made waiting untenable. By late afternoon, leadership aligned around a bold approach: turn it on.

“We pushed out secure chat around 5:30 pm,” Parsons said, adding that evening, there were about 4,070 messages sent from 5:30 pm to midnight. Within hours, Boston Children’s had re-established secure clinical messaging.

From Basic Messaging to Full Workflow Integration

The initial rollout was minimal — person-to-person messaging only. But by the next day, teams began rebuilding the more complex, role-based communication structure that Vocera had supported.

“We replicated those [care teams] as groups within secure chat,” Parsons said. “And then you could message that team that was already assigned to that patient in Epic.”

Because clinicians were already using Epic sign-in workflows, the transition was faster than expected. “We do typically use that so that we can identify the nurse and the primary team … it’s already kind of baked into our workflow,” Parsons explained.

Hron noted that prior investments paid off. “We went down Wednesday, and we got secure chat up Wednesday night,” he said. “The next morning was really when we started working on those groups — and that was really critical.”

Strong Adoption, Mixed Results for Voice

Secure Chat adoption was rapid and widespread. “During the week, it’s around 40,000 messages, compared to about 14,000 or 15,000 messages a day” in the prior system, Rowland said.

User feedback was overwhelmingly positive. “Our medical students and residents loved secure chat,” Parsons said. “People kept saying, ‘Please, we don’t want to go back … it’s just so well integrated.’”

Voice capabilities, however, lagged behind. While Epic-to-Epic calling was enabled within a day, it lacked full integration with existing telephony systems.

“If our ED gets a call from the transfer center … we can’t transfer that call to an Epic phone,” Parsons said. “They have to sit by a landline, or use disaster phones.” As a result, call volumes remained far below pre-incident levels.

Ongoing Gaps

Despite the success of secure messaging, the loss of Vocera’s middleware created persistent challenges. “The alerts and alarms we lost … that middleware was the key to getting a message from the bedside, to the end users,” Rowland said. “Epic does not have that middleware, so that was completely lost.”

In its absence, staff reverted to manual processes, which included overhead paging, phone calls, and human intermediaries. The incident also prompted broader discussions around resilience.

A Shift in Cybersecurity Thinking

For Venditelli, the attack underscored a critical shift in cybersecurity risk — from perimeter defenses to identity-based threats. “It was actually no firewall failure,” he said. “It was really a failure to implement controls at the identity level.”

In cloud environments, he noted, traditional defenses give way to access policies and identity controls, all areas that may not receive the same level of scrutiny.

From Crisis to Capability

The Stryker cyberattack exposed a fundamental vulnerability in modern healthcare: deep reliance on third-party platforms for core clinical operations.

But at Boston Children’s Hospital, it also revealed something else — organizational resilience. In less than 24 hours, the hospital:

• Shut down a critical vendor platform
• Re-established secure clinical messaging
• Began rebuilding complex communication workflows
• Maintained continuity of care 

The experience reinforced a dual lesson. “I think it’s both,” Hron said, when asked whether the incident highlighted improvisation or preparation. “A great response to a crisis, as well as a reminder … to think about where safeguards and backups are needed.”

As cyber threats evolve and increasingly target the broader healthcare ecosystem rather than individual organizations, those lessons are likely to resonate far beyond a single incident.

Related content:

Customer Updates: Stryker Network Disruption | Stryker

Stryker Hit By Cyberattack | HCI Innovation Group