TL;DR: Change Healthcare’s ransomware incident underscores how a missing MFA control on remote access can let stolen employee credentials become prolonged network access, enabling attackers to linger for nine days before disruption, according to 1Kosmos. The lesson is that identity assurance and remote access governance remain operational controls, not checkbox protections.
At a glance
What this is: An analysis of the Change Healthcare ransomware incident and the role that missing multi-factor authentication played in enabling credential compromise and prolonged attacker access.
Why it matters: Remote access identity controls, authentication assurance, and account governance are shared concerns across human IAM, NHI protection, and autonomous access paths.
👉 Read 1Kosmos's analysis of the Change Healthcare ransomware attack and MFA failure
Context
Change Healthcare’s ransomware incident is a reminder that a remote access path without strong authentication can become a full network entry point. In this case, the preliminary investigation pointed to missing multi-factor authentication on a staff-facing remote access application, which allowed stolen credentials to be used for unauthorised access.
For IAM and security teams, the issue is not only whether MFA exists, but whether access paths are hardened enough to resist credential theft, social engineering, and session abuse. That makes the incident relevant to human identity controls first, but it also reinforces the broader governance lesson for NHI and autonomous programmes: access that can be impersonated or hijacked becomes an operational exposure, not just an authentication problem.
Key questions
Q: How should organisations protect remote access against credential theft?
A: Organisations should enforce multi-factor authentication on every remote access route, remove legacy password-only exceptions, and validate that factor prompts cannot be bypassed through alternate entry points. They should also pair authentication with conditional access and session monitoring so a stolen password does not translate directly into trusted network access.
Q: Why do compromised user credentials often lead to ransomware?
A: Compromised credentials give attackers a legitimate identity that can blend into normal traffic, making it easier to explore systems, escalate access, and prepare encryption or extortion actions. Ransomware is usually a second-stage outcome that depends on the attacker surviving long enough inside the environment to stage impact.
Q: What do security teams get wrong about MFA on remote access?
A: Teams often treat MFA as a box to tick rather than a control that must be enforced across every access path. If any remote login route remains password-only, attackers can target the weakest path, making the control ineffective in practice even if the policy appears complete.
Q: Who is accountable when remote access authentication fails?
A: Accountability sits with the identity, access, and system owners jointly, because the failure spans authentication design, access path governance, and detection coverage. In regulated environments, leaders should be able to show who approved exceptions, who reviewed risk, and who owns the control outcome.
Technical breakdown
Remote access without MFA creates an identity bypass path
Remote access applications are high-value control points because they often sit directly in front of internal systems. When MFA is absent, a stolen password can be enough to impersonate a legitimate user, especially if the attack also uses phishing, OTP theft, or SIM swap tactics. The control failure is not just weak login security. It is the absence of a second verification factor on an access path that was assumed to be trusted enough for staff use.
Practical implication: remote access must be treated as a privileged entry surface, with MFA enforced on every externally reachable path.
Credential compromise turns authentication weakness into lateral access
Once an attacker authenticates as a valid user, the identity layer stops being a front-door problem and becomes a lateral movement problem. The attacker can search for shared drives, administrative tools, service portals, and patient or operational systems that sit behind the compromised account. In incidents like this, the key failure is that identity proof at login does not equal session trust throughout the environment. Controls need to assume the credential will be abused, not merely stolen.
Practical implication: pair strong authentication with least privilege, segmentation, and access monitoring to limit what a compromised account can reach.
Delayed detection gives ransomware crews time to stage impact
The nine-day dwell time matters because ransomware is rarely a single-step event. Attackers typically use the interval after initial access to map the environment, identify high-value assets, disable recovery paths, and prepare encryption or extortion actions. A long dwell time usually signals weak identity telemetry, insufficient session monitoring, or gaps in alert response for abnormal access patterns. The business damage comes from this quiet preparation phase, not only from the final encryption event.
Practical implication: monitor for unusual logins, off-hours access, and repeated authentication anomalies before attackers can convert access into impact.
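The signals named in the practical implication above (unusual logins, off-hours access, repeated authentication anomalies) can be expressed as simple detection rules over remote-access authentication logs. The Python below is an added example, not code from the original post or from 1Kosmos: the log format, user names, addresses (RFC 5737 test ranges), thresholds and rule names are all assumptions, and the sample log is constructed so that one account shows a burst of failures from an unfamiliar source at 02:41 UTC followed by a success.

```python
"""Rule-based detection over remote-access authentication logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical users, RFC 5737 test addresses, assumed format):
# one successful login per user establishes a baseline, then one account shows a burst of
# failures from an unfamiliar address at 02:41 UTC followed by a success.
SAMPLE_LOG = """\
2024-01-10T09:02:11Z user=jdoe src=203.0.113.10 result=success path=remote-portal
2024-01-10T09:15:40Z user=asmith src=198.51.100.7 result=success path=vpn
2024-01-11T02:41:03Z user=jdoe src=192.0.2.55 result=failure path=remote-portal
2024-01-11T02:41:09Z user=jdoe src=192.0.2.55 result=failure path=remote-portal
2024-01-11T02:41:15Z user=jdoe src=192.0.2.55 result=failure path=remote-portal
2024-01-11T02:41:20Z user=jdoe src=192.0.2.55 result=failure path=remote-portal
2024-01-11T02:41:44Z user=jdoe src=192.0.2.55 result=success path=remote-portal
2024-01-11T10:05:00Z user=asmith src=198.51.100.7 result=success path=vpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+) path=(?P<path>\S+)$"
)

# Tunable thresholds; the values are assumptions, not figures from the article.
OFF_HOURS_START = 22          # successful logins from 22:00 UTC ...
OFF_HOURS_END = 6             # ... to 06:00 UTC are flagged
FAILURE_BURST = 3             # this many failures in the window before a success
BURST_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    result: str
    path: str


def parse_log(text):
    """Parse key=value log lines into AuthEvents, skipping malformed lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["user"], m["src"], m["result"], m["path"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Return (rule, user, timestamp) alerts for three post-login visibility gaps."""
    alerts = []
    known_sources = defaultdict(set)     # user -> source IPs seen on earlier successes
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        key = (e.user, e.src)
        # Keep only failures inside the sliding window for this user/source pair.
        window = [t for t in recent_failures[key] if e.ts - t <= BURST_WINDOW]
        if e.result != "success":
            window.append(e.ts)
            recent_failures[key] = window
            continue
        # Rule 1: successful login outside working hours.
        if e.ts.hour >= OFF_HOURS_START or e.ts.hour < OFF_HOURS_END:
            alerts.append(("off_hours_login", e.user, e.ts.isoformat()))
        # Rule 2: success preceded by a burst of failures from the same source.
        if len(window) >= FAILURE_BURST:
            alerts.append(("failures_then_success", e.user, e.ts.isoformat()))
        recent_failures[key] = []
        # Rule 3: success from a source never seen for this user; the first observed
        # source is taken as the baseline rather than alerted on.
        if known_sources[e.user] and e.src not in known_sources[e.user]:
            alerts.append(("new_source_for_user", e.user, e.ts.isoformat()))
        known_sources[e.user].add(e.src)
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts} {user}: {rule}")
```

On the constructed log the detector raises all three rules for the single 02:41 success and nothing for the account whose logins stay within its baseline. In production the same three rules would sit on an identity provider's sign-in events with a learned per-user baseline instead of a first-seen source, but the point the article makes holds either way: each rule fires at the login, long before a nine-day dwell time can elapse.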
Threat narrative
Attacker objective: convert stolen user access into ransomware disruption against a major healthcare technology environment.
- Entry occurred through a remote access application that did not require multi-factor authentication, allowing stolen employee credentials to be used for initial access.
- Escalation followed as the attackers remained inside the environment for nine days, using the valid session to explore systems and prepare their ransomware operation.
- Impact came when the attackers launched ransomware and disrupted critical healthcare services across the United States.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Remote access MFA gaps remain a human identity failure with systemic consequences: When a staff-facing access path accepts only a password, the organisation is effectively treating credential theft as a tolerable risk. That assumption no longer holds in an environment where phishing, SIM swapping, and stolen OTPs are routine attacker playbooks. The lesson is not simply that MFA is missing, but that remote access has been allowed to behave like a low-friction trust channel. Practitioners should treat that as a governance defect, not a tooling detail.
Standing trust in authenticated sessions is the real risk multiplier: The breach shows how one successful login can turn into broad environmental exposure when session scope is too loose and monitoring is too shallow. That is why identity assurance has to extend beyond authentication events and into privilege containment, segmentation, and behavioral detection. The practitioner conclusion is clear: access success should never be interpreted as access safety.
Named concept: authentication assurance debt: This breach illustrates the accumulated risk created when organisations postpone MFA and over-rely on password-only remote access. That debt compounds until one compromised credential becomes an enterprise-scale incident. The implication is that identity programmes need to recognise deferred authentication controls as a form of operational exposure, not a future hardening task.
Healthcare disruption exposes identity control fragility as a resilience issue: Ransomware is often discussed as malware, but in practice it is a failure of access governance that allowed malware operators to stay long enough to matter. In regulated and operationally critical environments, weak identity controls directly threaten continuity of service. Practitioners should read this as a reminder that identity assurance is part of service resilience, not just account security.
Authentication controls must be evaluated by attacker economics, not policy intent: A control that looks adequate on paper can still fail if a real attacker can bypass or neutralise it through credential theft and social engineering. The relevant question is not whether MFA exists somewhere in the architecture, but whether it closes the specific access paths attackers actually use. The practitioner takeaway is to test controls against lived attack behaviour, not policy language.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Credential overexposure is a lifecycle problem, so review 52 NHI Breaches Analysis for the recurring failure patterns that let access persist.
What this signals
Authentication assurance debt: the long tail of password-only access and weak exception handling is now a measurable governance liability. As organisations add cloud, remote work, and machine-to-machine access, the same weak trust assumptions can surface across human identity, NHI, and autonomous programmes.
Teams should expect audit pressure to move from policy existence to control effectiveness, especially where remote access, third-party connectivity, and privileged sessions are involved. A control that cannot survive realistic credential theft scenarios is not a mature control, regardless of how well documented it appears.
The practical signal is to treat authentication, session scope, and post-login visibility as one programme. Where those three are managed separately, attackers can still turn a single valid login into multi-day dwell time and operational disruption.
For practitioners
- Enforce MFA on every remote access path: Require multi-factor authentication for all staff remote access applications, including VPNs, portals, and third-party access routes. Verify that the control cannot be bypassed through alternate logon methods or legacy exceptions.
- Review compensating controls for credential theft: Assume passwords will be stolen and test whether phishing, SIM swap, and OTP interception can still produce a valid session. Where they can, add stronger factor binding and tighter conditional access rules.
- Constrain what authenticated users can reach: Use least privilege, segmentation, and step-up checks so that a compromised staff account cannot move freely into critical systems. Limit access paths to only the systems each role genuinely requires.
- Shorten the dwell time between login and detection: Monitor for anomalous login patterns, unusual device behavior, off-hours access, and repeated authentication failures so that attacker presence is surfaced before ransomware staging is complete.
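The first two practitioner items above amount to an inventory question: for every externally reachable logon route, is a second factor enforced, is it phishing-resistant, is any password-only exception still within its approved window, and can the same system be entered through an alternate route that skips MFA? The Python below is an added example, not code from the original post or from 1Kosmos: the inventory, system and route names, audit date, severity labels and the classification of which authenticators count as phishing-resistant are all assumptions, and the inventory is constructed to contain one of each failure.

```python
"""Audit remote-access logon routes for MFA coverage (added example)."""
from collections import defaultdict
from datetime import date

# Assumed classification of authenticators; adjust to the organisation's own standard.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "smartcard"}
SECOND_FACTORS = PHISHING_RESISTANT | {"totp", "sms_otp", "push"}

# Constructed inventory with hypothetical system and route names: one record per logon
# route, because the same system is often reachable through more than one of them.
REMOTE_ACCESS_PATHS = [
    {"system": "remote-desktop", "route": "web-portal", "exposure": "internet",
     "auth_methods": ["password", "totp"], "exception_until": None},
    {"system": "remote-desktop", "route": "legacy-rdp-gateway", "exposure": "internet",
     "auth_methods": ["password"], "exception_until": "2023-06-30"},
    {"system": "vpn", "route": "ssl-vpn", "exposure": "internet",
     "auth_methods": ["password", "fido2"], "exception_until": None},
    {"system": "vendor-support", "route": "third-party-jump-host", "exposure": "internet",
     "auth_methods": ["password"], "exception_until": None},
    {"system": "intranet-wiki", "route": "sso", "exposure": "internal",
     "auth_methods": ["password"], "exception_until": None},
]

AUDIT_DATE = date(2024, 2, 1)  # constructed "today" so the result is reproducible


def audit_paths(paths, today):
    """Return sorted (severity, finding, where) tuples for externally reachable routes."""
    findings = []
    routes_by_system = defaultdict(list)
    for p in paths:
        if p["exposure"] != "internet":
            continue  # scope: paths reachable from outside the perimeter
        factors = set(p["auth_methods"])
        has_mfa = bool(factors & SECOND_FACTORS)
        where = f'{p["system"]}/{p["route"]}'
        if not has_mfa:
            exc = p["exception_until"]
            if exc is None:
                findings.append(("critical", "password_only_no_exception", where))
            elif date.fromisoformat(exc) < today:
                findings.append(("critical", "password_only_expired_exception", where))
            else:
                findings.append(("high", "password_only_approved_exception", where))
        elif not (factors & PHISHING_RESISTANT):
            findings.append(("medium", "mfa_not_phishing_resistant", where))
        routes_by_system[p["system"]].append((p["route"], has_mfa))
    # A system that enforces MFA on one route but not another can be entered via the weak one.
    for system, routes in routes_by_system.items():
        weak = [r for r, mfa in routes if not mfa]
        if weak and len(weak) < len(routes):
            findings.append(("critical", "mfa_bypass_via_alternate_route",
                             f"{system}: {', '.join(weak)}"))
    return sorted(findings)


def audit_sample():
    """Audit the constructed inventory as of the constructed audit date."""
    return audit_paths(REMOTE_ACCESS_PATHS, AUDIT_DATE)


if __name__ == "__main__":
    for severity, finding, where in audit_sample():
        print(f"[{severity}] {finding}: {where}")
```

The per-route check alone would rate the remote-desktop web portal as adequate; only the per-system pass notices that the same system still accepts a password-only legacy gateway whose exception lapsed months earlier, which is the "alternate logon method or legacy exception" bypass the first practitioner item warns about. Running the audit against a live inventory export on a schedule turns the MFA policy into the control-effectiveness evidence the article says auditors will increasingly ask for.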
Key takeaways
- The breach shows that password-only remote access can turn a single credential compromise into enterprise-scale ransomware exposure.
- The impact was not just malware execution but nine days of attacker dwell time, which allowed staging and widened disruption.
- The control most directly tied to prevention is enforced MFA on every remote access path, combined with tighter session containment and monitoring.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Identity proofing and authentication assurance are central to the remote access failure described. |
| NIST CSF 2.0 | PR.AC-1 | Access control failed at the remote entry point, enabling credential abuse. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The incident shows why authenticated access must still be continuously constrained and verified. |
Require phishing-resistant authentication on all external access paths and remove password-only exceptions.
Key terms
- Remote Access Application: A remote access application is a system that lets users connect to internal services from outside the network perimeter. In identity governance terms, it is a high-risk authentication choke point because it can turn one compromised credential into broad internal access if assurance is weak.
- Multi-Factor Authentication: Multi-factor authentication requires more than one proof of identity before access is granted. It reduces the value of stolen passwords, but only when it is enforced consistently across all access paths and is resistant to common bypass techniques such as phishing, OTP theft, and social engineering.
- Dwell Time: Dwell time is the period between an attacker’s initial access and the moment they are detected or expelled. Longer dwell time usually means the attacker had enough room to explore, escalate, and prepare impact, which makes identity telemetry and session monitoring crucial.
- Session Containment: Session containment is the practice of limiting what an authenticated user can do after login. It combines least privilege, segmentation, and behavioral monitoring so that a valid session does not become unrestricted internal movement if the account is abused.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos covering the Change Healthcare ransomware attack: identity verification and authentication gaps in remote access. Read the original.
Published by the NHIMG editorial team on 2024-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org