TL;DR: Two early-2026 MedTech incidents showed that phishing and stolen admin credentials can disrupt operations without exploiting devices, while GlobalData projects medical device cybersecurity spending will rise to $1.2 billion by 2027 from $631 million in 2022. The lesson is that verified identity, not perimeter hardening alone, is now the control plane that determines business continuity.
At a glance
What this is: An identity-security analysis of two MedTech incidents in which phishing and stolen admin credentials disrupted operations through valid access rather than device exploitation.
Why it matters: MedTech, IAM, and security teams must govern workforce, vendor, and privileged access as the primary attack surface, not as a secondary control layer.
By the numbers:
- Medical device cybersecurity spending is projected to reach $1.2 billion by 2027, up from $631 million in 2022.
- Phishing accounted for the initial access vector in a majority of healthcare breaches in 2024.
- More than 70% of healthcare organizations reported moderate to severe financial effects from a cyber incident in the past two years.
- 27 days: the average estimated time to remediate a leaked secret, according to The State of Secrets in AppSec.
👉 Read 1Kosmos' analysis of identity security risks in MedTech
Context
Medical tech identity security is the control problem that sits in front of every clinical and operational workflow. When attackers enter through phishing or stolen credentials, they do not need to break devices to cause damage, because access to business systems and admin consoles is often enough to disrupt orders, data, and downstream operations.
That is why the question for MedTech is not whether perimeter defenses still matter, but whether identity verification is strong enough to make those defenses meaningful. Verified identity, privileged access governance, and session-level assurance now determine whether a trusted login becomes a contained event or an enterprise incident.
The two incidents in the article are typical of a broader pattern: the attacker uses legitimate access, native tools, and weak identity assurance to turn business continuity into a target. That makes the identity layer the true risk boundary for healthcare technology environments.
Key questions
Q: How should MedTech organisations stop phishing from leading to privileged access abuse?
A: They should use phishing-resistant authentication, bind access to a specific device and verified identity, and remove SMS-based fallback paths wherever privileged systems are reachable. The goal is to make captured credentials unusable for administrative access and to ensure that a stolen login cannot be replayed into sensitive business or device-management systems.
Q: Why do stolen admin credentials create outsized risk in medical technology environments?
A: Because admin roles often span ordering systems, device management, and internal business applications, one compromised account can affect both operations and data. In MedTech, the risk is amplified when privileged access is broad, long-lived, and not separated by action type, allowing legitimate tools to be used for destructive tasks.
Q: What do security teams get wrong about verifying identity once at login?
A: They assume the risk ends when the session begins, but in practice trust can decay over time or shift when the user moves from routine work to a sensitive task. Security teams need session-level checks that revalidate identity before high-impact actions, especially in environments with distributed users and third-party access.
Q: Who is accountable when a valid admin session is used to disrupt operations?
A: Accountability sits with the organisation that granted the privilege, defined the approval path, and failed to constrain the scope of the session. Frameworks such as NIST CSF and Zero Trust push teams to treat privileged access as continuously governed, not assumed safe after initial authentication.
Technical breakdown
Why phishing still succeeds against MedTech identity controls
Phishing remains effective because many organisations still treat login as a one-time checkpoint rather than a trusted session problem. If the credential can be captured, replayed, or paired with a weak second factor, the attacker inherits whatever the identity is entitled to do. In MedTech, that often includes access to business systems, vendor portals, and administrative consoles that can affect clinical operations indirectly. The attack does not need malware if the identity itself provides the path in.
Practical implication: move phishing resistance into the authentication layer and bind access to stronger identity proofing, not just a password plus OTP pattern.
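The difference between a relayable OTP and a phishing-resistant credential, as an added example that is not part of the 1Kosmos article or NHIMG's own material: a toy adversary-in-the-middle run in Python. The domain names are constructed and an HMAC stands in for the authenticator's private-key signature (both assumptions). The phishing page relays the real site's challenge and SMS code; the OTP is accepted, the WebAuthn-style assertion is not, because the browser scopes the credential to the look-alike domain and records that origin inside the signed data, and a captured assertion cannot be replayed against a fresh challenge.

```python
"""Why an OTP survives a phishing proxy while an origin-bound assertion does not.

Added example, not code from the 1Kosmos article or NHIMG. It models an
adversary-in-the-middle (AitM) phishing page relaying a login to the real
relying party. The HMAC 'signature' stands in for the authenticator's private-key
signature (an assumption, to keep the example dependency-free); the property it
shows, a credential scoped to the page's domain with the real origin inside the
signed data, is how WebAuthn/FIDO2 binds a credential to a site.
"""
import hashlib, hmac, json, secrets

RP_ID = "portal.medtech.example"                 # constructed legitimate relying party
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://portal-medtech.example"  # constructed look-alike domain


class Authenticator:
    """Toy authenticator: one credential per rpId; keys never leave it."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]      # stand-in for the public key the RP stores

    def sign(self, rp_id, client_data):
        if rp_id not in self.keys:
            raise LookupError(f"no credential scoped to {rp_id}")
        # Real authenticators sign authenticatorData || SHA-256(clientDataJSON);
        # authenticatorData begins with SHA-256(rpId).
        msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.keys[rp_id], msg, "sha256").digest()


def browser_assert(auth, page_origin, challenge):
    """The browser's side of navigator.credentials.get(): it writes the page's own
    origin into clientData and scopes the request to the page's domain. Page
    script can override neither value."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    return client_data, auth.sign(rp_id, client_data)


class RelyingParty:
    def __init__(self):
        self.pubkeys, self.pending, self.otps = {}, {}, {}

    def send_otp(self, user):        # delivered out of band, typed wherever the user is
        self.otps[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[user]

    def verify_otp(self, user, code):
        return hmac.compare_digest(self.otps.pop(user, ""), code)

    def begin_assertion(self, user):
        self.pending[user] = secrets.token_urlsafe(16)
        return self.pending[user]

    def verify_assertion(self, user, client_data, sig):
        cd = json.loads(client_data)
        if cd.get("origin") != RP_ORIGIN:                        # signed on another site
            return False
        if cd.get("challenge") != self.pending.pop(user, None):  # stale or replayed
            return False
        msg = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(hmac.new(self.pubkeys[user], msg, "sha256").digest(), sig)


def otp_login_via_phish(rp, user):
    """User is on PHISH_ORIGIN; the proxy forwards the code the user types in."""
    return rp.verify_otp(user, rp.send_otp(user))   # relayed unchanged: accepted


def webauthn_login(rp, auth, user, page_origin):
    """User is on page_origin; the proxy relays the real RP's challenge."""
    challenge = rp.begin_assertion(user)
    try:
        client_data, sig = browser_assert(auth, page_origin, challenge)
    except LookupError:
        return False                 # no credential for the look-alike domain
    return rp.verify_assertion(user, client_data, sig)


def replay_captured_assertion(rp, auth, user):
    """A genuine assertion is captured and replayed against a new challenge.
    Returns (first use accepted, replay accepted)."""
    client_data, sig = browser_assert(auth, RP_ORIGIN, rp.begin_assertion(user))
    first = rp.verify_assertion(user, client_data, sig)
    rp.begin_assertion(user)         # fresh session, fresh challenge
    return first, rp.verify_assertion(user, client_data, sig)


def demo():
    rp, auth, user = RelyingParty(), Authenticator(), "it-admin"
    rp.pubkeys[user] = auth.register(RP_ID)
    return {"otp_via_phish": otp_login_via_phish(rp, user),
            "webauthn_legit": webauthn_login(rp, auth, user, RP_ORIGIN),
            "webauthn_via_phish": webauthn_login(rp, auth, user, PHISH_ORIGIN),
            "webauthn_replay": replay_captured_assertion(rp, auth, user)}


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:20} accepted={accepted}")
```

The OTP path fails for a structural reason, not a weak implementation: the code is a bearer value with no notion of where it was typed, so a proxy that forwards it in real time is indistinguishable from the user. The assertion path fails the proxy twice, once because the authenticator holds no key for the look-alike rpId and again because the origin inside the signed clientData would not match even if it did.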
How legitimate admin tools become attack infrastructure
The second incident shows a classic living-off-the-land pattern. Once the attacker obtained Global Admin privileges, Microsoft Intune became the delivery mechanism for destructive action, because the platform itself was permitted to execute remote device operations. This is an identity failure, not a tooling failure. The control gap is not visibility into malware, but governance over who can perform high-impact admin actions and under what conditions. Native tooling becomes dangerous when privileged sessions are not strongly constrained.
Practical implication: separate everyday administrative access from high-impact actions and require stronger verification before device-wipe or mass-change commands can execute.
Why session assurance matters more than login alone
A single authentication event cannot protect a session that lasts long enough to be repurposed after compromise. Continuous assurance looks for changes in risk, device context, and user confidence during the session, then forces step-up verification before sensitive operations. In MedTech, that matters because long-lived sessions often bridge engineering, vendor, and operational workflows. The core issue is not just who logged in, but whether the same identity should still be trusted when the action is about to happen.
Practical implication: add step-up checks for sensitive actions such as admin commands, device configuration changes, and access to protected health information.
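A point-of-action policy of the kind the last two subsections describe (separating high-impact admin actions from routine administration, and re-checking the session before such an action runs), and which the practitioner items on phishing-resistant authentication and session-level step-up later restate, as an added Python example that is not code from the article or from any product. The action tiers, freshness windows, strength scale and session fields are illustrative assumptions.

```python
"""Session-level step-up policy for privileged actions.

Added example, not code from the 1Kosmos article or NHIMG: a toy policy
engine that decides at the point of action whether a live session may run a
request. The action tiers, freshness windows and strength scale are
illustrative assumptions, not any product's rules.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum


class Strength(Enum):
    """Assurance of the factor last presented, weakest to strongest."""
    PASSWORD = 0
    OTP = 1                  # SMS or app code: a phishing proxy can relay it
    PHISHING_RESISTANT = 2   # FIDO2 / passkey / certificate, bound to the device


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # may proceed once the user re-proves identity now
    DENY = "deny"            # this session can never reach the required assurance


@dataclass(frozen=True)
class Session:
    user: str
    device_bound: bool              # credential is tied to the device holding the session
    strength: Strength              # strength of the most recent authentication
    last_auth: datetime             # when that authentication happened
    strongest_registered: Strength  # best factor the user can present for a step-up


# Illustrative tiers: (required strength, how fresh the proof must be).
ACTION_POLICY = {
    "read_dashboard":       (Strength.PASSWORD,           timedelta(hours=8)),
    "view_phi":             (Strength.PHISHING_RESISTANT, timedelta(minutes=15)),
    "change_device_policy": (Strength.PHISHING_RESISTANT, timedelta(minutes=10)),
    "device_wipe":          (Strength.PHISHING_RESISTANT, timedelta(minutes=5)),
    "grant_role":           (Strength.PHISHING_RESISTANT, timedelta(minutes=5)),
}
# Actions that must additionally come from a device-bound session.
DEVICE_BOUND_REQUIRED = {"change_device_policy", "device_wipe", "grant_role"}


def evaluate(session, action, now):
    """Decide whether `session` may perform `action` at time `now`.

    Trust decays: a strong login is not enough once the proof is older than the
    action's window, and a session cannot step up beyond the strongest factor
    its user has registered.
    """
    if action not in ACTION_POLICY:
        return Decision.DENY                    # unknown action: fail closed
    required, max_age = ACTION_POLICY[action]
    # Device binding is a property of the session; a prompt cannot add it.
    if action in DEVICE_BOUND_REQUIRED and not session.device_bound:
        return Decision.DENY
    # If the user owns no factor strong enough, no prompt will help either.
    if session.strongest_registered.value < required.value:
        return Decision.DENY
    fresh = now - session.last_auth <= max_age
    strong_enough = session.strength.value >= required.value
    return Decision.ALLOW if fresh and strong_enough else Decision.STEP_UP


def step_up(session, strength, now):
    """The session as it stands after a successful re-authentication."""
    return replace(session, strength=strength, last_auth=now)


def demo():
    """Constructed sessions; returns each decision's string value."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    later = t0 + timedelta(hours=3)
    # Admin signed in with a passkey on a bound device at 09:00.
    admin = Session("it-admin", True, Strength.PHISHING_RESISTANT, t0, Strength.PHISHING_RESISTANT)
    # Phished contractor: password + SMS code, SMS is the only factor registered.
    phished = Session("contractor", False, Strength.OTP, later, Strength.OTP)
    # Helpdesk admin on a bound device who never enrolled anything beyond OTP.
    otp_admin = Session("helpdesk", True, Strength.OTP, later, Strength.OTP)
    return {
        "admin_dashboard": evaluate(admin, "read_dashboard", later).value,
        "admin_wipe_stale": evaluate(admin, "device_wipe", later).value,
        "admin_wipe_after_step_up":
            evaluate(step_up(admin, Strength.PHISHING_RESISTANT, later), "device_wipe", later).value,
        "phished_wipe": evaluate(phished, "device_wipe", later).value,
        "phished_phi": evaluate(phished, "view_phi", later).value,
        "otp_admin_policy_change": evaluate(otp_admin, "change_device_policy", later).value,
        "unknown_action": evaluate(admin, "factory_reset_all", later).value,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision}")
```

Two design choices carry the point of the passage. Freshness is evaluated per action, so the same passkey login that is good for a dashboard for hours is stale for a wipe after five minutes. And DENY is distinct from STEP_UP: a session whose user has only ever enrolled SMS, or whose credential is not device-bound, is refused outright rather than prompted, because no amount of prompting can raise it to the required assurance.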
Threat narrative
Attacker objective: The attacker objective was to turn legitimate identity access into operational disruption, data exposure, and loss of control over devices and business systems.
- Entry occurred through phishing that led to unauthorized access to internal business systems in one incident, while the other began with stolen admin credentials.
- Escalation followed when attackers used legitimate admin privileges and native tooling, including Microsoft Intune, to execute high-impact actions without malware.
- Impact across the two cases included disruption to ordering systems, remote wiping of tens of thousands of devices, and exposure of sensitive internal data.
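Detection logic for the escalation and impact steps above, as an added example that is not part of the original article or the NHIMG commentary: it scans constructed audit events (the JSON field names are a simplified assumption, not the real Entra ID or Intune schema) for a burst of remote wipes by one identity, and raises the severity when that identity was granted a role minutes earlier or last signed in without a phishing-resistant method. The thresholds are illustrative.

```python
"""Detecting a mass device-wipe burst from a freshly privileged account.

Added example, not code from the 1Kosmos article or NHIMG. The log lines are
constructed with a simplified JSON schema (an assumption: real Entra ID audit
and Intune device-action logs use different field names), and the thresholds
are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a helpdesk identity that signed in with password + SMS is
# granted Global Administrator and, minutes later, issues a run of remote wipes.
# A field engineer's single wipe after a FIDO2 sign-in is routine and must not alert.
SAMPLE_LOG = """\
{"ts": "2026-03-01T02:10:05Z", "actor": "svc-helpdesk@corp.example", "event": "SignIn", "auth_method": "password+sms"}
{"ts": "2026-03-01T02:11:40Z", "actor": "svc-helpdesk@corp.example", "event": "RoleAssigned", "role": "Global Administrator", "target": "svc-helpdesk@corp.example"}
{"ts": "2026-03-01T02:14:02Z", "actor": "svc-helpdesk@corp.example", "event": "DeviceAction", "action": "wipe", "device": "LAP-0001"}
{"ts": "2026-03-01T02:14:03Z", "actor": "svc-helpdesk@corp.example", "event": "DeviceAction", "action": "wipe", "device": "LAP-0002"}
{"ts": "2026-03-01T02:14:03Z", "actor": "svc-helpdesk@corp.example", "event": "DeviceAction", "action": "wipe", "device": "LAP-0003"}
{"ts": "2026-03-01T02:14:04Z", "actor": "svc-helpdesk@corp.example", "event": "DeviceAction", "action": "wipe", "device": "LAP-0004"}
{"ts": "2026-03-01T02:14:05Z", "actor": "svc-helpdesk@corp.example", "event": "DeviceAction", "action": "wipe", "device": "LAP-0005"}
{"ts": "2026-03-01T02:14:06Z", "actor": "svc-helpdesk@corp.example", "event": "DeviceAction", "action": "wipe", "device": "LAP-0006"}
{"ts": "2026-03-01T09:30:00Z", "actor": "fieldeng@corp.example", "event": "SignIn", "auth_method": "fido2"}
{"ts": "2026-03-01T09:31:00Z", "actor": "fieldeng@corp.example", "event": "DeviceAction", "action": "wipe", "device": "TAB-0099"}
"""

WIPE_BURST_THRESHOLD = 5                    # this many wipes by one actor ...
WIPE_BURST_WINDOW = timedelta(minutes=10)   # ... inside this sliding window
RECENT_PRIVILEGE_WINDOW = timedelta(hours=1)
PHISHING_RESISTANT_METHODS = {"fido2", "passkey", "certificate", "windows_hello"}


def parse_events(text):
    """Parse one JSON object per line into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Single pass over ordered events. Emits one alert per wipe burst,
    enriched with whether the actor was just made privileged and how it
    last authenticated; those two facts drive the severity."""
    recent_wipes = defaultdict(list)   # actor -> wipe timestamps inside the window
    last_auth = {}                     # actor -> auth method of the latest sign-in
    role_grants = defaultdict(list)    # target -> times a role was assigned
    in_burst = set()                   # actors already alerted for the current burst
    alerts = []
    for ev in events:
        actor, ts = ev["actor"], ev["ts"]
        if ev["event"] == "SignIn":
            last_auth[actor] = ev["auth_method"]
        elif ev["event"] == "RoleAssigned":
            role_grants[ev["target"]].append(ts)
        elif ev["event"] == "DeviceAction" and ev["action"] == "wipe":
            window = [t for t in recent_wipes[actor] if ts - t <= WIPE_BURST_WINDOW]
            window.append(ts)
            recent_wipes[actor] = window
            if len(window) < WIPE_BURST_THRESHOLD:
                in_burst.discard(actor)   # burst over; a later one may alert again
                continue
            if actor in in_burst:
                continue                  # already alerted for this burst
            in_burst.add(actor)
            method = last_auth.get(actor, "unknown")
            recently_privileged = any(ts - g <= RECENT_PRIVILEGE_WINDOW for g in role_grants[actor])
            phishing_resistant = method in PHISHING_RESISTANT_METHODS
            alerts.append({
                "actor": actor,
                "first_wipe": window[0].isoformat(),
                "wipes_in_window": len(window),
                "recently_privileged": recently_privileged,
                "auth_method": method,
                "phishing_resistant": phishing_resistant,
                "severity": "critical" if recently_privileged or not phishing_resistant else "high",
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

The wipe itself is a legitimate operation, so the signal is rate plus context rather than the action alone: the field engineer's single wipe stays silent, while five wipes in ten seconds from an identity that became Global Administrator two minutes after a password-plus-SMS sign-in is rated critical. In production the role-grant and sign-in facts would come from separate log sources joined on the principal, which is why the example keeps them in separate per-actor tables.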
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Verified identity has become the decisive control plane in MedTech. Perimeter security still matters, but it no longer determines whether an incident is containable when attackers arrive with valid credentials. The article’s two incidents show that the real boundary is whether the identity behind a session is trustworthy enough to be allowed to act. For security leaders, that means identity governance now sits alongside operational resilience, not below it.
Phishing-resistant authentication is now a business-continuity control, not just a login preference. The first incident shows that a single successful phish can still open internal systems that matter to patient-adjacent operations. When access paths remain vulnerable to credential capture and replay, the organisation is relying on user behaviour to compensate for weak assurance. Practitioners should treat verified authentication as a resilience requirement across employees, contractors, and vendors.
Native admin tooling creates a false sense of safety when privilege governance is weak. The Intune wipe attack is a textbook example of legitimate access being turned into destructive action. The governance gap is not the tool itself, but the assumption that an authenticated admin session is safe by default. For IAM and PAM teams, that means high-impact actions need separate trust thresholds and tighter approval logic than routine administration.
Identity verification must now extend beyond login into the full session lifecycle. MedTech environments have long-lived access paths, distributed workforces, and third-party administrators, which makes trust decay a practical risk. The article reinforces what we call verified-session drift: the gap between initial authentication and the later point at which a privileged action is executed. The implication is that access governance has to follow the session, not just issue it.
Medical tech programmes should reframe third-party and field access as privileged operational risk. The industry’s mix of vendors, engineers, and clinicians means broad access often accumulates faster than accountability does. That creates an identity blast radius problem when a single compromised account can touch device fleets, ordering systems, or sensitive internal data. MedTech teams should treat access scope as an operational safety issue, not only an IAM metric.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
- For a broader view of how identity failures accumulate across real incidents, see 52 NHI Breaches Analysis, which breaks down recurring exposure patterns and root causes.
What this signals
Verified-session drift: MedTech security programmes need to account for the gap between initial authentication and later privileged action, because that is where valid access turns into operational harm. Teams that still treat login as the end of assurance will miss the moment when an admin session becomes dangerous, especially across vendors, field service, and engineering workflows.
The control priority is shifting toward device-bound authentication, privileged action gating, and lifecycle ownership for every account that can touch operational systems. As 52 NHI Breaches Analysis shows, the same access patterns repeat when governance is not tied to use and offboarding.
MedTech teams should prepare for more scrutiny of post-authentication controls under resilience and healthcare security frameworks, because identity verification is now part of operational continuity. The practical signal is simple: if a session can still execute destructive actions after compromise, the programme has not closed the trust gap.
For practitioners
- Upgrade workforce authentication to phishing-resistant methods: Replace password and SMS-based login paths with device-bound, phishing-resistant authentication for employees, contractors, and vendors who can reach business or admin systems. Prioritise access paths that, if compromised, can influence ordering, device management, or internal data.
- Separate high-impact admin actions from routine administration: Require stronger verification, tighter approvals, and dedicated privileged workflows for actions such as remote wipes, mass configuration changes, and privilege grants. Use role scoping so a compromised admin session cannot automatically reach destructive actions.
- Map every third-party access path to an owner and offboarding trigger: Inventory vendor, field-service, and contractor access across business systems and device platforms, then tie each account to a named lifecycle owner and revocation condition. Access that outlives the business relationship expands the breach window.
- Add session-level step-up for sensitive operations: Trigger additional identity checks when a session moves from routine use to sensitive actions such as patient-data access, device policy changes, or admin commands. Session trust should decay unless the user can re-establish it at the point of action.
Key takeaways
- MedTech breaches increasingly start with identity abuse, not device compromise, which makes verified access the first line of defence.
- The evidence is clear: phishing, stolen admin credentials, and native admin tools can create major operational disruption without malware.
- Security teams need to govern privileged sessions, not just logins, by tightening authentication, action gating, and lifecycle ownership.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-03, PR.AA-05 (Identity Management, Authentication, and Access Control) | Managed identities and credentials, authenticated users, and least-privilege access permissions are central to the MedTech login failures described. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, dynamic policy, continuous evaluation of trust | The article shows why access must be continuously verified, not trusted after login. |
| NIST SP 800-63B | Authentication Assurance Levels; AAL3 requires a phishing-resistant (verifier-impersonation-resistant) authenticator | The post argues for stronger identity assurance and phishing-resistant authentication. |
Map privileged MedTech access to PR.AA-01 and PR.AA-05 (CSF 2.0 replaced the CSF 1.1 PR.AC category with PR.AA, so the PR.AC-1 identifier no longer applies) and require stronger identity proofing before granting access.
Key terms
- Verified identity: Verified identity is an access model where the person or account behind a session is strongly proven before permission is granted. In MedTech, that usually means binding authentication to a specific device and trusted credential source so login can support operational risk decisions.
- Privileged session: A privileged session is an active login that can perform high-impact administrative actions. These sessions matter more than ordinary logins because the damage from compromise is larger, the audit burden is higher, and the trust threshold must be stricter at the point of action.
- Phishing-resistant authentication: Phishing-resistant authentication uses methods that cannot be easily copied, replayed, or tricked through a fake login page. It reduces credential theft risk by tying access to cryptographic proof or hardware-backed identity signals rather than reusable secrets.
- Session-level assurance: Session-level assurance is the practice of re-evaluating trust while a session is active, not only at sign-in. It is especially important in environments where access can last for hours and sensitive actions may occur long after the original authentication event.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: How two high-profile incidents are reshaping the identity security agenda across the medical tech industry. Read the original.
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org