By NHI Mgmt Group Editorial Team | Published 2024-06-10 | Domain: Governance & Risk | Source: Ping Identity

TL;DR: Healthcare cyberattacks continue to show that missing multi-factor authentication can turn a single exposed credential into service disruption, patient-data risk, and major recovery cost, according to the source article. The core issue is not just login hardening, but whether identity controls are consistently applied across all workforce and patient access paths.


At a glance

What this is: This is an editorial analysis of why missing MFA remains a systemic healthcare security weakness, with Change Healthcare used as the central example.

Why it matters: It matters because healthcare IAM teams need to treat MFA as baseline access control across human and non-human identities, not as a narrow login feature.

By the numbers:

👉 Read the source article on MFA cybersecurity in healthcare


Context

Healthcare identity security fails when access controls are partial, inconsistent, or only applied to some users and some systems. In this case, the central gap is missing MFA on a server that attackers were able to abuse, showing how one weak entry point can disrupt a highly digitised environment.

For IAM and NHI practitioners, the lesson is broader than one breach. Healthcare environments mix staff accounts, patients, vendors, APIs, and machine-driven workflows, so authentication policy has to cover every access path rather than only the most visible ones. That is typical of the sector, not an isolated governance mistake.


Key questions

Q: How should healthcare organisations apply MFA across mixed identity environments?

A: They should apply MFA wherever an identity can reach patient data, operational systems, or administrative functions, including workforce accounts, vendors, and service identities. Coverage matters more than a single login standard. If any access path remains outside policy, attackers will target the weakest route into the environment.

Q: What is the difference between two-factor authentication and MFA in practice?

A: Two-factor authentication uses exactly two verification factors, while MFA can use two or more and may be combined with device context or risk-based step-up. In practice, the difference matters when organisations need stronger control for privileged, remote, or high-impact actions rather than one fixed login pattern.

Q: When does MFA stop being enough on its own?

A: MFA is not enough when access is overprivileged, revocation is slow, or service accounts and integrations are left outside governance. It reduces unauthorised logins, but it does not solve blast radius, poor lifecycle control, or weak segmentation. Effective programmes pair MFA with least privilege and rapid offboarding.

Q: Why do healthcare identity controls need to cover non-human identities too?

A: Because APIs, service accounts, and automation paths often have access to the same systems as staff users, but they are easier to miss in policy design. If non-human identities are not governed, attackers can use them to move through the environment even when workforce MFA is strong.


Technical breakdown

Why missing MFA still creates a high-impact entry point

MFA reduces the chance that a stolen password alone will unlock a system, but it does not eliminate weak configuration, exposed services, or poor access segmentation. In healthcare, attackers often need only one neglected server, remote access path, or legacy application to find a route into a broader environment. If MFA is absent at that entry point, the control that should have absorbed the credential theft never activates. The result is not just authentication failure, but a failure of containment across connected clinical and business systems.

Practical implication: inventory every externally reachable login path and enforce MFA where access risk is highest first.
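The inventory exercise above, as an added example that is not code from the source article or from Ping Identity: a script that ranks authentication paths lacking MFA by exposure, privilege and how far a session landing on that path can travel, so the highest-risk gaps are closed first. The inventory, the system names and the lateral-movement map are constructed sample data, and the score weights are an assumption chosen for illustration, not a standard.

```python
# Added example (not from the source article or Ping Identity):
# rank MFA gaps across an inventory of authentication paths and measure
# how far a session from each path can travel. The inventory and the
# reachability map are constructed sample data with hypothetical names.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPath:
    name: str
    identity_type: str    # workforce | patient | vendor | service
    internet_exposed: bool
    mfa_enforced: bool
    privileged: bool      # admin, help-desk or break-glass rights
    reaches_phi: bool     # can read or write patient records
    lands_on: str         # first system a successful login reaches


# Constructed inventory (hypothetical paths and systems).
INVENTORY = [
    AccessPath("citrix-remote-access", "workforce", True, True, False, True, "clinical-desktop"),
    AccessPath("vpn-legacy-ssl", "workforce", True, False, False, True, "intranet"),
    AccessPath("vendor-support-rdp", "vendor", True, False, True, True, "jump-host"),
    AccessPath("patient-portal", "patient", True, False, False, True, "portal-api"),
    AccessPath("hl7-integration-svc", "service", False, False, False, True, "interface-engine"),
    AccessPath("billing-admin-console", "workforce", False, False, True, False, "billing"),
]

# Constructed lateral-movement map: systems reachable from a session on
# the key system without a fresh authentication (hypothetical).
REACHABLE = {
    "intranet": {"interface-engine", "billing"},
    "jump-host": {"clinical-desktop", "interface-engine"},
    "interface-engine": {"ehr-db"},
    "clinical-desktop": {"ehr-db"},
    "portal-api": {"ehr-db"},
    "billing": set(),
    "ehr-db": set(),
}


def blast_radius(start, reachable=REACHABLE):
    """Systems a session starting on `start` can transitively reach (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in reachable.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def risk_score(path, reachable=REACHABLE):
    """Additive score; the weights are assumptions, not a standard.
    Exposure and privilege weigh most, then PHI reach, then the number
    of further systems a session can travel to."""
    score = 4 if path.internet_exposed else 0
    score += 3 if path.privileged else 0
    score += 2 if path.reaches_phi else 0
    score += len(blast_radius(path.lands_on, reachable)) - 1
    return score


def mfa_gaps(inventory=INVENTORY, reachable=REACHABLE):
    """Paths without MFA, highest risk first, each with its remediation.

    Service identities cannot answer an interactive prompt, so their
    remediation is workload authentication (mTLS or short-lived tokens)
    plus rotation, not an MFA prompt."""
    gaps = [p for p in inventory if not p.mfa_enforced]
    gaps.sort(key=lambda p: (-risk_score(p, reachable), p.name))
    return [
        (p.name, risk_score(p, reachable),
         "workload-auth" if p.identity_type == "service" else "enforce-mfa")
        for p in gaps
    ]


if __name__ == "__main__":
    for name, score, fix in mfa_gaps():
        print(f"{score:>3}  {fix:<14} {name}")
```

On the constructed data the internet-exposed, privileged vendor RDP path ranks first, ahead of the legacy VPN, because a session on its jump host can reach the interface engine and the record store. The point of the blast-radius term is that two paths with identical login hygiene can have very different containment failure if one of them lands on a system with broad trust.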

Two-factor authentication versus MFA in operational terms

Two-factor authentication uses exactly two verification factors, while MFA can require two or more factors and may be paired with device checks, step-up policies, or risk scoring. For healthcare, the distinction matters because some systems need stronger controls than a fixed password-plus-code pattern. A remote clinician, a payer administrator, and an automation account do not carry the same risk profile. The control should adapt to context, not assume one authentication recipe fits all identities.

Practical implication: design authentication policies by identity type and session risk, not by one universal login flow.

Why healthcare identity security must include all user types

Healthcare IAM frequently breaks when organisations protect workforce users but leave gaps around patient portals, partner access, and service-facing accounts. Those identities may not look the same, but they all represent trust relationships that can be abused if authentication is weak or inconsistent. The core architectural issue is coverage. If policy stops at employees, attackers will seek the weaker path through vendors, delegated access, or unmanaged machine accounts tied to clinical workflows.

Practical implication: apply MFA policy and access review across workforce, patient, vendor, and service identities together.


Threat narrative

Attacker objective: The attacker objective was to gain operational leverage over healthcare systems while maximising disruption and ransom pressure.

  1. Entry occurred when attackers exploited a server that lacked MFA protection, giving them a weaker authentication path into the environment.
  2. Escalation followed as the access point allowed disruption of systems tied to healthcare operations and sensitive data handling.
  3. Impact was large-scale service paralysis, ransomware payment, and major recovery cost across the organisation and its healthcare ecosystem.

Related incidents:

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Missing MFA is rarely the root cause, but it is often the control failure that turns exposure into breach. In healthcare, the real problem is usually broader identity sprawl, incomplete access coverage, and legacy systems that sit outside modern policy enforcement. MFA helps only when it is applied consistently across the actual attack surface, including third-party and machine-mediated access. Practitioners should treat missing MFA as a governance defect, not a simple configuration oversight.

Healthcare is a strong example of identity blast radius. One weak server or account can cascade into patient care disruption, billing interruption, and recovery cost that far exceeds the original access failure. That makes authentication a resilience control, not just an account-login control. Security teams should measure how far a single compromised identity can travel across clinical, administrative, and integration layers.

Two-factor authentication is not the same as defensible identity policy. A narrow 2FA deployment can leave gaps if it excludes remote systems, service accounts, or step-up verification for privileged actions. MFA should be part of a broader access model that includes least privilege, session context, and review of privileged pathways. The practical conclusion is simple: authentication strength must match operational risk.

Healthcare IAM programmes need to govern both human and non-human identities together. Clinical workflows increasingly rely on APIs, integrations, and service identities that can be just as disruptive as a stolen workforce login. If those identities are not folded into MFA-adjacent policy, the organisation protects the front door while leaving side entrances open. Teams should unify identity governance across all access types.

Identity resilience in healthcare depends on reducing persistence, not just adding verification. MFA can slow an attacker, but it does not fix overbroad entitlements, long-lived sessions, or weak revocation processes. The field should move toward tighter lifecycle control, stronger access review, and smaller blast radius per identity. Practitioners should focus on removal of standing trust, not only stronger prompts.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For deeper context, see 52 NHI Breaches Analysis for root cause patterns across real-world identity incidents.

What this signals

Healthcare teams should read this as a warning about identity control coverage, not just authentication strength. The practical risk is that a narrow MFA rollout can still leave service accounts, delegated workflows, and remote support paths exposed. With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the real challenge is shrinking the attack surface around every identity, not only the login screen.

Identity blast radius: when one compromised account can reach clinical, administrative, and integration systems, access policy becomes a resilience issue. Healthcare security programmes should expect auditors and incident responders to ask how far a single identity can travel before it is stopped. Aligning authentication with least privilege and lifecycle controls will matter more than adding another verification prompt.


For practitioners

  • Map every authentication path in clinical and administrative systems: Identify where MFA is missing across patient portals, remote access, vendor entry points, legacy applications, and service-facing workflows. Prioritise internet-exposed systems and accounts that can reach sensitive records or operational tooling.
  • Require MFA for all privileged and remote access: Apply strong authentication to administrators, help desk accounts, remote support channels, and delegated access flows. Use step-up verification for high-risk actions such as exports, privilege elevation, and changes to identity policy.
  • Include non-human identities in access governance: Bring APIs, service accounts, automation jobs, and integration users into the same review cycle as human identities. Pair MFA-adjacent controls with secrets rotation, scoped permissions, and revocation procedures for machine identities.
  • Reduce blast radius with least privilege and session limits: Limit what any single identity can reach, shorten session lifetime where possible, and remove standing access from accounts that only need occasional elevation. In healthcare, containment matters because one weak path can affect both care delivery and back-office systems.
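The four practitioner steps above, and the earlier point that policy should be designed by identity type and session risk rather than one universal login flow, as one added example that is not code from the source article or from Ping Identity: a policy evaluator that requires a factor on every human path, expires sessions on a per-identity-type lifetime, steps up for exports, privilege elevation and identity-policy changes, and applies separate rules to service identities, which cannot answer a prompt and are instead held to workload credentials and secret age. The action names, credential labels, lifetimes and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the source article or Ping Identity): an
# authentication policy evaluated per identity type, session age and
# action, with step-up for high-impact actions and separate rules for
# non-human identities. Thresholds, action names and credential labels
# are assumptions chosen for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # no valid factor for this session
    STEP_UP = "step_up"           # fresh factor needed for this action
    DENY = "deny"


@dataclass
class Session:
    identity_type: str           # workforce | patient | vendor | service
    privileged: bool
    remote: bool                 # outside the clinical network
    mfa_age_s: Optional[int]     # seconds since last factor; None = never
    credential: str              # password | oidc_token | mtls | static_key
    secret_age_days: int = 0     # used for service identities only


# Hypothetical policy constants.
STEP_UP_ACTIONS = {"export_records", "elevate_privilege", "change_auth_policy"}
PRIVILEGED_ACTIONS = {"elevate_privilege", "change_auth_policy"}
ADMIN_ONLY = {"change_auth_policy"}          # never delegated to vendors
MAX_SESSION_S = {"workforce": 8 * 3600, "vendor": 4 * 3600, "patient": 30 * 60}
FRESH_FACTOR_S = 5 * 60                      # step-up window
MAX_SECRET_AGE_DAYS = 90
WORKLOAD_CREDENTIALS = {"mtls", "oidc_token"}


def evaluate(session: Session, action: str) -> Decision:
    """Return the decision for `action` under the policy above."""
    if session.identity_type == "service":
        # A machine cannot answer an MFA prompt. Require a workload
        # credential, refuse stale or static secrets, and never let a
        # service identity perform human-only high-impact actions.
        if session.credential not in WORKLOAD_CREDENTIALS:
            return Decision.DENY
        if session.secret_age_days > MAX_SECRET_AGE_DAYS:
            return Decision.DENY
        if action in STEP_UP_ACTIONS:
            return Decision.DENY
        return Decision.ALLOW

    # Human identities: every path needs a factor, and the session
    # lifetime depends on identity type and halves for remote sessions.
    if session.mfa_age_s is None:
        return Decision.REQUIRE_MFA
    lifetime = MAX_SESSION_S[session.identity_type]
    if session.remote:
        lifetime //= 2
    if session.mfa_age_s > lifetime:
        return Decision.REQUIRE_MFA

    if action in STEP_UP_ACTIONS:
        # Patients never hold administrative capability; privileged
        # actions need a privileged identity; vendors may be elevated
        # for support work but never change identity policy.
        if session.identity_type == "patient":
            return Decision.DENY
        if action in PRIVILEGED_ACTIONS and not session.privileged:
            return Decision.DENY
        if session.identity_type == "vendor" and action in ADMIN_ONLY:
            return Decision.DENY
        if session.mfa_age_s > FRESH_FACTOR_S:
            return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    clinician = Session("workforce", False, True, 3600, "password")
    print(evaluate(clinician, "view_record").value)      # allow
    print(evaluate(clinician, "export_records").value)   # step_up
    hl7 = Session("service", False, False, None, "static_key", 200)
    print(evaluate(hl7, "read_hl7").value)               # deny
```

Two design choices carry the argument of this page. First, the service branch returns a decision without ever consulting `mfa_age_s`: the control for a machine identity is the credential type and its age, so an integration running on a static key or a 200-day-old secret is refused even though no login prompt was ever involved. Second, a fresh factor for a sensitive action is required per action, not per session, so a valid eight-hour workforce session still has to re-verify before an export or an identity-policy change.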

Key takeaways

  • Missing MFA in healthcare remains dangerous because one weak access path can still trigger broad operational disruption.
  • The scale of identity exposure is amplified when workforce, vendor, and non-human accounts are not governed together.
  • Healthcare teams should pair MFA with least privilege, revocation discipline, and service-account oversight to reduce blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-03 (Identity Management, Authentication, and Access Control) | Missing MFA is an authentication control gap: CSF 2.0 expects users, services, and hardware to be authenticated.
NIST Zero Trust (SP 800-207) | Tenets of zero trust | The article's gap is inconsistent verification across access paths; zero trust expects authentication and authorisation to be enforced dynamically on every access, not only at a subset of entry points.
OWASP Non-Human Identity Top 10 | NHI-03 | Service and machine identities also need rotation and access governance.

Treat every session as untrusted and step up verification for sensitive healthcare access.


Key terms

  • Multi-Factor Authentication: Multi-factor authentication requires two or more independent verification factors before access is granted. In practice, it reduces the chance that a stolen password alone will open a system, but it only works well when applied consistently across all high-risk access paths and identity types.
  • Identity Blast Radius: Identity blast radius is the amount of damage a single compromised account or credential can cause across connected systems. It reflects privilege scope, session duration, and how widely the identity can move before security controls or revocation stop it.
  • Non-Human Identity: A non-human identity is any machine-operated identity used by software, services, or automation to authenticate and access resources. Examples include service accounts, API keys, tokens, certificates, and AI agents, all of which require governance because they can carry persistent access and broad privileges.

Deepen your knowledge

MFA governance for healthcare identities is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment combines clinical, administrative, and machine identities, it is worth exploring.

This post draws on content published by the source article on MFA cybersecurity in healthcare. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2024-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org