TL;DR: Change Healthcare’s ransomware incident underscores how a missing MFA control on remote access can let stolen employee credentials become prolonged network access, enabling attackers to linger for nine days before disruption, according to 1Kosmos. The lesson is that identity assurance and remote access governance remain operational controls, not checkbox protections.
NHIMG editorial — based on content published by 1Kosmos covering the Change Healthcare ransomware attack: identity verification and authentication gaps in remote access
Questions worth separating out
Q: How should organisations protect remote access against credential theft?
A: Organisations should enforce multi-factor authentication on every remote access route, remove legacy password-only exceptions, and validate that factor prompts cannot be bypassed through alternate entry points.
Q: Why do compromised user credentials often lead to ransomware?
A: Compromised credentials give attackers a legitimate identity that can blend into normal traffic, making it easier to explore systems, escalate access, and prepare encryption or extortion actions.
Q: What do security teams get wrong about MFA on remote access?
A: Teams often treat MFA as a box to tick rather than a control that must be enforced across every access path.
Practitioner guidance
- Enforce MFA on every remote access path Require multi-factor authentication for all staff remote access applications, including VPNs, portals, and third-party access routes.
- Review compensating controls for credential theft Assume passwords will be stolen and test whether phishing, SIM swap, and OTP interception can still produce a valid session.
- Constrain what authenticated users can reach Use least privilege, segmentation, and step-up checks so that a compromised staff account cannot move freely into critical systems.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The Change Healthcare attack narrative and how the remote access failure was discovered.
- The vendor's discussion of passwordless multi-factor authentication methods, including biometrics, push notifications, and hardware tokens.
- The identity proofing and audit-trail capabilities described as part of the platform context.
- The compliance framing tied to NIST 800-63-3 and related identity assurance standards.
👉 Read 1Kosmos's analysis of the Change Healthcare ransomware attack and MFA failure →
MFA gaps in remote access: what healthcare IAM teams missed?
Explore further
Remote access MFA gaps remain a human identity failure with systemic consequences: When a staff-facing access path accepts only a password, the organisation is effectively treating credential theft as a tolerable risk. That assumption no longer holds in an environment where phishing, SIM swapping, and stolen OTPs are routine attacker playbooks. The lesson is not simply that MFA is missing, but that remote access has been allowed to behave like a low-friction trust channel. Practitioners should treat that as a governance defect, not a tooling detail.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when remote access authentication fails?
A: Accountability sits with the identity, access, and system owners jointly, because the failure spans authentication design, access path governance, and detection coverage. In regulated environments, leaders should be able to show who approved exceptions, who reviewed risk, and who owns the control outcome.
👉 Read our full editorial: Change Healthcare shows how MFA gaps become ransomware exposure