TL;DR: Change Healthcare’s ransomware incident underscores how a missing MFA control on remote access can turn stolen employee credentials into prolonged network access, enabling attackers to linger for nine days before disruption, according to 1Kosmos. The lesson is that identity assurance and remote access governance remain operational controls, not checkbox protections.
NHIMG editorial — based on content published by 1Kosmos covering the Change Healthcare ransomware attack: identity verification and authentication gaps in remote access
Questions worth separating out
Q: How should organisations protect remote access against credential theft?
A: Organisations should enforce multi-factor authentication on every remote access route, remove legacy password-only exceptions, and validate that factor prompts cannot be bypassed through alternate entry points.
Q: Why do compromised user credentials often lead to ransomware?
A: Compromised credentials give attackers a legitimate identity that can blend into normal traffic, making it easier to explore systems, escalate access, and prepare encryption or extortion actions.
Q: What do security teams get wrong about MFA on remote access?
A: Teams often treat MFA as a box to tick rather than a control that must be enforced across every access path.
Practitioner guidance
- Enforce MFA on every remote access path: Require multi-factor authentication for all staff remote access applications, including VPNs, portals, and third-party access routes.
- Review compensating controls for credential theft: Assume passwords will be stolen and test whether phishing, SIM swap, and OTP interception can still produce a valid session.
- Constrain what authenticated users can reach: Use least privilege, segmentation, and step-up checks so that a compromised staff account cannot move freely into critical systems.
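One way to check from authentication logs that MFA is actually enforced on every entry point, as an added example that is not from 1Kosmos or the original post. The event schema, field names, entry point names and the five-minute freshness window are assumptions, and the sample log is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines schema (not from any real product).
SAMPLE_LOG = """\
{"ts":"2025-01-15T08:00:05","user":"alice","entry":"vpn","src":"203.0.113.10","event":"password_ok"}
{"ts":"2025-01-15T08:00:20","user":"alice","entry":"vpn","src":"203.0.113.10","event":"mfa_ok"}
{"ts":"2025-01-15T08:00:21","user":"alice","entry":"vpn","src":"203.0.113.10","event":"session_start"}
{"ts":"2025-01-15T09:14:02","user":"bob","entry":"remote-portal","src":"198.51.100.7","event":"password_ok"}
{"ts":"2025-01-15T09:14:03","user":"bob","entry":"remote-portal","src":"198.51.100.7","event":"session_start"}
{"ts":"2025-01-15T10:30:00","user":"carol","entry":"vpn","src":"203.0.113.44","event":"mfa_ok"}
{"ts":"2025-01-15T10:30:40","user":"carol","entry":"vendor-gateway","src":"203.0.113.44","event":"session_start"}
{"ts":"2025-01-15T11:00:00","user":"dave","entry":"vpn","src":"192.0.2.5","event":"mfa_ok"}
{"ts":"2025-01-15T11:20:00","user":"dave","entry":"vpn","src":"192.0.2.5","event":"session_start"}
"""

MFA_WINDOW = timedelta(minutes=5)  # assumed maximum age of an MFA success

def sessions_without_mfa(log_text, window=MFA_WINDOW):
    """Return session_start events lacking a fresh mfa_ok for the same user, entry point and source."""
    last_mfa = {}  # (user, entry, src) -> time of the most recent unused mfa_ok
    findings = []
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["entry"], ev["src"])
        if ev["event"] == "mfa_ok":
            last_mfa[key] = ts
        elif ev["event"] == "session_start":
            seen = last_mfa.pop(key, None)  # one MFA success covers one session
            if seen is None or ts - seen > window:
                findings.append(ev)
    return findings

def gaps_by_entry_point(findings):
    """Group offending users by entry point to show which access path lets sessions through."""
    out = defaultdict(list)
    for ev in findings:
        out[ev["entry"]].append(ev["user"])
    return dict(out)

if __name__ == "__main__":
    for entry, users in gaps_by_entry_point(sessions_without_mfa(SAMPLE_LOG)).items():
        print(f"{entry}: sessions without a fresh MFA success for {users}")
```

Keying on the entry point is what surfaces the alternate-path case: an MFA success on the VPN does not count for a session opened through a different gateway.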
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The Change Healthcare attack narrative and how the remote access failure was discovered.
- The vendor's discussion of passwordless multi-factor authentication methods, including biometrics, push notifications, and hardware tokens.
- The identity proofing and audit-trail capabilities described as part of the platform context.
- The compliance framing tied to NIST 800-63-3 and related identity assurance standards.