Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

MFA gaps in remote access: what healthcare IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Change Healthcare’s ransomware incident underscores how a missing MFA control on remote access can let stolen employee credentials become prolonged network access, enabling attackers to linger for nine days before disruption, according to 1Kosmos. The lesson is that identity assurance and remote access governance remain operational controls, not checkbox protections.

NHIMG editorial — based on content published by 1Kosmos covering the Change Healthcare ransomware attack: identity verification and authentication gaps in remote access

Questions worth separating out

Q: How should organisations protect remote access against credential theft?

A: Organisations should enforce multi-factor authentication on every remote access route, remove legacy password-only exceptions, and validate that factor prompts cannot be bypassed through alternate entry points.

Q: Why do compromised user credentials often lead to ransomware?

A: Compromised credentials give attackers a legitimate identity that can blend into normal traffic, making it easier to explore systems, escalate access, and prepare encryption or extortion actions.

Q: What do security teams get wrong about MFA on remote access?

A: Teams often treat MFA as a box to tick rather than a control that must be enforced across every access path.

Practitioner guidance

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The Change Healthcare attack narrative and how the remote access failure was discovered.
  • The vendor's discussion of passwordless multi-factor authentication methods, including biometrics, push notifications, and hardware tokens.
  • The identity proofing and audit-trail capabilities described as part of the platform context.
  • The compliance framing tied to NIST 800-63-3 and related identity assurance standards.

👉 Read 1Kosmos's analysis of the Change Healthcare ransomware attack and MFA failure →

MFA gaps in remote access: what healthcare IAM teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Remote access MFA gaps remain a human identity failure with systemic consequences: When a staff-facing access path accepts only a password, the organisation is effectively treating credential theft as a tolerable risk. That assumption no longer holds in an environment where phishing, SIM swapping, and stolen OTPs are routine attacker playbooks. The lesson is not simply that MFA is missing, but that remote access has been allowed to behave like a low-friction trust channel. Practitioners should treat that as a governance defect, not a tooling detail.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when remote access authentication fails?

A: Accountability sits with the identity, access, and system owners jointly, because the failure spans authentication design, access path governance, and detection coverage. In regulated environments, leaders should be able to show who approved exceptions, who reviewed risk, and who owns the control outcome.

👉 Read our full editorial: Change Healthcare shows how MFA gaps become ransomware exposure



   
ReplyQuote
Share: