NHI Forum
Read full article here: https://www.oasis.security/blog/the-future-of-identity-security-lessons-from-the-change-health-breach/?utm_source=nhimg
The Change Healthcare ransomware attack is a defining case study in how identity failures can cripple even the largest organizations. In February 2024 the BlackCat/ALPHV ransomware group breached Change Healthcare, a UnitedHealth Group subsidiary, using compromised credentials for a Citrix remote access portal that did not enforce Multi-Factor Authentication (MFA); UnitedHealth Group later confirmed these details publicly. Once inside, the attackers moved laterally, exfiltrated sensitive data, and deployed ransomware nine days after the initial access. UnitedHealth paid a $22 million ransom.
This breach illustrates a harsh reality: the next generation of cyberattacks will exploit identity weaknesses—not just missing MFA for humans, but also the invisible vulnerabilities tied to machine and service identities that operate across digital infrastructure.
The Role of MFA in Identity Security
MFA remains a cornerstone of identity protection for human users. By requiring multiple verification factors, it dramatically reduces the risk of unauthorized access from stolen credentials.
Key benefits of MFA:
- Enhanced Security: Adds a critical layer beyond passwords, making breaches significantly harder.
- Compliance Assurance: Aligns with regulatory mandates for identity and access control.
- Trust and Transparency: Strengthens confidence among customers, partners, and regulators.
However, MFA addresses only part of the problem. The Change Healthcare intrusion began with a human credential, but the same pattern, a stolen credential with no second factor behind it, describes every non-human identity (NHI) in an environment, and today's digital ecosystems are dominated by NHIs that cannot use MFA at all.
Beyond MFA: The Rise of Non-Human Identity Risks
In modern organizations, non-human identities outnumber human ones by a factor commonly estimated at 10x to 50x. These include APIs, service accounts, bots, microservices, containers, and workloads, all communicating automatically across systems without a person in the loop.
These NHIs often hold privileged access to databases, critical infrastructure, and cloud workloads, making them ideal targets for attackers. Once compromised, they enable undetected lateral movement, data exfiltration, and persistence within networks.
Key challenges in securing NHIs include:
- Massive Scale: Thousands to millions of machine identities across hybrid and multi-cloud environments.
- No MFA Capability: NHIs authenticate using keys, tokens, and certificates, none of which support traditional MFA mechanisms. Compensating controls exist (short-lived credentials, workload identity federation, binding a credential to the workload that presents it), but they have to be designed in rather than bolted on.
- Decentralized Creation: Developers, CI/CD pipelines, and third-party integrations create NHIs independently, leaving no single source of truth.
- Ownership Ambiguity: Lack of clear accountability makes credential rotation or decommissioning complex and risky.
- High Velocity and Dynamism: NHIs are created and destroyed continuously, making manual tracking impossible.
The Paradigm Shift: Securing the Entire Identity Fabric
Organizations must shift from protecting only human accounts to securing the full identity fabric—both human and non-human. This requires a new strategy rooted in visibility, automation, and Zero Trust principles.
Core pillars of this new paradigm:
- Recognize NHIs as Primary Attack Vectors
  Attackers increasingly view machine identities as the easiest way to infiltrate environments. Identity teams must treat NHIs with the same importance as human accounts.
- Adopt Purpose-Built Non-Human Identity Management (NHIM) Solutions
  Traditional IAM tools were never designed to manage machine credentials, secrets, and service accounts. NHIM platforms must include:
  - Automated discovery of machine identities.
  - Contextual visibility into usage and ownership.
  - Lifecycle controls for creation, rotation, and decommissioning.
  - Policy-based governance and risk scoring.
- Automate at Scale
  Given the dynamic and large-scale nature of NHIs, automation is not optional. Credential management, rotation, and offboarding must be continuous and autonomous to reduce human error and ensure compliance.
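The lifecycle, ownership and risk-scoring controls listed above are easier to reason about as concrete checks. The script below is an added example, not Oasis code and not from the original article: it runs a small policy over a constructed inventory of machine credentials and ranks them for triage. The field names, thresholds and privileged-scope list are assumptions chosen for illustration; a real inventory would come from a discovery export.

```python
"""Policy checks over a constructed non-human identity inventory.

Added example (not from the article or any vendor). Thresholds, field
names and the privileged-scope list are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Assumed policy thresholds (hypothetical; tune per environment).
MAX_KEY_AGE_DAYS = 90        # static keys/tokens must be rotated within this window
DORMANT_AFTER_DAYS = 30      # no authentication for this long => decommission candidate
PRIVILEGED_SCOPES = {"admin", "*", "iam:*", "db:write"}  # assumed high-privilege scopes


@dataclass
class MachineIdentity:
    ident: str                       # key id, token id or certificate serial
    kind: str                        # "api_key" | "service_account_key" | "certificate"
    owner: Optional[str]             # accountable team, None if nobody is recorded
    created: datetime
    last_used: Optional[datetime]    # None if the credential never authenticated
    scopes: Set[str] = field(default_factory=set)
    expires: Optional[datetime] = None


@dataclass
class Finding:
    ident: str
    reason: str
    score: int


def evaluate(identity: MachineIdentity, now: datetime) -> List[Finding]:
    """Return every policy violation for one credential."""
    findings = []
    age_days = (now - identity.created).days
    # Certificates carry their own expiry; static keys and tokens do not, so
    # rotation age is enforced only for the latter.
    if identity.kind != "certificate" and age_days > MAX_KEY_AGE_DAYS:
        findings.append(Finding(identity.ident, f"rotation overdue: {age_days} days old", 3))
    if identity.owner is None:
        findings.append(Finding(identity.ident, "no owner recorded", 2))
    if identity.last_used is None:
        findings.append(Finding(identity.ident, "never used since creation", 2))
    elif (now - identity.last_used).days > DORMANT_AFTER_DAYS:
        findings.append(Finding(identity.ident, "dormant: no recent authentication", 2))
    if identity.expires is not None and identity.expires < now:
        findings.append(Finding(identity.ident, "expired but still present in inventory", 2))
    if identity.scopes & PRIVILEGED_SCOPES:
        findings.append(Finding(identity.ident, "holds privileged scopes", 3))
    return findings


def risk_score(identity: MachineIdentity, now: datetime) -> int:
    return sum(f.score for f in evaluate(identity, now))


def triage(inventory: List[MachineIdentity], now: datetime) -> List[Tuple[str, int]]:
    """Identities with at least one finding, highest risk first."""
    scored = [(i.ident, risk_score(i, now)) for i in inventory]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: -s[1])


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (not real data). Evaluated as of NOW.
NOW = _utc(2024, 6, 1)
SAMPLE_INVENTORY = [
    MachineIdentity("sa-billing-key-01", "service_account_key", "payments-team",
                    _utc(2024, 5, 15), _utc(2024, 5, 31), {"db:read"}),
    MachineIdentity("ci-deploy-token", "api_key", None,
                    _utc(2023, 11, 1), _utc(2024, 5, 30), {"admin"}),
    MachineIdentity("legacy-vpn-svc", "service_account_key", None,
                    _utc(2023, 1, 10), _utc(2024, 3, 1), {"*"}),
    MachineIdentity("mtls-client-cert", "certificate", "platform",
                    _utc(2023, 3, 1), _utc(2024, 5, 28), {"svc:internal"},
                    expires=_utc(2024, 4, 30)),
]

if __name__ == "__main__":
    for ident, score in triage(SAMPLE_INVENTORY, NOW):
        print(f"{score:>3}  {ident}")
        for f in evaluate(next(i for i in SAMPLE_INVENTORY if i.ident == ident), NOW):
            print(f"      - {f.reason}")
```

Two of the sample credentials score highest not because of any single defect but because several of the listed challenges coincide: an old static key with no recorded owner that also holds a wildcard or admin scope. That combination (nobody to ask, nothing forcing rotation, broad blast radius) is what the ownership and lifecycle controls above are meant to prevent, and it is exactly the kind of account a ranking like this should surface first.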
The Lesson from Change Healthcare
The Change Healthcare breach serves as a wake-up call to all sectors, especially healthcare, finance, and government, that identity is now the first line of defense. Securing human credentials with MFA is vital, but the next breach may originate from an unmonitored service account, a leaked API token, or a long-lived certificate that nobody owns.
Organizations that fail to protect non-human identities will continue to face invisible risks that traditional IAM tools cannot mitigate.
The Role of Oasis in Identity Fabric Security
Oasis helps enterprises bridge this gap by offering an integrated platform to manage both human and non-human identities. It extends identity governance beyond MFA and password protection, introducing automation, contextual awareness, and compensating controls for NHIs.
With Oasis, organizations can:
- Discover and classify every human and machine identity.
- Apply lifecycle automation across secrets, tokens, and certificates.
- Establish visibility into ownership, usage, and risk exposure.
- Enforce least privilege and continuous compliance across the identity fabric.
Final Takeaway
The future of identity security depends on an organization’s ability to secure every entity that interacts within its ecosystem—human or not. The Change Healthcare breach demonstrates that neglecting even one access vector can lead to catastrophic consequences.
Identity is the new perimeter, and securing non-human identities is no longer optional—it’s essential for resilience in a Zero Trust world.