In the wake of the Change Healthcare breach – caused by compromised credentials and no multifactor authentication (MFA) on a remote access server – is it time for government to mandate MFA for critical infrastructure organizations?

UnitedHealth CEO Andrew Witty testified in front of the Senate Finance Committee about the breach that crippled parts of the U.S. prescription market. UnitedHealth said last week the attack has so far cost it $870 million and the company made a $22 million ransom payment. Not all stolen data, which may have included sensitive health information on U.S. military personnel, has been recovered. Ultimately, the breach could affect up to one-third of U.S. residents.

Compromised credentials are linked to 86% of breaches. MFA, even the weakest legacy forms that are not phishing-resistant, would have been an obstacle in many of these incidents. Sen. Ron Wyden's (D-Ore.) first question at the hearing asked Witty why MFA was not enabled and called its absence a "cybersecurity failure." He also alluded to requiring the U.S. Department of Health and Human Services to create tougher cybersecurity requirements for critical healthcare organizations.

Which leads me back to my earlier point: should MFA be mandatory for critical infrastructure organizations, and if the technology is not being used appropriately, should fines be levied? This administration is pushing MFA hard: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design Pledge, the Federal Trade Commission (FTC), and the Consumer Financial Protection Bureau (CFPB) all advocate for it.

The latter two agencies have started requiring phishing-resistant MFA of companies found to have lax policies and procedures around data protection, particularly where MFA was not in use. CFPB noted that financial services firms not using MFA might be found to have "violated the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA)."

“If a covered person or service provider does not require MFA for its employees or offer multifactor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability,” stated the CFPB circular.

In healthcare, MFA can be a challenge: patient care should not be delayed by a clinician having to complete an interactive MFA prompt at the bedside. There are, however, compensating controls and risk-based access technologies that evaluate the device, the network, and other signals to decide whether access should be granted, so that the interactive second factor is reserved for the cases where those signals are absent or weak.
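To make the compensating-control idea concrete, here is an added example of a contextual access policy of the kind described above. It is not code from the article or from any vendor; the app names, network ranges, the badge-tap signal, and the 12-hour session limit are all constructed assumptions. The point it shows that the paragraph does not: the step-down applies only to a managed, compliant device on a clinical network, while an internet-facing remote-access entry point, the path used in the Change Healthcare breach, always requires an interactive factor.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data for illustration; none of these values come from the article.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]
# Internet-facing remote-access entry points never get a compensating-control
# step-down. An unauthenticated foothold here is the Change Healthcare pattern.
REMOTE_ACCESS_APPS = {"citrix-gateway", "vpn", "rdp-gateway"}
MAX_SESSION_MINUTES = 12 * 60  # assumption: re-authenticate interactively at least once per shift


@dataclass
class AccessRequest:
    user: str
    app: str
    source_ip: str
    device_managed: bool      # enrolled in MDM and presenting a device certificate
    device_compliant: bool    # patched, disk encrypted, EDR reporting in
    badge_tap: bool           # proximity-badge tap at the workstation (a possession signal)
    session_age_minutes: int  # minutes since the last interactive authentication


def on_trusted_network(ip: str) -> bool:
    """True if the source address falls inside one of the clinical network ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason).

    'mfa'   -> an interactive, phishing-resistant second factor is required first
    'allow' -> the contextual signals substitute for the interactive prompt
    'deny'  -> the request is refused outright
    Checks are ordered so the strongest exclusions are evaluated first.
    """
    if req.app in REMOTE_ACCESS_APPS:
        return "mfa", "remote-access entry point: no step-down permitted"
    if not req.device_managed:
        return "deny", "unmanaged device"
    if req.session_age_minutes > MAX_SESSION_MINUTES:
        return "mfa", "session older than one shift"
    if not on_trusted_network(req.source_ip):
        return "mfa", "source not on a trusted clinical network"
    if not req.device_compliant:
        return "mfa", "device out of compliance"
    if req.badge_tap:
        return "allow", "managed compliant device on clinical network with badge tap"
    return "mfa", "no possession signal available"


if __name__ == "__main__":
    # Constructed sample requests: a nurse at a ward workstation and the same
    # account arriving through the remote-access gateway.
    samples = [
        AccessRequest("nurse.kim", "ehr", "10.20.4.7", True, True, True, 30),
        AccessRequest("nurse.kim", "citrix-gateway", "10.20.4.7", True, True, True, 30),
        AccessRequest("contractor", "ehr", "203.0.113.9", True, True, False, 5),
    ]
    for s in samples:
        decision, reason = decide(s)
        print(f"{s.user:<12} {s.app:<16} {decision:<6} {reason}")
```

The ordering matters: the remote-access check comes before any device or network signal so that a convenience exemption meant for ward workstations can never be inherited by an internet-facing gateway.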

Even so, strong authentication should be a priority for healthcare organizations, according to a June 2023 U.S. Department of Health and Human Services Office for Civil Rights (OCR) Cybersecurity Newsletter. While the HIPAA Security Rule requires covered entities "to verify that a person or entity seeking access to electronic protected health information is the one claimed," it does not mandate MFA. But OCR states that HIPAA-regulated organizations should evaluate MFA, including phishing-resistant technologies, through their risk analysis.

“A regulated entity’s risk analysis should guide its implementation of authentication solutions to ensure that ePHI is appropriately protected. As a best practice, regulated entities should consider implementing multi-factor authentication solutions, including phishing-resistant multi-factor authentication, where appropriate to improve the security of ePHI and to best protect their information systems from cyber-attacks,” OCR states.

Cybersecurity risk management is rarely as easy as saying "if you implement X, you can reduce breaches by Y." Any investment is a business decision that must be made in the context of the organization's overall goals and risk, and Change Healthcare is certainly no different in that regard. The full history of why MFA wasn't enabled on the compromised system may never be known. And yet, as the overwhelming evidence demonstrates, MFA dramatically increases the cost to attackers.

Whether this means MFA should be "mandatory" in regulation depends on a number of factors, but given the direction of CISA, the FTC, CFPB, and others, it may be only a matter of time. Organizations should assess their infrastructure, remote-access systems in particular, to ensure the appropriate controls are in place, or risk ending up in the headlines alongside those who never enabled MFA.

Jeremy Grant and John Banghart contributing.

Zack Martin
