Change Healthcare is having the kind of week that makes everyone in healthcare technology sit up a little straighter.
This is not just another ransomware headline in a long, depressing line of ransomware headlines. Change Healthcare sits in the middle of the U.S. claims and payments ecosystem. When it stumbles, a lot of other people stop getting paid, prescriptions get delayed, and providers spend their time doing the least productive thing possible: workarounds.
And the reported root cause is almost insultingly simple: a Citrix portal without MFA.
That is the part that should bother everyone. Not because the attack is novel, but because it is not. The attacker did not need to crack modern encryption like a movie villain. They needed a gap in a routine control that most security programs claim to treat as table stakes. That is not sophistication. That is negligence with better branding.
The Door Was The Problem
On February 21, 2024, UnitedHealth said it detected a cybersecurity issue affecting some Change Healthcare systems and took those systems offline. That is the right move once an intrusion is underway, but it also tells you something important: the blast radius was large enough that the company could not just patch and pray.
Why? Because Change Healthcare is not a side business. It is infrastructure. It processes claims, supports payment flows, and touches the mundane plumbing that keeps healthcare finance moving. When a company like that gets hit, the damage is not abstract. It is not limited to a server room or a security team dashboard. It lands in physician offices, pharmacies, billing departments, and patient experiences.
That is why this attack matters. The operational layer of healthcare is now a cyber target. Not just the records. Not just the PHI. The payment rails themselves.
And once those rails go down, the rest of the system starts improvising. Which is a polite way of saying “doing business on fire.”
Missing MFA Is Not A Small Mistake
Let’s be honest about the control failure here. A Citrix portal is remote access. Remote access is a privileged path. Privileged paths need strong identity controls. That means MFA, not “strong password and a sincere hope.”
If a remote access portal is exposed to the internet and does not require MFA, then you have effectively told the attacker, “Please use the front door. We left the key under the mat.”
That sounds harsh because it is harsh. But it is also accurate. MFA is not a magical incantation. It is a baseline control that forces an attacker to do more than steal or guess a password. Without it, the security model depends on secrecy, luck, and everyone behaving perfectly forever. That is not security. That is a bedtime story.
And to be clear, MFA alone is not enough. You can still fail in recovery workflows, admin exceptions, vendor access, and help desk processes. But if you do not even have MFA on a remote access portal, you are not starting from a strong position. You are starting from “please don’t notice.”
Why Healthcare Felt It So Fast
Healthcare is uniquely bad at absorbing outages because it has all the usual enterprise complexity plus a special level of urgency.
Claims do not wait. Pharmacies do not wait. Providers do not wait. Patients definitely do not wait.
A single disruption in clearinghouse infrastructure can ripple into:
- delayed claims submission
- interrupted payment processing
- pharmacy verification problems
- manual workarounds at provider offices
- downstream cash-flow pressure for hospitals and clinics
That is the ugly truth. Security incidents do not stay in the cyber lane. They become finance problems, operations problems, patient access problems, and eventually governance problems.
So when people ask, “Was this a cybersecurity issue or a business issue?” the answer is yes.
This is also why healthcare companies cannot treat HIPAA as a paperwork exercise. HIPAA risk analysis and security rule compliance are not just about protecting confidential data from disclosure. They are about understanding how the environment fails under pressure. If a single external portal can take a core workflow offline, then the real weakness is not just technical. It is architectural.
The Bigger Lesson: Convenience Is Not A Control
Every organization has some version of this problem.
A legacy portal stays alive because a workflow depends on it. A vendor integration persists because replacing it is annoying. A remote-access exception exists because someone important needs access “just for now.” Then “just for now” becomes permanent, and permanent becomes the attack surface.
That is why security posture assessments matter. Not because they produce a pretty score. Because they force the uncomfortable questions:
- Which internet-facing systems still rely on weak or inconsistent identity controls?
- Where are MFA exceptions hiding?
- Which third-party access paths have not been reviewed in years?
- Which systems are business-critical but treated as administrative conveniences?
- If this portal died tomorrow, who would feel it first?
If you run a proper assessment, the answers can be uncomfortable. That is the point. If the answers are comfortable, you probably did not look hard enough.
The same goes for SOC 2 readiness and HIPAA compliance work. The value is not the certificate on the wall. The value is the discipline of looking at access control, logging, incident response, vendor risk, and business continuity before the crisis arrives. Because once the crisis arrives, everyone suddenly discovers they are in favor of controls that were “too expensive” last quarter.
What Should Change Now?
At a minimum, healthcare operators should be doing a few boring, necessary things:
- Require MFA on every external-facing access path, with no grandfathered exceptions
- Inventory remote access portals, vendor connections, and administrative back doors
- Treat claims and payment infrastructure as critical business systems, not just IT tools
- Test incident response plans against real outage scenarios, not just theoretical malware
- Review business continuity planning for payment and claims processing specifically
- Run security and privacy assessments that connect technical controls to operational impact
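As an added illustration (not code from the post or from licens.io), the Python below runs the posture-assessment questions above mechanically over a constructed inventory of access paths; the record fields, the sample systems and the one-year vendor-review threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AccessPath:
    name: str
    internet_facing: bool
    mfa_required: bool
    mfa_exception: Optional[str]  # reason text if an exception was granted, else None
    owner: str                    # "vendor" or an internal team name
    business_critical: bool       # would claims/payment flows stop if this died?
    last_reviewed: date

# Constructed sample inventory (hypothetical systems, not real ones). The
# remote-access portal mirrors the failure pattern the post describes.
TODAY = date(2024, 2, 21)
INVENTORY = [
    AccessPath("remote-access-portal", True, False, "legacy workflow, just for now",
               "it-ops", True, date(2021, 5, 1)),
    AccessPath("claims-api-gateway", True, True, None, "platform", True, date(2023, 11, 15)),
    AccessPath("vendor-sftp-drop", True, True, "break-glass account exempt",
               "vendor", False, date(2020, 9, 30)),
    AccessPath("internal-wiki", False, False, None, "it-ops", False, date(2023, 1, 10)),
]

def assess(inventory, today=TODAY, review_max_days=365):
    """Return findings keyed by the assessment question each one answers."""
    findings = {"no_mfa_external": [], "mfa_exceptions": [],
                "stale_third_party": [], "critical_without_mfa": []}
    for p in inventory:
        # Internet-facing path with weak identity control: the front door is open.
        if p.internet_facing and not p.mfa_required:
            findings["no_mfa_external"].append(p.name)
        # Every exception is a hidden gap; surface it with its justification.
        if p.mfa_exception:
            findings["mfa_exceptions"].append((p.name, p.mfa_exception))
        # Third-party access nobody has looked at in over a year.
        if p.owner == "vendor" and (today - p.last_reviewed).days > review_max_days:
            findings["stale_third_party"].append(p.name)
        # Business-critical system treated as an administrative convenience.
        if p.business_critical and not p.mfa_required:
            findings["critical_without_mfa"].append(p.name)
    return findings

def fix_first(inventory, today=TODAY):
    """Paths that are exposed, critical and without MFA: fix these before anything else."""
    f = assess(inventory, today)
    return [n for n in f["no_mfa_external"] if n in f["critical_without_mfa"]]
```

The output is only as honest as the inventory; an access path that never made it into the list is exactly the kind of exception the post warns about.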
This is not glamorous work. It will not make for a flashy board slide. But it is the work that keeps a single bad login from becoming a national nuisance.
And yes, a good security posture review should cover the obvious question that seems to get skipped far too often: why is this thing internet-facing without MFA? If nobody can answer that in one sentence, you probably have a governance problem hiding inside a technology problem.
That is the sort of thing licens.io spends time on in Privacy, Security & Compliance work: security posture assessments, SOC 2 readiness, and HIPAA-aligned control reviews that look at how the system actually behaves, not how the policy manual wishes it behaved.
The Bottom Line
The Change Healthcare incident is a reminder that the easiest path into a hardened environment is often not a zero-day or some cinematic exploit. It is a portal. A portal with weak identity controls. A portal somebody left exposed because it was “working fine.”
Until it was not.
The uncomfortable lesson is simple: if your remote access story depends on passwords alone, you do not have a strong perimeter. You have a quiet liability.
And in healthcare, quiet liabilities eventually get loud.
Sources Used
- UnitedHealth Group cyber response page
- AP News: Change Healthcare cyberattack was due to a lack of multifactor authentication, UnitedHealth CEO says