I was a Victim of the Change Healthcare Breach

-By Herbert Spencer – TraitWare

Sometimes it’s frustrating being an innovator in cybersecurity.

A few days ago, I received a letter from Change Healthcare, notifying me that my personal information had likely been compromised in a recent data breach – the one that affected millions of people and essentially shut down health systems across the nation. That was in February. 

I understand things happen. That’s part of being human. But today, I want to scream at the world with the same message our company has put out there over and over and over again. … But that’s the definition of insanity.

Despite the cutting-edge technology and modern cybersecurity solutions available, the majority of us are stuck dangerously behind the times. And it seems cyberattacks, even colossal, globally damaging ones, are the norm today. Most have come to accept the same old woeful song and dance.

But today, it’s personal. 

Today I am not only one of the ‘victims’ but also a frustrated innovator, with a solution that could have helped prevent my current predicament, and more importantly, could have saved millions of others from frustration and devastating loss.

What Happened?

In late February of 2024, Change Healthcare suffered a ransomware attack which led to disruptions to their platform, costing the company an estimated $872,000,000, on top of a $22,000,000 ransom payment to the BlackCat ransomware group.

The root cause? ONE stolen Citrix credential on an account that had NO MFA in place. UnitedHealth Group CEO Andrew Witty testified before Congress that the attackers used the stolen credential to remotely access a Change Healthcare Citrix portal. With no second factor required, the password alone was enough to get in; from that foothold the attackers moved laterally within the environment and exfiltrated data. 

Things could have been different. Citrix has the solution. It’s there. TraitWare, the company I helped found, created integrations into the Citrix platform years ago. In fact, in 2020, TraitWare won the Spotlight video contest for the Citrix integration. TraitWare’s phishing-resistant (no shareable secrets) Passwordless MFA+SSO is available. Citrix has done the work. But, perhaps unfortunately, it is up to each customer organization to actually deploy and enforce it.

Experts have long struggled with how to Cross the Chasm between availability and adoption. MFA is no exception, with adoption rates worldwide still pitifully low. 

Why the reluctance to deploy MFA?

Three Things:

  1. Much, if not most, of the reluctance to adopt MFA is around the perception that it creates too much added friction for the user.
  2. Then, there’s the idea that there is a high cost to businesses in making the switch to modern technology. 
  3. And finally, there’s the notion that “It doesn’t really work.” Indeed, MFA bypass is a common attack technique today.

So, we can debunk every one of those myths about MFA [But it has to be Phishing-Resistant].*

  1. It adds friction. – No, it doesn’t, if you eliminate the password and other shareable secrets and replace them with secure, integrated factors. Doing so REMOVES login steps, and with them the friction.
  2. It costs too much. – Strong passwordless, phishing-resistant MFA can save you money: no password-reset or support costs, no expensive hardware to buy, and, best of all, a far lower chance of facing the average ransomware bill of around $4.5 million (by our estimate, the risk drops by 90 percent or more). If you’re worried about the cost of strong security, consider the cost of staying behind.
  3. It doesn’t really work. Or, MFA can be bypassed. – Phishable MFA can be bypassed. Passwordless, phishing-resistant MFA that is native to the login flow is by far your best defense today, because it leaves no password or one-time code for an attacker to steal or relay.

(Read On for More)

* Why Phishing-Resistant MFA? 

Not all MFA is the same. You can read more here about the important difference between phishing-resistant MFA and phishable MFA. It is critical to know the difference, because phishable MFA, such as a push notification or one-time code layered on top of a password or other shareable secret, adds friction and is still inadequate: a real-time phishing proxy can collect the password and relay the code or approval to the real site before it expires. Phishing-resistant methods bind the credential to the legitimate site, so a look-alike page gets nothing it can replay. 
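To make the difference concrete, here is an added simulation (not code from the original post, nor from TraitWare or Citrix) of both flavors of MFA against the same adversary-in-the-middle phishing proxy. The TOTP routine follows RFC 6238; the server, the proxy, the authenticator and the two origins (`REAL_ORIGIN`, `PHISH_ORIGIN`), the user `alice` and her secrets are all constructed for this illustration, and the SHA-256 password hash and HMAC "signature" are stand-ins for a real password hash and a public-key signature.

```python
"""Phishable vs. phishing-resistant MFA against the same phishing proxy.

Added example. The TOTP computation is RFC 6238; everything else is a toy
in-process model constructed for illustration, not any vendor's code.
"""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://portal.example-health.test"   # assumed legitimate login page
PHISH_ORIGIN = "https://portal.example-heaIth.test"  # assumed look-alike (capital I for l)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'something you have' of phishable MFA."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Server:
    """Relying party supporting password+TOTP and an origin-bound assertion."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users: dict = {}
        self.pending: set = set()

    def register(self, name: str, password: str, totp_secret: bytes, device_key: bytes) -> None:
        self.users[name] = {
            "pw_hash": hashlib.sha256(password.encode()).hexdigest(),  # toy hash, not production
            "totp_secret": totp_secret,
            "device_key": device_key,  # stands in for the registered public key
        }

    def login_password_totp(self, name: str, password: str, code: str, now: float) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), user["pw_hash"])
        code_ok = hmac.compare_digest(totp(user["totp_secret"], now), code)
        return pw_ok and code_ok  # nothing here knows WHERE the user typed these

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def login_origin_bound(self, name: str, challenge: str, client_origin: str, signature: str) -> bool:
        """WebAuthn-style: the signed data includes the origin the browser was on."""
        user = self.users.get(name)
        if user is None or challenge not in self.pending:
            return False
        self.pending.discard(challenge)          # single use, no replay
        if client_origin != self.origin:         # came via another site: reject
            return False
        expected = hmac.new(user["device_key"], f"{challenge}|{client_origin}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(device_key: bytes, challenge: str, browser_origin: str) -> str:
    """The device signs the challenge AND the origin the browser is actually on.
    The user cannot override that origin; the binding is what defeats the proxy."""
    return hmac.new(device_key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).hexdigest()


def build_server() -> Server:
    server = Server(REAL_ORIGIN)
    server.register("alice", "Winter2024!", b"12345678901234567890", b"alice-device-key")
    return server


def relay_password_totp(server: Server, now: float) -> bool:
    """Proxy at PHISH_ORIGIN: victim types password + code into the fake page,
    proxy replays both to the real server within the 30-second window."""
    typed_password = "Winter2024!"                              # constructed victim input
    typed_code = totp(server.users["alice"]["totp_secret"], now)  # read off the victim's phone
    return server.login_password_totp("alice", typed_password, typed_code, now)


def relay_origin_bound(server: Server, spoof_origin: bool = False) -> bool:
    """Same proxy, but the victim uses an origin-bound credential. The proxy can
    forward the signature honestly or lie about the origin; both fail."""
    challenge = server.new_challenge()                          # proxy fetches a real challenge
    sig = authenticator_sign(server.users["alice"]["device_key"], challenge, PHISH_ORIGIN)
    claimed_origin = REAL_ORIGIN if spoof_origin else PHISH_ORIGIN
    return server.login_origin_bound("alice", challenge, claimed_origin, sig)


def legitimate_origin_bound(server: Server) -> bool:
    """Control case: the same credential used on the real site succeeds."""
    challenge = server.new_challenge()
    sig = authenticator_sign(server.users["alice"]["device_key"], challenge, REAL_ORIGIN)
    return server.login_origin_bound("alice", challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    srv = build_server()
    print("password+TOTP relayed through proxy: ", relay_password_totp(srv, time.time()))
    print("origin-bound relayed, honest origin:  ", relay_origin_bound(srv))
    print("origin-bound relayed, spoofed origin: ", relay_origin_bound(srv, spoof_origin=True))
    print("origin-bound from the real site:      ", legitimate_origin_bound(srv))
```

The first case succeeds because neither the password nor the one-time code carries any information about where the victim typed it; the proxy only has to be faster than the 30-second window. The origin-bound case fails twice: once because the server sees a foreign origin, and again because a spoofed origin field no longer matches what the device signed. That signed-origin binding, not the number of factors, is what "phishing-resistant" means.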

What Will It Take to Make a Positive Change?

Like any good change or pivotal moment in history, mandating and deploying Strong MFA requires a slight shift – a mindset adjustment. Mostly, it requires us to let go of bad habits. (Bad CyberSecurity habits have gotten folks into a world of trouble.)

Remember when we were allowed to ride loose in the back of grandpa’s pickup truck? Or when we drove without seatbelts? Well, if you don’t, could you imagine allowing yourself or your children to ride without one? What’s the first thing you do when you get in a car? If the answer is not, “Put on my seatbelt,” you are not only outnumbered, you’re taking unnecessary risk.

MFA is no different. As with seatbelts, we can jump up and down all we want with our message of “MFA for All Users, Always On, All the Time,” yet, as with seatbelt laws, it often takes a catastrophic event or a wake-up call to spark change.

The cyberattack on Change Healthcare happened because MFA was not being used. It’s not the first attack of its kind. In fact, according to studies, 80% of organizations that suffered a BEC (Business Email Compromise) attack had no multi-factor authentication (MFA) in place before the incident (Arctic Wolf). According to CISA, enabling MFA makes an account 99% less likely to be compromised.

The Tipping Point for Mandatory MFA

Have we reached the tipping point? Is it time for companies to stop offering MFA and start enforcing it? There is no shortage of pushback against mandatory MFA, with reasons ranging from friction for the user to cost … but we believe the pros far outweigh the cons. At TraitWare, we’ve removed the friction, and our solution will save 90% or more on support costs, not to mention lower insurance premiums. … Perhaps the time to offer MFA is OVER and the time to move to mandatory phishing-resistant MFA for all companies is HERE.

According to the National Cybersecurity Alliance (NCA) “Oh Behave!” report, 94% of people who have enabled MFA continue to use it. “Our data does not support the view that MFA is too much to ask of people,” states the report. “Done right, it’s quick and convenient.”

MFA Done Right / Case In Point

Take the example of Salesforce, which started requiring MFA of its users in 2022. Even better, Salesforce products include MFA functionality at no extra cost. And Salesforce understands that not all MFA is created equal: it excluded weaker verification methods such as one-time codes delivered by SMS, email or phone call, which can be intercepted or phished, and answers to security questions, because attackers have become adept at guessing them from users’ social-media profiles. Salesforce too experienced pushback for the decision, yet as of 2024 it reports 100% MFA enrollment among employees and MFA enforced for all of its customers. 

Salesforce recommends the following for companies looking to roll out MFA for their users:

  1. Understand the workforce √
  2. Offer options that fit into existing workflows √
  3. Make it easy for admins √

Checking all the boxes above, we believe that companies and service providers should implement an access-control policy in which phishing-resistant MFA is native. When the MFA is built in, the result is vastly improved security AND a much improved user experience. That means happier people.

Keeping it Simple Wins

All of the TraitWare integrations are there to not only enhance security but also to make life easier for users and administrators. It’s in our mission statement and in our DNA as a company. It’s the entire reason we got started. Fed up with the headaches around Passwords, we set out to prove that you could rid the user of frustration AND have superior security. 

We will continue to work hard to spread awareness about phishing-resistant MFA for companies of all sizes, and never stop innovating to offer products that are simple and secure. In recent news, we announced the TraitWare Microsoft EAM (External Authentication Method) Extension, which makes Windows MFA access easier than ever before. It’s now simple to add MFA and to use the SAML and OIDC protocols. The Citrix integration has also been simplified, and we’re seeing an uptick in interest from the healthcare sector.

Conclusion

When considering the cost of improving a cybersecurity posture, we know that the failure to modernize can come with crippling costs. Amid the noisy gloom around cybersecurity today, there is a bright light: the combination of vastly improved security AND convenience is here today. 

If you are considering making the switch to modernized security and passwordless phishing-resistant native MFA for your company, reach out any time. TraitWare’s MFA solution is FREE to try and there’s no obligation. We’re here to help and happy to chat. 

###