In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, got hit with ransomware that shut down a big chunk of the U.S. healthcare payment infrastructure for weeks. Pharmacies couldn’t process prescriptions. Medical practices couldn’t submit claims. UnitedHealth’s 10-K filing eventually put the total financial impact at over $2.4 billion.
In May 2024, the CEO of UnitedHealth testified before the U.S. Senate about how the attackers got in. The initial access was a Citrix remote access portal. The attackers had a stolen username and password. The portal did not require multi-factor authentication.
That’s the whole initial access vector for a $2.4 billion incident. No MFA on one externally-facing login.
It isn’t a healthcare problem
The natural response to reading that is to think “well, we’re not Change Healthcare.” True. You’re not running pharmacy benefit management for half the country. Also true is that every firm has some version of the Change Healthcare problem. Some system, somewhere, with a login that faces the internet, without MFA, because MFA never got turned on for that one thing and nobody goes back and checks.
For a small law firm or CPA practice, the usual suspects are:
An old VPN that a former employee of your IT provider set up years ago. You don’t use it much. Nobody remembers who it’s configured for. MFA was going to be added later. It never was.
A remote desktop gateway for the one partner who wants to be able to access their office PC from home. MFA wasn’t in the initial build because it was too complicated. It still isn’t there.
A third-party practice management tool your firm started using three years ago. The admin account was set up with a password and no MFA. You log in once a quarter. The admin credentials haven’t changed.
A shared mailbox somewhere, or a service account used by an integration, or an Exchange admin center login that someone in IT uses from their personal laptop, or a cloud backup console with a weak password from 2018.
You don’t know these exist until somebody goes looking. And the attackers run exactly the kind of scans needed to find them.
The attackers already know where yours is
This is the part worth sitting with. Attackers don’t guess which of your logins doesn’t have MFA. They run automated scans that catalog every internet-facing authentication endpoint your firm has, and they check which ones accept password-only logins. The Shodan search engine makes this a commodity. Security researchers use it to find exposed systems. Attackers use it for the same thing.
If your firm has a Citrix portal, an RDP gateway, an OWA login, a VPN concentrator, a SharePoint tenant, a FileMaker server, a QuickBooks portal, a practice management portal, anything that accepts credentials over the public internet, attackers have already catalogued it. The only question is whether MFA is on. Stolen credential lists are cheap. Attackers have a million of them. They just need one weak login on one of your systems and they’re in.
CISA’s Known Exploited Vulnerabilities catalog is a running list of stuff that attackers are currently using at scale. A lot of that list is about unpatched vulnerabilities. A lot of it isn’t. A lot of it is about misconfigurations, and the biggest misconfiguration in the catalog of small-firm breaches is MFA that isn’t turned on.
What to actually do
Make a list. Every system anyone at your firm logs into. Start with the obvious ones: Microsoft 365, your practice management tool, your accounting software, any VPN, any remote access tool, any cloud storage, any vendor portal. Then expand the list to every tool on the employee onboarding checklist. Then ask each partner what they log into that isn’t on the list. You’ll find three or four things you forgot about.
Once you have the list, go through each one and verify MFA is enforced, for every user, no exceptions, no opt-outs. Don’t trust your memory. Don’t trust your IT provider’s word. Log into each system’s admin console and look at the user-by-user MFA status. If you find even one user without MFA, the answer isn’t to call them and ask them to enable it. The answer is to enable it from the admin side and let them deal with the new prompt.
For systems that don’t support MFA natively, either replace them or put them behind a gateway that enforces MFA. A practice management tool from 2015 that only supports passwords is a liability. Either the vendor added MFA since you last looked (ask them, a lot of them have), or you need to front it with an SSO product like Microsoft Entra that can add the MFA layer, or you need to move to a different vendor.
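For the Microsoft 365 / Entra entry on the list, the user-by-user check can be scripted instead of clicked through. This is an added example, not code from the article; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the named Graph permissions, and the output path is a placeholder. It checks both halves of "enforced": that a tenant policy actually requires MFA (with no excluded users or groups) and that every user has registered a method.

```powershell
# Added example (not from the article): audit per-user MFA status in a Microsoft 365 / Entra tenant.
# Assumes the Microsoft.Graph PowerShell SDK; the scopes are Microsoft's permission names and
# the CSV path is a placeholder.
Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

# 1. Is MFA enforced tenant-wide? Either Security Defaults is on, or an enabled Conditional Access
#    policy grants access only with the built-in "mfa" control. A registration report alone does not
#    prove enforcement. (Policies that use an authentication strength instead of the "mfa" control
#    appear under GrantControls.AuthenticationStrength and are not matched here.)
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' })
if (-not $secDefaults.IsEnabled -and $mfaPolicies.Count -eq 0) {
    Write-Warning 'Neither Security Defaults nor any enabled Conditional Access policy requires MFA.'
}
foreach ($p in $mfaPolicies) {
    # An exclusion list is the "no exceptions, no opt-outs" rule being broken in configuration.
    $excluded = @(@($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) |
        Where-Object { $_ })
    if ($excluded.Count -gt 0) {
        Write-Warning "Policy '$($p.DisplayName)' excludes $($excluded.Count) user(s)/group(s) from MFA."
    }
}

# 2. Per-user registration: a user with no MFA method registered is still a password-only login
#    wherever policy does not block them. Admins are listed first because they are the worst gaps.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$gaps = @($details | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } })
$gaps | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
$gaps | Export-Csv -Path '.\mfa-gaps.csv' -NoTypeInformation   # placeholder output path
$adminGaps = @($gaps | Where-Object { $_.IsAdmin }).Count
"{0} of {1} users are not MFA-registered ({2} of them admins)." -f $gaps.Count, $details.Count, $adminGaps
```

Anyone in the resulting CSV is a login the article is talking about; the fix is done from the admin side (enrol them or tighten the policy), not by asking them to opt in.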
MFA on internet-facing logins isn’t a project. It’s a baseline. NIST’s SP 800-63B has recommended this since 2016. The CISA #MFA guidance has been out for years. Cyber insurance underwriters now require it as a condition of coverage. Defense contractors need it for CMMC. Healthcare entities need it for HIPAA. And Change Healthcare demonstrates in the most expensive way possible what it costs to miss one login.
Two billion dollars for one Citrix server without MFA. That’s not hyperbole. That’s the line in UnitedHealth’s financial statements. Every firm has the same vulnerability. The only variable is how much damage the attacker can do once they get through the one login nobody fixed.
