The UnitedHealth Group Cyberattack Is A Cautionary Tale About MFA

The UnitedHealth Group cyberattack finally has a root cause. A breach with such a major impact must have used some novel tradecraft exploiting a never-before-seen zero-day, right?


UnitedHealth was breached because it did not employ one of the most basic security measures—multifactor authentication (MFA). One of the remote access tools the company was using was protected only by a single authentication method, allowing an attacker access for as long as they had a valid username and password.

This breach targeting UnitedHealth’s Change Healthcare, a payment processor, has had significant impacts that have rippled throughout healthcare providers both big and small, with the inability to process billing and some clinics even struggling to make payroll. Dealing with the aftermath took a substantial amount of time: weeks went by while UnitedHealth was still trying to restore services and once again start processing payments for its customers.

Lambasting an organization the size of UnitedHealth for lacking such a fundamental security control doesn’t make any business more secure, though. But the incident can serve as a stark reminder that security basics need to be done right. Every. Single. Time.


Back To Basics

Security companies are constantly working to convince purchasers like you, the MSP business owners, that their new buzzword technology will finally be the silver bullet to make your cyber defenses impervious. Layering the new technology of the year on top of your existing stack is great if you have the budget and the need, but it does not remove the necessity of continually reassessing the efficacy of your existing controls. Audit processes that have been built to support security technology and ensure its continual efficacy are critical in managing the risk of the organization.

Threat modeling is often done in cybersecurity to evaluate defenses. This is the process of comparing the steps of an attack chain to the corresponding defense layers within an organization. The outcome of a threat modeling exercise is a list of gaps where a business lacks adequate defense for a tactic used in the attack chain. A similar process should be applied to governance controls, such as internal audits.

Put Safeguards In Place For MFA

What are the ways a system could end up in a state in which user authentication lacks MFA? Either no one enabled MFA in the first place, or someone disabled it at some point. Proper governance both minimizes the chance of these states occurring and detects them when they do.

Make sure MFA is deployed. How might one minimize the risk of a system deploying without MFA? One suggestion to ensure all new systems, tools, and technologies are deployed in a secure state is to supply technicians with standards and procedures dictating this configuration.

Humans are error-prone, though, and sometimes they overlook a standard or miss a step in a procedure. Using a change management process that includes peer reviews of configurations and adherence to standards adds an additional layer of defense. Making MFA a mandatory configuration for new users further minimizes this risk with a technical control.

Make sure MFA is not disabled. How might one minimize the risk of MFA being disabled? Conduct regular audits and reviews of system configurations. Proper governance requires accurate inventories: the first step in controlling the risk of configuration drift is an accurate list of all the systems, tools, and technologies in an environment. On a regular basis, have someone at your MSP review a customer’s inventory against the list of standards and report on gaps and drift. In addition to the inventory of assets, tracking which of those assets are externally exposed or contain critical data ensures the most important systems are reviewed first. Human audits take time and are typically no more frequent than monthly. Adding technology to monitor and report in real time when an account lacks adequate protection closes the time gap between audits.

Turn Security News Into Action

There are many other ways to respond to the situations above. The ones described here illustrate the process of turning security news into action at an organization. Focus on understanding how your MSP can defend against the situation that caused the worst day of another organization’s life.



Chris Henderson

Chris Henderson runs threat operations and internal security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security.

