Lessons from the Change Healthcare attack. Why MFA Matters

by | Jun 4, 2024 | News, Security

By now, regular readers know how important MFA is.

Unbelievably, there are still some people who think this is for someone else, and they don’t need it themselves.   Unfortunately, we are seeing some of these people fall victim to the very scams we’ve been writing about.

Newsflash – MFA must be for everyone.  The hackers are attacking ALL of us!

Cyberattacks are becoming more frequent and sophisticated, targeting businesses of all sizes and sectors. The consequences are terrible.

Check out US health giant “Change Healthcare”. That was a US$22 million ransom, $600 million to fix the issues and a total cost estimated at $1.4-$1.6 billion.

But it isn’t just big US organisations that are vulnerable. Small Kiwi firms are even easier targets.

According to a recent report by CERT NZ, the national cybersecurity agency, there were 1,431 cyber incidents reported by New Zealand organisations in 2023, resulting in $33.4 million in direct financial losses. Small businesses were the most affected, accounting for 45% of the incidents and 64% of the losses.

How can you implement MFA for your business?

Talk to Kinetics!  There are many options and tools available to help you set up MFA for your business, depending on your needs and preferences. Some of the most common ones are:

  • Email or SMS codes: You can receive a code via email or text message that you need to enter before logging in. This is a simple and widely supported option, but it can be vulnerable to interception or spoofing.
  • Authenticator apps: You can use an app on your smartphone, such as Google Authenticator, Microsoft Authenticator, or Authy, that generates a code or a QR code that you need to scan or enter before logging in. This is a more secure and convenient option, but it requires you to have your phone and the app with you.
  • Hardware tokens: You can use a physical device, such as a USB key or a smart card, that you need to plug in or tap before logging in. This is a very secure and reliable option, but it can be costly and easy to lose.
  • Biometric factors: You can use your fingerprint, face, voice, or iris scan as a verification method before logging in. This is a very secure and user-friendly option, but it requires you to have a compatible device and software.

You can also use a combination of these methods to create a stronger and more flexible MFA system. For example, you can use an authenticator app as your primary method and a hardware token as your backup method in case you lose your phone or the app doesn’t work.

What are some examples of MFA in action?

MFA is becoming more common and essential for many online services and platforms, especially those that handle sensitive or confidential data. Here are some examples of how MFA is used in different sectors and scenarios:

  • Healthcare: In February 2024, Change Healthcare, a leading healthcare technology company, suffered a massive cyberattack that compromised the data of millions of patients and providers. The attack was traced to a phishing email that allowed the hackers to access the company’s network using stolen credentials. The company later announced that it would implement MFA for all its employees and customers to prevent such incidents in the future.
  • Banking: Most banks and financial institutions require MFA for their online and mobile banking services, such as transferring money, paying bills, or checking balances. For example, ANZ Bank offers its customers the option to use an SMS code, a voice code, or a device registration as their MFA method.
  • Education: Many schools and universities use MFA for their online learning and administration systems, such as Moodle, Blackboard, or Canvas. For example, the University of Auckland uses MFA for its staff and students to access its online services, such as email, library, and student portal. The university supports various MFA methods, such as email, SMS, app, or token.
  • Government: Many government agencies and departments use MFA for their online services and applications, such as MyIR, RealMe, or SmartStart. For example, the Ministry of Social Development uses MFA for its clients and staff to access its online services, such as MyMSD, Work and Income, or StudyLink. The ministry uses an app or a token as its MFA method.

Don’t be the next victim.

Insist everyone in your organisation has MFA on every website they sign into. Think of it as a small amount of inconvenience to avoid a massive, existential crisis in your workplace!