Beyond EHR: Identity Blind Spots Are Driving Healthcare’s Costliest Incidents

The following is a guest article by Ariel Parnes, Co-Founder and COO at Mitiga

Healthcare security has long focused on protecting Electronic Health Records (EHR). But today’s most damaging incidents aren’t hitting clinical systems directly. They’re triggered by compromised identities – often a single stolen login.

In 2024, the Change Healthcare ransomware incident began with compromised credentials used to access a remote Citrix portal that lacked multi-factor authentication (MFA). That single identity failure cascaded into months of disruption across claims, pharmacies, and eligibility checks, ultimately exposing data on roughly 190 million people – the largest healthcare data breach in U.S. history.

The Change breach is not an outlier – it’s a signal. In 2024 alone, U.S. healthcare organizations reported 725 large data breaches (500+ records) affecting more than 275 million individuals, the third year in a row with 700+ such incidents. At the same time, IBM estimates the average healthcare breach now costs around $9.8M – more than any other industry.

The pattern reveals a clear shift. The perimeter has moved.

Identity is the New Perimeter for Clinical Operations

Modern care delivery now runs on many connected systems. A single patient encounter can move through:

  • A core EHR
  • Cloud-hosted imaging and lab systems
  • SaaS tools for telehealth, referrals, and patient engagement
  • Clearinghouses and revenue cycle platforms
  • Analytics and AI services running in one or more public clouds

Identity is the link that ties this activity together. It’s the clinician account signing orders, the service account moving HL7 messages, and the vendor admin login accessing a hosted portal.

Many hospitals still center their security around networks and endpoints, using firewalls, VPNs, and endpoint agents. Those are necessary, but they don’t reflect where risk forms today. When an attacker can authenticate into the same cloud services your clinicians use, there’s no firewall to trip over. There is only the question: do you trust this identity right now, in this context?

Where the Blind Spots Really Are

Most providers can answer detailed questions about their EHR’s audit trail. When it comes to cloud and SaaS, far fewer can say the same.

Here’s where visibility often breaks down:

  • Third-Party SaaS and Intermediaries: Critical services like claims clearinghouses, cloud-based practice management, and niche apps often sit outside the hospital’s security monitoring; teams may receive SOC reports, but not the underlying identity and access logs
  • Fragmented Telemetry: EHR logs, VPN access logs, Microsoft 365 or Google Workspace events, SaaS logs, cloud provider logs, and identity provider logs – they all live in separate tools; during an incident, correlating them becomes slow, manual work when speed matters most
  • Inconsistent MFA and Legacy Remote Access: As the Change Healthcare breach illustrated, a single remote-access path without MFA can become the key to a nationwide outage
  • Service Accounts and Shared Logins: Non-human accounts, shared credentials, and vendor backdoor accounts often go poorly inventoried and weakly governed; these accounts stay invisible until something breaks or is abused

These blind spots mean that when an attacker phishes a single user or tricks a helpdesk, they can quietly move through mail, file sharing, VPN, and cloud consoles long before anyone notices.

AI is Scaling Identity Abuse

Attackers are also modernizing. And hospitals are a prime target. The Health Sector Cybersecurity Coordination Center (HC3) has warned of rising social engineering campaigns, where threat actors call hospital IT help desks pretending to be finance or administrative staff. Their goal: convince agents to reset MFA or change account recovery details. 

Now, generative AI is making these campaigns more convincing:

  • Voice cloning tools can mimic a clinician or executive, applying pressure on helpdesk agents to “just fix it quickly”
  • AI-written phishing emails reference real internal tools, projects, or patient workflows, making them harder to spot
  • Automation can mirror “normal” usage patterns, logging in at realistic times, from plausible locations, using typical click paths – to make compromised sessions look routine

What an Identity-First Defense Looks Like

If the EHR is no longer the perimeter, the security strategy should evolve accordingly. A modern, identity-first approach in healthcare has a few defining characteristics:

Unify Identity Telemetry Across EHR, Cloud, and SaaS

Build or adopt a security data lake/cloud detection and response layer that ingests identity provider logs (SSO/IdP), EHR access logs, cloud-native logs, and major SaaS audit trails. The goal is a single place where you can ask: What has this identity done in the last few hours or days? And does any of it look wrong?

Harden the Obvious Failure Modes

  • Enforce strong MFA on all remote access paths, particularly for admins and third-party vendors
  • Remove legacy access routes or front them with modern identity controls
  • Treat helpdesk workflows for password and MFA reset as high-risk transactions with clear verification steps and audit

Make Behavior, Not Just Credentials, Your Signal

Tune analytics to healthcare-specific patterns, like on-call behavior, shared clinical workstations, and vendor access windows. Suspicious signals should be identity-centric: unusual cross-cloud data access, anomalous privilege use, or sign-ins from atypical geographies.
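The two preceding points (a single place to ask "what has this identity done?" across IdP, VPN, M365 and cloud logs, and identity-centric signals such as atypical geography, anomalous privilege use and cross-cloud data access) can be illustrated together. The following Python is an added example written for this article, not code from the author or from Mitiga. Every log record, user name, bucket name and the "home country" baseline is constructed for illustration; the four input shapes are simplified stand-ins for real IdP, VPN, Microsoft 365 and cloud audit formats.

```python
"""Unified identity timeline plus simple behavior signals (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from four separate tools, each in its own shape.
IDP_LOGS = [  # identity provider (SSO) sign-ins
    {"ts": "2024-02-20T07:58:00Z", "user": "dr.lee", "event": "sso_login", "country": "US"},
    {"ts": "2024-02-20T23:40:00Z", "user": "dr.lee", "event": "sso_login", "country": "RO"},
]
VPN_LOGS = [  # key=value text lines from a remote-access appliance
    "2024-02-20T08:01:00Z user=svc-hl7-bridge action=connect src_country=US",
    "2024-02-20T23:42:00Z user=dr.lee action=connect src_country=RO",
]
M365_LOGS = [  # unified audit log style records
    {"CreationTime": "2024-02-20T23:45:00Z", "UserId": "dr.lee@hospital.example",
     "Operation": "Add-MailboxPermission"},
]
CLOUD_LOGS = [  # object reads from two different public clouds
    {"eventTime": "2024-02-20T23:50:00Z", "userIdentity": "dr.lee", "cloud": "aws",
     "eventName": "GetObject", "bucket": "imaging-archive"},
    {"eventTime": "2024-02-20T23:52:00Z", "userIdentity": "dr.lee", "cloud": "gcp",
     "eventName": "storage.objects.get", "bucket": "lab-results"},
]

# Assumed baselines a real deployment would learn from history.
HOME_COUNTRIES = {"dr.lee": {"US"}}
PRIVILEGED_OPS = {"Add-MailboxPermission"}
DATA_CLOUDS = {"aws", "gcp"}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _ev(ts, identity, source, action, **attrs):
    return {"ts": ts, "identity": identity, "source": source, "action": action, "attrs": attrs}


def normalize():
    """Collapse every source into one common record shape, ordered by time."""
    events = []
    for r in IDP_LOGS:
        events.append(_ev(_t(r["ts"]), r["user"], "idp", r["event"], country=r["country"]))
    for line in VPN_LOGS:
        parts = line.split()
        kv = dict(p.split("=", 1) for p in parts[1:])
        events.append(_ev(_t(parts[0]), kv["user"], "vpn", kv["action"], country=kv["src_country"]))
    for r in M365_LOGS:
        user = r["UserId"].split("@")[0]  # map UPN to the IdP short name
        events.append(_ev(_t(r["CreationTime"]), user, "m365", r["Operation"]))
    for r in CLOUD_LOGS:
        events.append(_ev(_t(r["eventTime"]), r["userIdentity"], r["cloud"], r["eventName"],
                         bucket=r["bucket"]))
    return sorted(events, key=lambda e: e["ts"])


def timeline(identity, events, since_hours=None):
    """Answer 'what has this identity done?', optionally only in the last N hours."""
    evs = [e for e in events if e["identity"] == identity]
    if since_hours is not None and evs:
        cutoff = max(e["ts"] for e in evs) - timedelta(hours=since_hours)
        evs = [e for e in evs if e["ts"] >= cutoff]
    return evs


def find_signals(events):
    """Identity-centric signals: atypical geography, privilege use, cross-cloud access."""
    signals = []
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["identity"]].append(e)
    for ident, evs in by_identity.items():
        clouds_touched = set()
        for e in evs:
            country = e["attrs"].get("country")
            # Only flag when a baseline exists; unknown identities get no geography verdict.
            if country and ident in HOME_COUNTRIES and country not in HOME_COUNTRIES[ident]:
                signals.append({"identity": ident, "signal": "atypical_geography",
                                "detail": f"{e['source']}:{e['action']} from {country}"})
            if e["action"] in PRIVILEGED_OPS:
                signals.append({"identity": ident, "signal": "privileged_operation",
                                "detail": f"{e['source']}:{e['action']}"})
            if e["source"] in DATA_CLOUDS:
                clouds_touched.add(e["source"])
        if len(clouds_touched) > 1:
            signals.append({"identity": ident, "signal": "cross_cloud_data_access",
                            "detail": ",".join(sorted(clouds_touched))})
    return signals


if __name__ == "__main__":
    events = normalize()
    for e in timeline("dr.lee", events, since_hours=1):
        print(f"{e['ts']:%H:%M} {e['source']:<5} {e['action']} {e['attrs']}")
    for s in find_signals(events):
        print(s)
```

The point of the example is the shape of the pipeline rather than the toy rules: four tools with four record formats become one timeline keyed on identity, and only then can a question like "did this account read data from two clouds within an hour of an out-of-country sign-in" be answered without manual correlation.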

Use AI on Defense, with Guardrails

The same techniques attackers use to scale can help you collapse investigation time: summarize identity activity, correlate related alerts, and propose likely containment steps. Start with focused use cases like phishing triage or identity anomaly investigation – and keep humans in the loop.

Measure Success as “Zero-Impact” Outcomes

Incidents will happen. The goal is to detect them fast enough that they don’t cause downtime, data loss, or a reportable breach. That means tracking metrics like time to detect anomalous identity behavior, time to revoke and reissue access, and time to restore safe, read-only access to clinical systems.

Hospitals can’t keep treating identity, cloud, and SaaS as edge concerns around a supposedly secured EHR core. After all, the largest and most expensive breaches of 2024 and beyond didn’t originate in clinical systems but in the digital infrastructure that connects them. The attacker’s path runs straight through the identity fabric that ties those systems together.

As we head into 2026, we can’t treat mega breaches like Change Healthcare as outliers. That was a warning shot. The HIPAA Journal’s breach trends show that the scale of healthcare breaches is accelerating, with record exposure reaching unprecedented levels, despite billions spent on traditional prevention solutions. If you don’t know which identities you trust across your cloud and SaaS estate, you don’t actually know where your perimeter is.

The pressure is shifting. Security leaders in the coming year will be judged not just on whether incidents happen but on how quickly they respond, how little damage is done, and how well trust is maintained.

The systems that support care have to be resilient under pressure. That starts with knowing which identities you trust, what they’ve touched, and how to take action the moment something feels wrong.

About Ariel Parnes

Ariel Parnes is a cybersecurity executive, entrepreneur, and retired Colonel from the 8200 Cyber Unit, with 20+ years of experience in offensive and defensive cyber operations, cyber warfare, intelligence, and technology innovation. His contributions were recognized with the Israel Defense Prize for pioneering technological advancements in the security domain.
