Identity infrastructure is the digital access system behind staff accounts, passwords, multifactor authentication, permissions, vendor access, device access, and activity logs. Attackers target it because it can give them a direct path into sensitive systems. A stolen password, hijacked login session, abused vendor account, or service account with too much access can make an attacker look like a real user. Once inside, they may be able to move through systems, view patient data, or disrupt operations without immediately setting off alarms.
Hospitals, clinics, cloud platforms, medical devices, third-party vendors, and external services often need to connect with one another. Each account and connection creates another possible entry point. Strong identity controls help healthcare organizations limit access and reduce the chance that one compromised account turns into a wider breach.
What is identity infrastructure?
Identity infrastructure is the digital trust infrastructure for controlling access and actions. It covers identity and access management, single sign-on, multi-factor authentication, directories, role-based access controls, privileged accounts, vendor accounts, service accounts, and the logs that record access activity. Identity infrastructure is particularly important in healthcare, where a single person may be required to use email, scheduling, billing, electronic health records, cloud storage, medical devices, and third-party platforms all in the same day.
These systems are technical conveniences that enable rapid, controlled access in high-stakes clinical settings. The previously mentioned study states, “[These] systems are essential in enabling the right access of the right personnel to the right patient’s clinical information at the right time.” Modern healthcare systems connect hospitals, cloud platforms, medical cyber-physical systems, and external services.
This connectivity improves care coordination but also expands the trust fabric that attackers can exploit. To put it simply, identity infrastructure is the digital environment’s front door, its badge reader, its permission map, and its security camera. When it works, the right person has access to the right system at the right time. When it does not, attackers can use trusted channels rather than having to get through obvious technical flaws.
Why identity has become more valuable to attackers
Identity is even more valuable today because it provides attackers with something better than a technical exploit: trusted access. Using a stolen login, session token, or over-permissioned account, an attacker could impersonate a legitimate employee, vendor, contractor, or administrator. It makes identity compromise faster, quieter, and more scalable than breaking into every system individually. The 2019 BMJ Health & Care Informatics study states, “Healthcare data has significant value and is a potential target for hackers,” and explains that phishing uses “targeted communications such as email or messaging” to push users toward malicious links, fake websites, or malware downloads.
Recent news stories, like our reporting on how hackers used stolen login credentials to break into Change Healthcare, illustrate the scale of risk. Additional reporting pointed to the Snowflake-linked campaign, which involved stolen credentials and affected high-profile customers, including Ticketmaster-related data. One weak access point can create a chain reaction.
How attackers target identity infrastructure
Attackers target identity infrastructure with phishing, credential theft, password reuse, stolen session tokens, weak multi-factor authentication, compromised vendor accounts, and abuse of trusted single sign-on systems. They often start with people, because people interact with identity systems constantly.
The study explains that phishing is especially dangerous in hospitals because employees often have access to internal systems and sensitive data, meaning “even 1 innocent click could expose the organization to a network of hackers nearly impossible to trace.” Among all factors tested, workload was associated with employees clicking phishing links.
Why identity attacks are hard to identify
Identity attacks are difficult to identify because they often involve real accounts, real passwords, real sessions, and normal-looking workflows. A firewall sees an authorized login. The cloud platform may show a valid token. An email system recognizes the sender. All of this can make identity compromise more deceptive than obvious malware.
Research on electronic health record cybersecurity, titled Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis, found that phishing accounted for a large share of affected electronic health record incidents, showing how trusted communication channels can become breach pathways. The hospital phishing study of 397 employees also found that workload, not stated security intention, predicted clicking behavior. Identity risk is often present in routine work, not outside it.
Google Workspace’s rollout of device-bound session credentials was reported as a response to rising session token theft, where attackers hijack accounts even after authentication. Paubox research found that 107 healthcare email attacks in the first half of 2025 compromised more than 1.6 million patient records, with Microsoft 365 involved in 52% of breaches.
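As an added example (not from the original article or from any vendor's product), the following sketch shows one way a defender can catch the session token theft described above: bind each session to the device recorded at login and flag later use of that session from anywhere else. The log format, field names, and sample events are constructed assumptions.

```python
import json

# Constructed sample events (not real logs); all field names are assumptions.
SAMPLE_LOG = """\
{"ts": 1000, "event": "login", "user": "nurse.a", "session": "s1", "device": "d-111", "ip": "10.1.4.20"}
{"ts": 1060, "event": "access", "user": "nurse.a", "session": "s1", "device": "d-111", "ip": "10.1.4.20"}
{"ts": 1120, "event": "access", "user": "nurse.a", "session": "s1", "device": "d-111", "ip": "10.1.7.33"}
{"ts": 1180, "event": "access", "user": "nurse.a", "session": "s1", "device": "d-999", "ip": "203.0.113.50"}
{"ts": 2000, "event": "access", "user": "svc.billing", "session": "s7", "device": "d-222", "ip": "10.1.9.5"}
"""

def find_session_anomalies(log_text):
    """Return (ts, session, reason) for events that break the login-time binding."""
    bound = {}      # session id -> user and device recorded at login
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        if ev["event"] == "login":
            bound[sid] = {"user": ev["user"], "device": ev["device"]}
            continue
        ctx = bound.get(sid)
        if ctx is None:
            # A valid-looking token with no login on record
            findings.append((ev["ts"], sid, "session used without a recorded login"))
        elif ev["user"] != ctx["user"]:
            findings.append((ev["ts"], sid, "session used by a different user"))
        elif ev["device"] != ctx["device"]:
            # Same token, different device: the pattern token theft produces
            findings.append((ev["ts"], sid, "session used from a different device"))
        # An IP change on the same device is not flagged here, since staff
        # legitimately roam between wards and networks during one session.
    return findings

if __name__ == "__main__":
    for ts, sid, reason in find_session_anomalies(SAMPLE_LOG):
        print(ts, sid, reason)
```

Every event in the sample carries a valid session identifier, so a check that only asks "is this token valid?" passes all of them; the findings come from comparing each use against the context captured at login.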
Healthcare organizations need email security that treats identity signals, sender behavior, impersonation risk, and abnormal message patterns as part of detection. Paubox is the layer that helps close the gap between a technically valid identity and a genuinely trustworthy message, especially when attackers abuse inboxes, vendors, and familiar names.
FAQs
What is identity infrastructure?
Identity infrastructure is the set of systems, policies, and tools that authenticate users, manage permissions, enforce access rules, and record account activity.
Why do attackers target identity infrastructure?
Attackers target identity infrastructure because it provides them with trusted access to systems, data, cloud environments, and administrative tools.
Is multifactor authentication enough to stop identity attacks?
Multifactor authentication is helpful, but it is not enough on its own. Attackers still have phishing, push fatigue, stolen session tokens, compromised devices, and over-permissioned accounts up their sleeves.
