"Phishing-as-a-Service has gotten more sophisticated, and the kits made available through them [are] difficult for a targeted organization to detect," warns Amy Larson DeCarlo, Principal Analyst at GlobalData. This stark warning cuts through a decade of established security wisdom, where enabling multi-factor authentication (MFA) became the default solution for protecting sensitive data. For organizations governed by HIPAA, implementing MFA was a foundational pillar of compliance, a necessary step up from the vulnerabilities of password-only security. Yet, many now stand on a false belief that their compliance checkbox translates to genuine security.
The danger, DeCarlo said, is that "cybercriminals can use these kits to capture credentials and session tokens, which in turn can be used to gain access to Personally Identifiable Information of patients and employees." The stakes for healthcare are uniquely high. A compromised account containing electronic protected health information (ePHI) is a gateway to catastrophic outcomes like:
While security awareness programs have trained users to protect their passwords, modern attackers now leverage what Amy Larson DeCarlo describes as "readily accessible and cost-effective" MFA bypass kits. These toolkits enable attackers to sidestep MFA by targeting the authenticated session itself, not just the credentials.
The most potent of these bypasses is the Adversary-in-the-Middle (AiTM) attack. This technique works precisely as described in threat advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). An attacker creates a reverse-proxy server that perfectly mimics a legitimate login portal. When the user clicks a phishing link, this server acts as a malicious digital postman, sitting between the user and the real service to intercept, read, and forward all communication. The attack flow, as outlined by CISA, is deceptively seamless:
The ultimate prize in this elaborate heist, as DeCarlo points out, is the capture of "session tokens." A session token, often called a session cookie, is a small piece of data a website stores in your browser after you successfully log in. It's a digital backstage pass that proves you are authenticated.
By sitting in the middle of the authentication, the attacker intercepts and steals this session cookie. With this stolen cookie, they can simply "replay" it in their own browser to gain full, authenticated access to the user's account. They have effectively become the user, able to browse their email, access patient files in the EHR, and exfiltrate sensitive data, all without ever needing the password or the MFA device again for the duration of that session. IT policies that configure long-lived sessions, for instance, 8 or 12 hours, to avoid inconveniencing busy clinicians, inadvertently widen the window of opportunity for an attacker to exploit a stolen cookie.
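One defensive angle on the stolen-cookie scenario above is to watch for the same session identifier being exercised from a second browser, and for cookies that are still accepted hours after issuance. The following is an added example, not code from the article or any vendor: a small analysis over a constructed access log whose field names (`sid`, `ip`, `ua`, `event`) are assumptions.

```javascript
// Added example (not from the article): flag a session cookie that is replayed
// from a second client fingerprint, and requests made on a cookie older than
// MAX_SESSION_HOURS. The log rows below are constructed for illustration.
const MAX_SESSION_HOURS = 1; // the 8-12 hour lifetimes in the text would widen this window

// Constructed portal log, sorted by session id then timestamp. s1 is a clinician
// whose cookie is later used from another network and browser; s2 is a long-lived session.
const LOG = [
  { ts: "2024-05-01T08:00:00Z", sid: "s1", user: "drlee",   ip: "10.1.4.20",    ua: "Edge/124 Windows", event: "login" },
  { ts: "2024-05-01T08:05:00Z", sid: "s1", user: "drlee",   ip: "10.1.4.20",    ua: "Edge/124 Windows", event: "mail.read" },
  { ts: "2024-05-01T08:09:00Z", sid: "s1", user: "drlee",   ip: "203.0.113.77", ua: "Chrome/124 Linux", event: "mail.read" },
  { ts: "2024-05-01T08:11:00Z", sid: "s1", user: "drlee",   ip: "203.0.113.77", ua: "Chrome/124 Linux", event: "ehr.export" },
  { ts: "2024-05-01T08:00:00Z", sid: "s2", user: "rnpatel", ip: "10.1.7.9",     ua: "Safari/17 iPad",   event: "login" },
  { ts: "2024-05-01T19:30:00Z", sid: "s2", user: "rnpatel", ip: "10.1.7.9",     ua: "Safari/17 iPad",   event: "mail.read" },
];

// Returns a Map: session id -> { issuedAt, ip, ua, alerts[] }.
function analyzeSessions(log) {
  const sessions = new Map();
  for (const r of log) {
    if (!sessions.has(r.sid)) sessions.set(r.sid, { issuedAt: null, ip: null, ua: null, alerts: [] });
    const s = sessions.get(r.sid);
    if (r.event === "login") { s.issuedAt = r.ts; s.ip = r.ip; s.ua = r.ua; continue; }
    if (!s.issuedAt) continue; // no login row seen for this cookie; nothing to compare against
    // Replay heuristic: same cookie, different IP *and* user agent than at issuance.
    // (An IP change alone is common on mobile networks, so both are required here.)
    if (r.ip !== s.ip && r.ua !== s.ua) {
      s.alerts.push(`replay? ${r.sid} issued to ${s.ip}/${s.ua}, used from ${r.ip}/${r.ua} at ${r.ts}`);
    }
    // Lifetime check: the cookie is still honoured long after it was issued.
    const ageHours = (Date.parse(r.ts) - Date.parse(s.issuedAt)) / 3.6e6;
    if (ageHours > MAX_SESSION_HOURS) s.alerts.push(`stale: ${r.sid} is ${ageHours.toFixed(1)}h old at ${r.ts}`);
  }
  return sessions;
}

for (const [sid, s] of analyzeSessions(LOG)) for (const a of s.alerts) console.log(sid, a);
```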
Another technical bypass exploits not the user, but overlooked IT configurations. Many healthcare organizations have diligently enabled modern authentication with MFA for web access to services like Microsoft 365. However, they often forget to explicitly disable older, less secure email protocols like IMAP, POP3, and SMTP.
These legacy protocols do not support modern authentication methods, meaning they cannot enforce an MFA challenge. Consider a doctor who sets up their work email on a new personal tablet. The device's default mail app may connect using IMAP, prompting only for a username and password. Because the organization never disabled this protocol on their server, the connection succeeds, completely bypassing the MFA policy that protects the web portal. An attacker who has phished that doctor's password can now use this forgotten backdoor to gain direct, unmonitored access to their entire mailbox and all the ePHI it contains, rendering the organization's MFA investment useless.
When a direct technical assault is not possible, attackers pivot to their most reliable and often most vulnerable target. "It is important for healthcare institutions and payer organizations to understand that the weakest security link in an organization is the human element," Amy Larson DeCarlo states. This is the foundational principle behind an entire class of attacks designed to exploit human psychology. As security experts at the SANS Institute note, most common forms of MFA require human interaction, and "where human interaction is required, people can be phished." These attacks turn a user's security tools against them by manipulating trust, urgency, and simple fatigue.
This attack, which CISA explicitly warns about under the names "push bombing" or "push fatigue," has gained notoriety for its brute-force simplicity. After obtaining a user's password (often from a previous breach), the attacker triggers login attempts over and over again. This floods the user's smartphone with a relentless stream of MFA push notifications from their authenticator app. The goal is to annoy, confuse, and wear down the target. In a busy clinical environment, a practitioner dealing with a constant stream of alerts may approve a request by accident, or approve it deliberately just to make the incessant notifications stop.
The 2022 breach at Uber serves as a real-world case study. The attacker spammed an employee with push requests for over an hour. When the employee correctly ignored the prompts, the attacker escalated, contacting the user directly on WhatsApp while posing as a member of Uber's IT department. They claimed the notifications were part of a system issue and told the employee to accept the prompt to resolve it. This combination of technical spam and targeted social pressure worked, granting the attacker high-level access to Uber's internal systems.
This classic social engineering tactic weaponizes the very one-time passcodes (OTPs) designed for security. The attack often begins with an urgent phone call or text message to a busy professional, asking them to read back the code that has just been sent to their device. Imagine a nurse on a hectic shift receiving a call. While on the phone, the attacker has already used the nurse's stolen password to trigger a legitimate login, which sends a real OTP to her device. Believing she is following a valid security procedure, the nurse provides the code. The attacker enters it, gains access, and can immediately begin exfiltrating patient data. The user, trying to be helpful and compliant, has unwittingly become the final key that unlocks their account.
Considered a more invasive and targeted attack, SIM swapping bypasses the user entirely by attacking the telecommunications infrastructure. As defined by CISA, SIM swapping involves an attacker using social engineering or bribery to convince an employee at a mobile carrier to transfer the victim's phone number to a new SIM card controlled by the attacker. They might pose as the victim, claiming they lost their phone and need to activate a new one.
Once the swap is complete, the attacker's device becomes the new endpoint for the victim's phone number. All incoming calls and SMS text messages are routed to the criminal. This renders SMS-based MFA completely useless. For any service that relies on sending a code via text, from work email to personal bank accounts, the attacker can now initiate a login or password reset, receive the MFA code on their own device, and gain full control. This cascading risk is why cybersecurity authorities universally consider SMS to be the weakest, most vulnerable form of MFA.
The clear and present danger posed by modern bypass techniques demands a fundamental shift in how we approach authentication. As Amy Larson DeCarlo advises, "All organizations should move away from easily exploited factors, including passwords, one-time passcodes, security questions, and push notifications. Instead, they should implement... passkeys." This marks the strategic shift toward what CISA calls the "gold standard" of authentication: phishing-resistant MFA.
What truly separates these modern methods is their foundation in public-key cryptography. As the SANS Institute explains, this means no shared secret, like a password or an OTP code, is ever transmitted across the internet where it could be intercepted by an AiTM attack. Instead, the process flips the script on traditional authentication. Research into authentication theory, such as the "Counter Challenge" method, highlights the core weakness of older systems: the user is always asked to prove their identity to a server that is blindly trusted. Phishing-resistant methods solve this by establishing mutual authentication. The server must first prove its legitimate identity to the user's device before any authentication can succeed.
This is achieved through a cryptographic key pair that is created when a user registers with a service. The "public key" is stored by the service, while the "private key" remains securely stored on the user's device. As DeCarlo notes, "The private key that authenticates the user is stored on the hardware of an end user's device. It isn't shared so threat actors can't access it." This key pair is bound to the legitimate website's domain. When a user attempts to log in, the authenticator first verifies that the domain it's interacting with matches the one it has on record. A phishing site, even a perfect replica operating on a different URL, cannot pass this cryptographic check. The technology itself detects the fraud and refuses to engage, protecting the user even if they are tricked.
The open standards that enable this powerful security are FIDO2 and its web component, WebAuthn. CISA guidance confirms that this framework provides the "only widely available phishing-resistant authentication" today. These standards are supported by all major browsers and operating systems, making them accessible for broad deployment. FIDO2 authenticators come in two primary forms, each with distinct advantages in a healthcare setting:
Passkeys represent the next evolution in this technology, designed to make phishing-resistant authentication both universal and user-friendly. A passkey is a discoverable FIDO credential that can sync across a user’s device ecosystem (via their Google, Apple, or Microsoft account). This solves a major usability challenge of earlier security keys, as a user can sign into a service on a new computer by simply approving a prompt on their nearby phone.
This approach is not just a security upgrade but a productivity enhancement. According to Microsoft, a traditional password sign-in can take up to 9 seconds, whereas a sign-in with a passkey averages around 3 seconds. For busy clinicians, this time savings adds up, removing friction while increasing security. Passkeys are not just a better password manager; they are a true password replacement designed to finally eliminate the weak, phishable secrets that have plagued digital security for decades.
Yes. Attackers can spam your phone with push requests until you approve one by accident, an attack called "MFA Fatigue."
Phishable MFA requires a person to enter a code or approve a prompt, which can be stolen. Phishing-resistant MFA uses technology to automatically verify the website is legitimate before you can log in, stopping the attack for you.
A FIDO2 key is a physical device you tap or plug in, which is great for shared computers. A passkey is a credential stored on your phone or laptop that uses its built-in biometrics (like Face ID) to log you in.
HIPAA requires you to protect against known risks. Since older MFA methods are now a major known risk, adopting phishing-resistant MFA is the best way to demonstrate you are taking "reasonable and appropriate" steps to protect patient data.