A stolen credential doesn’t just breach a database. It cancels surgery.

Three breaches in 2024. All entered through a credential. All caused direct patient harm. MyCena closes the entry point before the attacker reaches the clinical systems.
190 million patient records — Change Healthcare, largest healthcare breach in US history
$2.5B — Total cost to UnitedHealth from one stolen Citrix credential
NHS appointments cancelled — Synnovis ransomware, London blood supplies depleted
$1.1B — Net loss, Ascension Health, 2024 ransomware attack across 140 hospitals
The 2024 pattern

Three breaches. Same entry point. Patients harmed in all three.

Every major incident in 2024 traced to the same failure — a credential in human hands the organisation could not control.

Change Healthcare — February 2024
$2.5B
Stolen credentials accessed a Citrix portal with no MFA. Nine days inside before ransomware deployed. 190 million patient records exposed.
94% of US medical practices reported financial losses. 74% reported delays in patient care. The breach disrupted claims processing nationally for weeks — hospitals, pharmacies, and doctors’ offices could not verify insurance or process payments. The UnitedHealth CEO confirmed to the Senate that the entry was a stolen Citrix credential with no multi-factor authentication.
Entry point: stolen Citrix credential
Ascension Health — May 2024
$1.1B
Ransomware entered via a downloaded file giving credential access across the network. 140 hospitals across 19 states reverted to paper records.
Ambulances were diverted. Surgeries cancelled. Doctors waited four hours for CT scan results on stroke patients. 5.6 million people affected. The provider posted a $1.1 billion net loss for fiscal year 2024. Staff described operating conditions as returning to the 1980s — no digital records, no electronic medication orders, no access to patient histories.
Entry point: compromised credentials, lateral movement
NHS Synnovis — June 2024
£37.7M
Ransomware disabled pathology services across seven London hospitals. Blood testing reduced to 10% of capacity. National O-negative donor appeal launched.
1,134 planned operations cancelled in the first 13 days. 2,194 outpatient appointments lost. NHS England declared a critical incident. 900,000 patient records were exfiltrated and published online. Services were not fully restored until December 2024 — six months after the attack. The Dutch DPA’s €475,000 fine for Booking.com’s 2021 breach was for notification failure alone — the regulatory exposure from Synnovis-scale incidents is substantially larger.
Entry point: credential access to NHS trust systems

In every case, the attacker authenticated as a legitimate user. Every security system in place saw a valid login — because the credential was valid. The failure was not at the clinical system layer. It was at the credential layer above it.

Risk landscape

Six credential risks specific to healthcare

Healthcare carries the standard enterprise credential gap — plus consequences that exist nowhere else. A stolen credential in a bank costs money. In a hospital it cancels treatment.

01 — Patient safety
The credential that diverts an ambulance
When ransomware disables clinical systems, hospitals go on diversion. Emergency departments operate without records. A stroke patient waiting four hours for a CT result is a direct consequence of a stolen credential.
Unlike every other sector, a healthcare credential breach is not an IT incident first — it is a patient safety event. The Ascension attack forced ambulance diversions across 19 US states simultaneously. Clinicians reverted to paper across 140 hospitals. There is no recovery procedure that compensates patients who received delayed care during those weeks.
02 — Third-party access
Supplier credentials reaching clinical networks
Synnovis was not the hospital. It was a pathology supplier. Its credentials reached seven hospital networks. One supplier breach became an NHS critical incident across London.
Healthcare organisations depend on hundreds of third-party suppliers — medical device manufacturers, EHR vendors, pathology partners, pharmacy systems. Each holds credentials to clinical networks. The blast radius of a supplier breach is proportional to how many hospitals that supplier serves — not to the supplier’s own size or security investment.
03 — Shared credentials
Shared logins in clinical environments
A shared login produces unauditable access events. HIPAA, DSP Toolkit, and CQC all require individual user accountability. Shared credentials fail all three simultaneously — and leave no forensic trail when something goes wrong.
Clinical workstations in busy ward environments are frequently shared across shift changes. When an incident occurs, there is no individual to attribute the access to — the shared credential means everyone on the shift is a suspect and no one is provably accountable. Auditors treat shared credentials as a material finding. Insurers treat them as a coverage risk.

“A credential breach in healthcare is not a data problem first. It is a patient safety problem.”

Where credential control applies

The healthcare credential entry points MyCena closes

MyCena governs the authentication layer above clinical systems. No EHR platform is modified. No medical device is touched. No clinical workflow changes.

MyCena governs
Remote access to EHR and clinical systems
Clinician and administrator remote access portals
✓ Change Healthcare entry point — closed structurally
Remote access credentials to Citrix, VPN, and clinical portals are generated centrally. Clinicians never see or type them — MyCena injects at authentication. The Citrix portal that was breached at Change Healthcare would have had no credential visible to steal. Nothing to phish. Nothing to purchase on the dark web.
MyCena governs
Supplier and third-party access
Pathology partners, medical device vendors, EHR suppliers
✓ Synnovis entry point pattern — closed structurally
Third-party suppliers authenticate through credentials the healthcare organisation generated — the supplier never holds them. When a relationship changes or an incident is detected, all access is revoked in seconds across every clinical system simultaneously. The Synnovis blast radius — one supplier, seven hospital networks — is structurally closed when the hospital owns the credential, not the supplier.
MyCena governs
Clinical workstations and shared environments
Ward workstations, nursing stations, radiology terminals
✓ HIPAA individual accountability — satisfied architecturally
Every clinician has individually generated credentials. No shared logins. Every access event is traceable to a named individual with a precise timestamp. HIPAA audit requirements are satisfied continuously — not assembled before inspection. The audit log exists from the first day of deployment.
MyCena governs
Clinical AI agents
Diagnostic AI, documentation tools, patient triage systems
✓ Clinical AI credential governance — same platform as human users
AI agents deployed in clinical workflows authenticate through MyCena alongside human clinicians. Their credentials are centrally generated, individually attributed, and instantly revocable when the deployment changes. Governed from first deployment — not discovered after breach.
What MyCena delivers

Structural credential control across the healthcare access layer

MyCena closes the entry points used in every 2024 healthcare breach without touching clinical platforms, EHR systems, or medical device infrastructure.

Remote access — nothing to phish or steal
Clinicians connect to remote access portals by clicking — MyCena injects the credential invisibly. No credential is ever visible, typed, or held. A Citrix portal attack requires a credential to steal. MyCena ensures there is nothing to find.
Supplier access revoked in seconds, not days
Every supplier accesses your network through credentials you generated. When a relationship changes or an incident is detected, all access across every system is revoked with one command. The Synnovis breach lasted months because revocation required system reconstruction. MyCena revocation takes seconds.
HIPAA individual accountability — structural
Every access event is attributed to a named individual, timestamped to the second, logged automatically. No shared credentials. No unattributed access. The HIPAA audit log is generated continuously — not compiled before inspection.
Deployed in two weeks — no clinical disruption
MyCena deploys as a software overlay above existing clinical systems. No EHR platform is modified. No medical device is touched. No clinical workflow changes. Clinicians notice one difference: they click to connect instead of typing a password.
94%
of US medical practices reported financial losses after Change Healthcare
74% reported delays in patient care. One stolen credential on one remote access portal caused this. The clinical consequences flowed directly from an architectural failure — a credential that should never have existed in human hands.
How it works

Credential control without touching clinical infrastructure

No EHR platform changes. No medical device modifications. No clinical workflow disruption.

Step 01
Central generation — no clinician creates their own access
Every credential — for clinicians, administrators, and suppliers — is generated by the organisation centrally. No individual creates a password for any clinical system. No supplier brings their own credentials to your network. Credential ownership is organisational from the moment of creation.
Step 02
Invisible injection — click to connect, nothing to phish
Clinicians click to connect to any system — EHR, remote access portal, clinical application. MyCena injects the credential at authentication. Nothing is displayed, typed, or held in memory, device, or clipboard.
Step 03
Automatic audit trail — HIPAA evidence generated continuously
Every access event is logged — which clinician, which system, timestamp to the second. The HIPAA audit log and DSP Toolkit access evidence exist continuously. No manual compilation. No preparation before inspection. Evidence on demand, not on request.
Step 04
Instant revocation — supplier or clinician, all systems
A supplier relationship ends: one command, all access revoked across every clinical system in seconds. A clinician leaves: same command, same speed, complete revocation with timestamped log. A potential breach detected: immediate revocation before lateral movement completes.
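The four steps above, modelled end to end as an added example written for this page. It is not MyCena's code and makes no claim about how the product is implemented; the class names, the two stand-in clinical systems and the principals ("supplier-lab", "dr-smith") are constructed for illustration. The point it makes concrete is that the person or supplier never handles a secret: the broker generates it, presents it to the target system itself, logs every attempt, and one revocation call removes that principal from every system at once.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """One access event: who, which system, when (UTC, second precision), outcome."""
    timestamp: str
    principal: str
    system: str
    outcome: str  # "granted", "denied" or "revoked"


class ClinicalSystem:
    """Constructed stand-in for an EHR, remote access portal or pathology interface.
    It stores only a hash of each enrolled credential, never the value itself."""

    def __init__(self, name: str):
        self.name = name
        self._enrolled: Dict[str, bytes] = {}  # principal -> sha256(credential)

    def enroll(self, principal: str, credential: bytes) -> None:
        self._enrolled[principal] = hashlib.sha256(credential).digest()

    def unenroll(self, principal: str) -> None:
        self._enrolled.pop(principal, None)

    def verify(self, principal: str, credential: bytes) -> bool:
        expected = self._enrolled.get(principal)
        if expected is None:
            return False
        # constant-time comparison so a verifier never leaks match length
        return hmac.compare_digest(expected, hashlib.sha256(credential).digest())


class CredentialBroker:
    """Hypothetical central broker that owns every credential on the organisation's behalf."""

    def __init__(self):
        self._vault: Dict[Tuple[str, str], bytes] = {}  # (principal, system) -> credential
        self._systems: Dict[str, ClinicalSystem] = {}
        self.audit: List[AuditEvent] = []

    def register_system(self, system: ClinicalSystem) -> None:
        self._systems[system.name] = system

    # Step 01: central generation. The principal neither chooses nor receives the value.
    def provision(self, principal: str, system_name: str) -> None:
        credential = secrets.token_bytes(32)
        self._vault[(principal, system_name)] = credential
        self._systems[system_name].enroll(principal, credential)

    # Step 02 + Step 03: the broker presents the credential to the target system itself
    # and records the attempt whether or not it succeeds.
    def connect(self, principal: str, system_name: str) -> bool:
        credential = self._vault.get((principal, system_name))
        system = self._systems.get(system_name)
        granted = (credential is not None and system is not None
                   and system.verify(principal, credential))
        self._log(principal, system_name, "granted" if granted else "denied")
        return granted

    # Step 04: one call removes the principal from every system it was enrolled in.
    def revoke(self, principal: str) -> int:
        keys = [k for k in self._vault if k[0] == principal]
        for _, system_name in keys:
            self._systems[system_name].unenroll(principal)
            del self._vault[(principal, system_name)]
        self._log(principal, "*", "revoked")
        return len(keys)

    def events_for(self, principal: str) -> List[AuditEvent]:
        """Per-user access evidence, attributed to a named principal with a timestamp."""
        return [e for e in self.audit if e.principal == principal]

    def _log(self, principal: str, system_name: str, outcome: str) -> None:
        ts = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
        self.audit.append(AuditEvent(ts, principal, system_name, outcome))


def demo() -> dict:
    """Provision a supplier on two systems, let it connect, revoke it, and show that
    the revocation took effect everywhere while an unrelated clinician is unaffected."""
    broker = CredentialBroker()
    for name in ("pathology-lims", "ehr-portal"):  # constructed system names
        broker.register_system(ClinicalSystem(name))
    broker.provision("supplier-lab", "pathology-lims")
    broker.provision("supplier-lab", "ehr-portal")
    broker.provision("dr-smith", "ehr-portal")

    before = broker.connect("supplier-lab", "pathology-lims")
    removed = broker.revoke("supplier-lab")
    after_lims = broker.connect("supplier-lab", "pathology-lims")
    after_ehr = broker.connect("supplier-lab", "ehr-portal")
    clinician = broker.connect("dr-smith", "ehr-portal")
    return {
        "supplier_before_revoke": before,
        "systems_revoked": removed,
        "supplier_after_revoke": (after_lims, after_ehr),
        "clinician_unaffected": clinician,
        "supplier_events": len(broker.events_for("supplier-lab")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The denied attempts after revocation are logged just like the granted one, which is what makes the trail useful during an incident: the evidence of a revoked supplier still trying to authenticate is in the same log as its earlier legitimate access, attributed to the same named principal.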
Regulatory framework

HIPAA, DSP Toolkit, NIS2, CQC — all structurally satisfied

Every healthcare access control framework requires demonstrable evidence of individual user accountability and prompt revocation. MyCena generates that evidence automatically.

HIPAA — Access Control & Audit
✓ Individual accountability and audit — structural
164.312(a)(1) requires unique user identification — no shared credentials. 164.312(b) requires audit controls recording access to ePHI. Both satisfied architecturally: individual credentials per user, every access event automatically logged and attributed.
UK DSP Toolkit — Standard 7
✓ Access evidence — continuously generated
NHS Digital DSP Toolkit Standard 7 requires organisations to demonstrate that access to patient records is controlled and auditable — showing who accessed what and when. MyCena generates this evidence continuously, not assembled before annual submission.
NIS2 — Articles 20 & 21
✓ Supply chain credential governance — satisfied
NHS trusts classified as essential services face NIS2 access control and supply chain security obligations. Article 20 creates personal liability for named management. The Synnovis breach — a supply chain credential entering NHS networks — is exactly the scenario NIS2 Article 21 was written for.
CQC — Fundamental Standards
✓ Governance evidence — audit-ready on demand
CQC Regulation 17 requires good governance including systems to assess and monitor the quality and safety of services. A credential breach that cancels surgery and diverts ambulances is a CQC governance failure. Structural credential control is the demonstrable measure that prevents it.
GDPR — Special Category Data
✓ Article 32 technical measures — architectural
Health data is special category under GDPR Article 9, requiring explicit technical and organisational measures. The ICO calibrates enforcement to the sensitivity of the exposure. Structural credential control — not policy-based access management — demonstrates the Article 32 technical measures regulators expect.
Cyber insurance
✓ Level 4–5 maturity — premium reduction evidence
Healthcare cyber insurance premiums are at record highs after 2024. Underwriters are asking specifically about remote access credential governance and supplier access controls — the two entry points in Change Healthcare and Synnovis. Structural credential governance is the evidence that supports premium negotiation at renewal.
Healthcare credential briefing
A 45-minute briefing on credential control for healthcare — specific to your clinical environment, regulatory obligations, and supplier landscape.