MediSecure and Synnovis both fell to ransomware after attackers used nothing more than stolen usernames and passwords. In each incident the operators had obtained valid credentials through infostealer malware or phishing and simply logged into remote-access portals before moving laterally. Once inside they deployed encryption that halted prescription processing for Australian pharmacies and blood-test reporting across multiple NHS trusts. Verizon's 2025 DBIR reports that 54 percent of ransomware victims had their domains appear in credential dumps; these two breaches followed that pattern.
Healthcare environments face added pressure because systems cannot be taken offline without direct patient impact, which extends dwell time and pushes breach costs above the $4.44 million cross-industry average that IBM reports. The decisive detail in each case was the same: the initial authentication step required no cryptographic proof that the request came from a legitimate device.
How Credential Reuse Created the Entry Point
The stolen credentials were not tied to any endpoint. Attackers supplied the username and password from machines they controlled, and the authentication system accepted the session because it had no way to check which device was asking. From that point the routine post-exploitation steps, creating new accounts, mapping the network and scheduling tasks, met no additional barrier. Without device binding, the password alone was enough to cross the perimeter, however it had originally been obtained.
Why Conventional Second Factors Did Not Block the Attacks
Accounts that did require a second factor still relied on values that travel over the same channel as the password. An SMS code or a push approval is just data: the identity provider compares the value it receives with the one it expects and cannot tell whether the user or a proxy in the middle supplied it. In these incidents the codes were either captured alongside the primary credential or relayed in real time. Because the factor was not cryptographically linked to a specific piece of hardware, the attacker satisfied it from the same compromised session, and the identity provider saw only a completed authentication flow and granted access.
Device-Bound Private Keys Remove the Reusable Credential Problem
MFA 2.0 replaces every phishable factor with a private key that never leaves the endpoint and is never stored centrally. During registration the device generates the key pair and sends only the public key to the identity provider. Every subsequent sign-in requires the original hardware to sign a fresh, single-use challenge issued by the provider; to be phishing-resistant the signed data must also include the origin the device believes it is talking to, not just the nonce. A captured response therefore cannot be replayed, a response produced for a look-alike site does not verify at the real one, and a stolen password gives an attacker nothing that works from another machine. This holds as long as the key is generated and held in a hardware element (a TPM, secure enclave or security key) rather than in a file an infostealer could copy. Under those conditions the stolen-credential step that enabled both the MediSecure and Synnovis incidents never occurs.
This model applies uniformly to managed endpoints, BYOD devices and server workloads. Service accounts receive device-bound keys that can be provisioned and rotated programmatically, so no password or shared secret is ever created that could be harvested. The protection covers the full lifecycle (registration, device onboarding, authorisation, authentication and decommissioning) rather than only the login step. Without a usable credential at the first hop, attackers never reach lateral movement or encryption deployment.
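The registration and challenge-response flow described above, together with the rotation and decommissioning of keys mentioned in the lifecycle paragraph, as an added example that is not code from this page and not AuthN by IDEE's implementation. It uses Ed25519 from the Go standard library and a minimal in-memory identity provider; the origin string, the user name, the 32-byte nonce and the 60-second challenge lifetime are assumptions chosen for illustration. The point it makes that the prose alone cannot is which checks cause each attack to fail: a replayed response dies on the consumed nonce, a response relayed from a look-alike origin dies on the signature, and a password without the registered device never produces a valid signature at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors: the caller only needs "denied"; the distinction is for logs.
var (
	ErrUnknownUser  = errors.New("no registered device for user")
	ErrUnknownNonce = errors.New("challenge unknown or already consumed")
	ErrExpired      = errors.New("challenge expired")
	ErrBadSignature = errors.New("signature does not verify for registered key and origin")
)

// Device models the endpoint. The key pair is generated here and the private
// half is never serialised; only PublicKey() is sent to the identity provider.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge. The origin the device believes it is talking to is
// part of the signed bytes, so a response produced for a look-alike site does
// not verify at the genuine one.
func (d *Device) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, payload(origin, nonce))
}

// payload length-prefixes the origin (assumed shorter than 256 bytes) so that
// origin and nonce cannot be confused with each other.
func payload(origin string, nonce []byte) []byte {
	b := append([]byte{byte(len(origin))}, origin...)
	return append(b, nonce...)
}

// IdP is the identity provider. It stores public keys only, so a dump of its
// database contains nothing that logs in.
type IdP struct {
	Origin  string
	Now     func() time.Time // injectable clock
	TTL     time.Duration
	keys    map[string]ed25519.PublicKey // user -> current public key
	pending map[string]time.Time         // hex(nonce) -> expiry of an unanswered challenge
}

func NewIdP(origin string) *IdP {
	return &IdP{Origin: origin, Now: time.Now, TTL: 60 * time.Second,
		keys: map[string]ed25519.PublicKey{}, pending: map[string]time.Time{}}
}

// Register stores a public key. Registering again for the same user is
// rotation: the previous key stops verifying at once. Revoke is decommissioning.
func (p *IdP) Register(user string, pub ed25519.PublicKey) { p.keys[user] = pub }
func (p *IdP) Revoke(user string)                         { delete(p.keys, user) }

// NewChallenge issues a 32-byte random nonce that is valid once, for TTL.
func (p *IdP) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p.pending[hex.EncodeToString(nonce)] = p.Now().Add(p.TTL)
	return nonce, nil
}

// Verify consumes the challenge whether or not it succeeds, then checks the
// signature against the registered key and this IdP's own origin.
func (p *IdP) Verify(user string, nonce, sig []byte) error {
	k := hex.EncodeToString(nonce)
	expires, ok := p.pending[k]
	if !ok {
		return ErrUnknownNonce // never issued, or a replay of one already answered
	}
	delete(p.pending, k)
	if p.Now().After(expires) {
		return ErrExpired
	}
	pub, ok := p.keys[user]
	if !ok {
		return ErrUnknownUser
	}
	if !ed25519.Verify(pub, payload(p.Origin, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	idp := NewIdP("https://login.example.org") // assumed origin
	dev, _ := NewDevice()
	idp.Register("alice", dev.PublicKey())
	n, _ := idp.NewChallenge()
	sig := dev.Sign(idp.Origin, n)
	fmt.Println("genuine sign-in:", idp.Verify("alice", n, sig))
	fmt.Println("replayed response:", idp.Verify("alice", n, sig))
	n2, _ := idp.NewChallenge()
	fmt.Println("relayed via look-alike origin:", idp.Verify("alice", n2, dev.Sign("https://login.example-org.com", n2)))
}
```

Two design choices worth noting. Verify deletes the pending nonce before any other check, so an attacker cannot burn retries against one challenge, and the origin is supplied by the verifier from its own configuration, never taken from the request, which is what stops a relayed signature. A real deployment would also record which device answered (for audit and for revoking one device among several) and would hold the private key in a TPM or secure enclave rather than in process memory as this toy does.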
AuthN by IDEE implements this architecture by enforcing the same public-key model across the full identity lifecycle. The result is prevention at the architectural level instead of reliance on detection after credentials have already been used.