Threat Bulletin

Cyber Rounds: Attackers Bypass MFA to Access Networks with Stolen Credentials

Operations Brief

Cyber attackers are always on the lookout for new ways to break into organizations, and healthcare is no exception. As hospitals and clinics adopt multi-factor authentication (MFA) to protect their systems, attackers are finding ways to bypass MFA with session tokens and cookies that prove a user is already logged in. 

Many intrusions rely on identity compromises rather than vulnerabilities, and attackers are gaining access to networks through session hijacking and token theft. Session hijacking occurs when an attacker captures a valid session identifier to impersonate a user, bypassing the normal login process and MFA. A stolen token is like a digital key that was issued after you successfully signed in. When attackers get that token, they reuse it to impersonate the user and access systems as if they were already authenticated.

An intruder masquerading as a doctor, nurse, or administrator could view or alter patient records, issue unauthorized medication orders, or download large volumes of sensitive data. All of this might occur without triggering an MFA prompt or obvious alarms, since the activity appears to originate from a legitimate, logged-in user. Such a compromise could result in severe outcomes like jeopardizing patient privacy and undermining trust, violating HIPAA regulations, and disrupting patient care. 

Microsoft reports a 111% year-over-year increase in “token replay” attacks. The organization states that nearly 70% of security incidents in 2025 involved stolen credentials, phishing, or misuse of legitimate accounts. Fortified Health Security is seeing how rapidly this threat is growing, with numerous incidents identified in recent client compromise investigations.

Session hijacking and token theft are deceptive and serious threats. They allow attackers to silently slip into healthcare networks by exploiting legitimate login sessions and bypassing strong measures like MFA. The good news is that by reinforcing device and identity security, monitoring abnormalities, and educating our workforce, healthcare organizations can greatly reduce the risk. 

By treating session credentials with the same care as passwords and applying layered defenses, healthcare teams can stay a step ahead of attackers and keep critical systems and patient data safe.

Healthcare organizations should take a layered, defense-in-depth approach to counter these threats. Below are some best practices and practical steps to help prevent attackers from logging in with stolen credentials and sessions:

Best Practice: Require managed and compliant devices
Action: Use device management and define Conditional Access policies to require that users access resources from a compliant device.

Best Practice: Turn on Credential Guard for your Windows users
Action: If computers are running Windows 10 or later, prevent theft of Active Directory credentials by configuring Credential Guard.

Best Practice: Require token protection in Conditional Access
Action: Configure Conditional Access to require token protection for sign-in sessions, so only applications and devices using bound sign-in session tokens can sign in. These tokens can't be used if they've been stolen and moved to another device.

Best Practice: Create a risk policy to disrupt token theft in your environment automatically
Action: Configure Conditional Access policies to protect both medium- and high-risk sessions by either challenging users with MFA or by requiring reauthentication.

Best Practice: Strengthen MFA and logins
Action: Use multi-factor authentication everywhere, but also make it phishing-resistant.

Best Practice: Follow the principle of least privilege
Action: Issue the minimum access necessary for staff roles.

Best Practice: Monitor for unusual activity
Action: Monitor user sessions for anomalies such as logins from unusual locations, devices, or times, and large, unexpected data downloads.

Best Practice: Be ready to respond
Action: Develop an incident response plan for credential or token theft that includes quickly revoking tokens and active sessions.
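The "monitor for unusual activity" and "be ready to respond" practices above can be exercised against sign-in data. The following is an added example written for this bulletin, not Fortified's tooling or any vendor's API. It runs over a handful of constructed session events (the field names, user names, session identifiers and thresholds are assumptions, not real log data) and flags the pattern a replayed token produces: a session identifier that was bound to one device and location at first use reappearing from a different device or country shortly afterwards, or pulling an unusually large volume of data. It then lists the sessions that should be revoked first.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): each record is one use of a
# sign-in session after the initial MFA challenge, as a sign-in log might show it.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T08:00:00", "user": "dr.smith", "session_id": "sess-A1",
     "device_id": "dev-laptop-01", "ip": "10.20.30.40", "country": "US", "bytes_out": 120_000},
    {"ts": "2025-03-10T08:05:00", "user": "dr.smith", "session_id": "sess-A1",
     "device_id": "dev-laptop-01", "ip": "10.20.30.40", "country": "US", "bytes_out": 80_000},
    # The same session identifier reappears 20 minutes later from a different
    # device in another country and pulls a large volume of data: the pattern
    # the bulletin describes for a stolen, replayed token.
    {"ts": "2025-03-10T08:25:00", "user": "dr.smith", "session_id": "sess-A1",
     "device_id": "dev-unknown-77", "ip": "203.0.113.9", "country": "NL", "bytes_out": 950_000_000},
    {"ts": "2025-03-10T09:00:00", "user": "nurse.lee", "session_id": "sess-B2",
     "device_id": "dev-ws-14", "ip": "10.20.31.7", "country": "US", "bytes_out": 40_000},
]

# Thresholds are assumptions for this example; tune them to your environment.
TRAVEL_WINDOW = timedelta(hours=2)   # a country change faster than this is suspicious
DOWNLOAD_THRESHOLD = 500_000_000     # bytes out in one event; flags bulk downloads


def _alert(ev, reason, detail):
    """Build one alert record from the offending event."""
    return {"user": ev["user"], "session_id": ev["session_id"], "ts": ev["ts"],
            "ip": ev["ip"], "reason": reason, "detail": detail}


def detect_session_anomalies(events, travel_window=TRAVEL_WINDOW,
                             download_threshold=DOWNLOAD_THRESHOLD):
    """Return alerts for session reuse that does not match the device the session
    was first bound to, for rapid country changes, and for bulk downloads."""
    alerts = []
    binding = {}    # session_id -> device_id seen at first use of the session
    last_seen = {}  # session_id -> previous event in that session
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session_id"]
        if sid not in binding:
            binding[sid] = ev["device_id"]
        else:
            prev = last_seen[sid]
            if ev["device_id"] != binding[sid]:
                alerts.append(_alert(ev, "device_mismatch",
                                     f"session bound to {binding[sid]}, used from {ev['device_id']}"))
            elapsed = ts - datetime.fromisoformat(prev["ts"])
            if ev["country"] != prev["country"] and elapsed <= travel_window:
                alerts.append(_alert(ev, "country_change",
                                     f"{prev['country']} -> {ev['country']} after {elapsed}"))
        if ev["bytes_out"] >= download_threshold:
            alerts.append(_alert(ev, "bulk_download", f"{ev['bytes_out']} bytes out"))
        last_seen[sid] = ev
    return alerts


def sessions_to_revoke(alerts):
    """Sessions that the response plan should revoke first, deduplicated."""
    return sorted({a["session_id"] for a in alerts})


if __name__ == "__main__":
    found = detect_session_anomalies(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['reason']}] {a['user']} {a['session_id']} at {a['ts']} "
              f"from {a['ip']}: {a['detail']}")
    print("revoke sessions:", sessions_to_revoke(found))
```

Binding a session to the device that first used it is the same idea token protection enforces at the identity provider; the detection here is the monitoring-side counterpart for environments where not every application can yet require bound tokens. The device-mismatch check is the strongest signal, since a legitimately travelling clinician changes country but does not change the device their session was issued to.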

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
