NHS MFA Policy

How to make NHS MFA policy implementation easier

Multi-factor authentication (MFA) has become the gold standard in access control for organisations that are serious about data security. It’s not hard to see why: as cybercriminals become increasingly capable and efficient, and working environments become increasingly digital and often remote, the attack surface available to them is expanding rapidly.

Large and dispersed organisations are particularly vulnerable to cyber-attacks. For example, NHS Digital deals with tens of millions of malicious attacks on NHS accounts every month, and in this period the NHS’s digital perimeter security system must protect tens of billions of transactions, carried out on millions of items of hardware and from countless locations, including patients’ homes and community-based clinics. And of course, the NHS and its partners are bound by data protection regulations, such as the Data Protection Act 2018 (which is effectively the UK’s iteration of GDPR).

Given this context, and the extreme sensitivity of the data involved, NHS England’s introduction of an organisation-wide NHS MFA policy makes perfect sense.

In this article, we explore the nature of MFA and how it lets users secure accounts with far greater security than traditional forms of authentication. We also take a closer look at the new NHS MFA policy, the challenges that implementation might generate and how SecurEnvoy MFA can overcome them while making policy implementation and compliance straightforward.

What is MFA?

Every time we sign in to a digital account, that system must make sure we are who we claim to be, for example by asking for a username and password. This process is called authentication.

For many years, the username and password combination was the standard form of authentication, but it’s not very secure and is becoming less so with every passing day. Cybercriminals have a growing array of techniques available to them and often find it easy to breach accounts that rely on traditional authentication techniques. That is why MFA is fast becoming the norm.

Multi-factor authentication (MFA) requires anyone trying to log in to prove their identity with more than one independent factor. The factor categories are something you know (e.g., a password), something you have (e.g., a smartcard, a secure USB key or an authenticator app on your phone) and something you are (e.g., biometric identifiers like your fingerprint or facial recognition). So, an account secured with MFA might ask you to provide both a password and a time-based one-time code generated by the authenticator app on your smartphone, for example.

The use of MFA makes it much harder for unauthorised users to breach an account. A cybercriminal may be able to guess, buy or phish your password, but that alone is no longer enough: unless you have been particularly careless, it’s extremely unlikely that they will also have access to your smartphone or secure USB key.

While MFA might initially seem like an extra step that burdens end users, choosing a solution that offers a range of authentication options suited to different user personas makes a real difference. Coupled with dynamic access policies that step up authentication in line with the sensitivity of what is being accessed, it delivers a largely seamless user experience. Users therefore adopt it more quickly, and the security benefit arrives sooner.

Thus, in practice, MFA is a user-friendly way to secure data and account access. Indeed, according to the United States Cybersecurity and Infrastructure Security Agency, using MFA makes an account 99% less likely to be hacked. MFA can also help organisations provide a reliable, verifiable audit trail of data access that can be used to prove regulatory compliance (e.g. for data security audits) and/or to support incident investigations.

What is the new NHS MFA policy?

In early 2023, NHS England published a new MFA policy that mandates the use of MFA in specified ways across its own and some affiliated organisations by March 2024. The policy currently applies to NHS trusts and foundation trusts; integrated care boards; arm’s-length bodies of the Department of Health and Social Care; commissioning support units within NHS England; and operators of essential services for the health sector in England as designated under the Network and Information Systems Regulations 2018.

You can find the policy and guidance documents here.

In light of this policy, since early October 2023 new NHSmail accounts have had MFA enabled by default, but organisations must apply MFA themselves to existing systems and accounts, to an extent that depends on each account-holder’s role and data access rights. Ultimately, MFA will be applied throughout the health sector, with particularly stringent requirements for accounts that are used remotely (which might, for example, include community nursing teams and mobile clinics) and those with privileged access.

In the great majority of cases, NHS and affiliated organisations will have to take responsibility for the deployment of MFA to their systems. Required technical approaches have not been specified or recommended in detail, but organisations are advised to comply with a range of best-practice guidelines such as those published by the UK government; the National Cyber Security Centre (NCSC); and the US Cybersecurity and Infrastructure Security Agency.

For NHS organisations already operating under immense post-pandemic pressure, and often without substantial in-house cyber-security experience or expertise, this is quite a challenge.

Finding the right partner for NHS MFA implementation

Given the specifications and timelines involved, many NHS and affiliated organisations will save a great deal of time and resource, and will greatly limit their risk exposure, by working with a trusted provider to implement MFA.

As an innovator in MFA solutions, a well-established company (we recently celebrated our twentieth birthday) and a provider to the NHS (read our case study with Milton Keynes Hospital here), SecurEnvoy is a natural choice for NHS MFA policy implementation. A comprehensive alternative to Microsoft Azure MFA, our MFA solution boasts an array of features and integrates with your existing on-premises systems, such as VPN and remote desktop (RDP), as well as cloud applications and data repositories. Catering to organisations of any size, from ten to over half a million users, we provide a wide range of user-friendly authentication options, so that your staff can access systems and data with minimal friction. Furthermore, our efficient set-up process keeps delay to a minimum, allowing you to meet the March 2024 deadline without disruption to your workflows or services.

SecurEnvoy is trusted by thousands of organisations worldwide, including NHS organisations. Why not try our MFA solution free of charge today? Just click here to arrange your free trial, and take the headache out of NHS MFA policy implementation.

Published: 31 October 2023

Category: Industry News, Industry Research

2FA / Compliance / Healthcare / MFA

Darren Leach

Darren Leach, UK Sales Manager

Darren has been working in the cyber security industry for over 20 years. He has worked for both cyber security vendors and partners, and has managed regions across the UK, Ireland and Northern Europe. Darren joined SecurEnvoy 6 years ago as UKI Channel Manager, and now is responsible for the UK business including customer and partner relationships.
