How to make NHS MFA policy implementation easier
What is MFA?
Every time we sign in to a digital account, that system must make sure we are who we claim to be, for example by asking for a username and password. This process is called authentication.For many years, the username and password combination was the standard form of authentication, but it’s not very secure and is becoming less so with every passing day. Cybercriminals have a growing array of techniques available to them and often find it easy to breach accounts that rely on traditional authentication techniques. That is why MFA is fast becoming the norm.Multi-factor authentication (MFA) requires anyone trying to log in to identify themselves with more than one form of authentication. Examples of authentication types include something you know (e.g., a password), something you have (e.g., a smartcard or secure USB key) and something you are (e.g., biometric identifiers like your fingerprint or facial recognition). So, an account secured with MFA might ask you to provide both a password and a code generated by the authenticator app on your smartphone, for example.The use of MFA makes it much harder for unauthorised users to breach an account. It’s one thing for a cybercriminal to work out your password but — unless you have been particularly careless — it’s extremely unlikely that they will also have access to your smartphone or secure USB.While the use of MFA might initially seem like an extra step that burdens end users, choosing a solution with a diverse range of authentication options tailored to various user personas can be advantageous. Coupled with dynamic access policies that guarantee appropriate authentication for specific access levels, it results in a seamless user experience. Consequently, users are likely to adopt it more quickly, thereby bolstering security in a shorter timeframe.Thus, in practice, MFA is a user-friendly way to secure data and account access. Indeed, according to the United States Cybersecurity and Infrastructure Security Agency, the use of MFA makes account hacking 99% less likely. The use of MFA can also help organisations provide a reliable, verifiable audit trail of data access that can be used to prove regulatory compliance (e.g. for data security audits) and/or to support incident investigations.What is the new NHS MFA policy?
In early 2023, NHS England published a new MFA policy that mandates the use of MFA in specified ways across its own and some affiliated organisations by March 2024. The policy currently applies to NHS trusts and foundation trusts; integrated care boards; arm’s-length bodies of the Department of Health and Social Care; commissioning support units within NHS England; and operators of essential services for the health sector in England as designated under the Network and Information Systems Regulations 2018.You can find the policy and guidance documents here.In light of this policy, since early October 2023, new NHSmail accounts have MFA enabled by default, but organisations must apply MFA manually to older systems and account access, to various extents according to each account-holder’s role and data access rights. Ultimately, MFA will be applied throughout the health sector, with particularly stringent requirements for accounts that are used remotely (which might, for example, include community nursing teams and mobile clinics) and those with privileged access.In the great majority of cases, NHS and affiliated organisations will have to take responsibility for the deployment of MFA to their systems. Required technical approaches have not been specified or recommended in detail, but organisations are advised to comply with a range of best-practice guidelines such as those published by the UK government; the National Cyber Security Centre (NCSC); and the US Cybersecurity and Infrastructure Security Agency.For NHS organisations already operating under immense post-pandemic pressure, and often without substantial in-house cyber-security experience or expertise, this is quite a challenge.Finding the right partner for NHS MFA implementation
Given the specifications and timelines involved, many NHS and affiliated organisations will save a great deal of time and resource, and will greatly limit their risk exposure, by working with a trusted provider to implement MFA.As an innovator in MFA solutions, a securely established company — we recently celebrated our twentieth birthday — and a provider to the NHS (read our case study with Milton Keynes Hospital here) SecurEnvoy is a natural choice for NHS MFA policy implementation. A comprehensive alternative to Microsoft Azure MFA, our MFA solution boasts an array of features and seamlessly integrates with your current legacy on-premises systems like VPN and remote desktop (RDP), as well as cloud applications and data repositories. Catering to organisations of any size, from ten to over half a million users, we provide a wide range of user-friendly authentication options. This ensures that your staff can access systems and data with minimal friction. Furthermore, our efficient set-up process ensures minimal delay, allowing you to align with the March 2024 deadline without any disruption to your workflows or services.SecurEnvoy is trusted by thousands of organisations worldwide, including NHS organisations. Why not try our MFA solution free of charge today? Just click here to arrange your free trial, and take the headache out of NHS MFA policy implementation.Published: 31 Oktober 2023
Category: Industry News, Industry Research
2FA / Compliance / Healthcare / MFA
Multi-Factor
Authentication
(MFA)
Any user. Any device.
Anywhere.
For companies that take authentication seriously.
Learn more about SecurEnvoy MFA
Hear more from
our security
experts