Embracing Enhanced Security – Our Guide to NHS England's Multi-Factor Authentication Policy

Why It's Changing

With cyber threats looming ever larger, safeguarding patient data and healthcare systems has never been more critical. The NHS England multi-factor authentication (MFA) policy marks a transformative step towards bolstering cyber defence. With user accounts often targeted as the weakest link, the move towards MFA is designed to thwart attackers, making unauthorised access exponentially more challenging. The policy is a clear call for enhanced data security, aligning with guidance from the Data Security and Protection Toolkit (DSPT) and the Network and Information Systems (NIS) Regulations 2018.

How This Will Help

MFA isn’t just an added layer of security; it’s a significant barrier against cyber intrusions. By requiring users to provide two or more verification factors to access systems, MFA can block 99.9% of automated cyber attacks. This means even if a password is compromised, unauthorised users can’t easily breach the system. For the NHS, implementing MFA translates to better protection of sensitive patient information and a more resilient infrastructure capable of delivering uninterrupted patient care.

How Will It Affect Me?

For NHS staff, the introduction of MFA means adapting to new login procedures for accessing systems remotely or for performing privileged tasks. The transition to MFA will require learning how to use additional authentication methods, which may include receiving a code via SMS, using a push notification from a mobile app, or employing a hardware token like an NHS smart card. While the change might require an adjustment period, the ultimate goal is to secure data and systems effectively, ensuring that healthcare services remain robust against cyber threats.

When Is It Likely to Happen?

The policy took effect immediately upon its publication in August 2023, and NHS organisations are urged to comply as soon as practical. Recognising the logistical challenges of wide-scale MFA deployment, the Joint Cyber Unit expects organisations to demonstrate progress toward full compliance. By 29 February 2024, organisations must show plans to meet the policy’s requirements by 30 June 2024. Compliance will primarily be assessed through the Data Security and Protection Toolkit (DSPT) submissions, with the possibility of additional information notices under the Network and Information Systems Regulations 2018 for further clarification.

As cyber threats evolve, so must the strategies to counteract them. This phased approach will allow organisations time to adopt MFA technologies, ensuring a secure transition without disrupting critical healthcare services. It underscores a commitment to improving cyber resilience across the NHS, safeguarding both patient data and healthcare delivery against evolving cyber threats.

SARD's Commitment to Supporting the MFA Transition

As we adapt to these changes, SARD, as a dedicated system provider to the NHS, is fully aware of the upcoming shifts in authentication protocols. Our team is proactively preparing to ensure a smooth transition for our customers, aligning with the new MFA policy requirements. We are committed to keeping our users informed and supported every step of the way, and to keeping any changes as hassle-free as possible.

Should you have any queries or need further clarification on how these changes may affect your interaction with SARD systems, please don’t hesitate to reach out to our support team. We’re here to help.

For more information about how SARD can help, be sure to follow us on LinkedIn.

Additional Resources:

Guide to multi-factor authentication (MFA) policy

Multi-factor authentication policy: enforcement intent
