NHS Multi-factor Authentication (MFA) Policy
On 24th April 2023, the National Cyber Security Centre (NCSC) unveiled significant updates to the Cyber Essentials scheme, a move that underscores the growing importance of cybersecurity in today’s digital age. Among the most notable changes is the mandatory implementation of multi-factor authentication (MFA) for all users across all cloud services.
The New Cyber Essentials Mandate
Previously, the Cyber Essentials scheme required only admin users to have MFA enforced. This was a step in the right direction, ensuring that those with the highest level of access to sensitive data had an added layer of security. However, as cyber threats have evolved and become more sophisticated, the NCSC recognised the need to bolster security measures across the board.
The updated mandate now requires MFA for all users, not just administrators. This means that every individual accessing cloud services, regardless of their role or the nature of their access, will need to go through an additional authentication process. This change is expected to significantly increase the number of MFA checks during a Cyber Essentials Plus assessment.
NHS Digital’s Announcement on MFA
NHS Digital recently underscored the significance of MFA, acknowledging it as one of the most effective methods to shield data and accounts from unauthorised access. Their policy ensures the application of MFA on digital systems throughout the health sector, especially focusing on accounts that are remotely accessible or have privileged system access.
Targeted at senior IT leads, cybersecurity leads, and other relevant personnel, both the policy and guidance have been adopted by the Department of Health and Social Care as guidance under s3(3)(b) of the Network and Information Systems (NIS) Regulations 2018. Organisations designated under these regulations as operators of essential services for the health sector are legally bound to consider this guidance.
Currently, this policy is applicable to:
- NHS trusts and foundation trusts
- Integrated care boards
- Arm’s length bodies of the Department of Health and Social Care
- Commissioning support units in NHS England
- Operators of essential services for the health sector in England as designated under the NIS Regulations
Why MFA Matters
MFA is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity. In simpler terms, it’s like having two locks on your door instead of one. Even if a cybercriminal manages to crack one lock (your password), they still have another lock (a unique code sent to your phone, for instance) to contend with.
By extending MFA requirements to all users, the NCSC is sending a clear message: every point of access, no matter how seemingly insignificant, can be a potential vulnerability. By safeguarding each access point, the entire system becomes more secure.
Leading the Way in Cybersecurity
Our organisation has always prioritised the security of our users and their data. We’re proud to say that when the Cyber Essentials changes came into effect, we were already one step ahead. As one of the few online training providers to the UK healthcare industry with MFA in place for all users, we’ve demonstrated our commitment to cybersecurity.
This foresight not only ensures that we remain compliant with the latest regulations but also provides our users with the peace of mind that their data is in safe hands. It’s a testament to our belief that security is not just about meeting standards but about exceeding them for the benefit of our users.
Our proactive approach aligns seamlessly with NHS Digital's new mandate, showcasing our commitment to cybersecurity and the safety of our users.
The recent changes to the Cyber Essentials scheme, combined with NHS Digital's announcement, highlight the ever-evolving landscape of cybersecurity. As threats become more advanced, so must our defences. MFA for all users is a significant step forward in this journey. We, at Blue Stream Academy, are proud to have been pioneers in this area, and we remain committed to staying at the forefront of cybersecurity best practices.