Multi-factor Authentication – Now a requirement in the NHS

Are you ready yet? We’re here to help

Recent changes to the NHS Data Security and Protection Toolkit (DSPT) (DAPB0086: Data Security and Protection Toolkit, published under s250 of the Health and Social Care Act 2012) have upgraded recommendations around how remote access to systems and privileged accounts are managed. It now mandates that multifactor authentication (MFA) MUST be enforced on all remote user access to all systems and on all privileged accounts that access externally-hosted systems (for example cloud-hosted or SaaS applications). Furthermore, it states that MFA SHOULD be enforced on privileged accounts that access all other systems (for example in-house or on-premises applications).

This is a significant move forward in the provision of cyber security and applies to NHS trusts and foundation trusts, integrated care boards (ICBs), arm’s length bodies of the Department of Health and Social Care, commissioning support units (CSUs) within NHS England and operators of essential services for the health sector as designated under the Network and Information Systems Regulations 2018. However, many organisations are unprepared. Market research conducted by Imprivata last year (with research firm WBR Insights, that questioned 200 security leaders at healthcare companies across the US and UK), indicated that only half of the respondents surveyed are using MFA.

What is Multifactor Authentication?

Multifactor authentication is a core security technology that requires multiple verification factors to gain access to data and applications. Authentication methods are typically:

  1. something you have (a token or a smartcard for example)
  2. something you know (a PIN or password)
  3. something you are (biometrics such as a fingerprint, facial recognition or a palm vein scan).

A combination of two or more of these methods provides a strong defence against a variety of attacks where an account identity and password are targeted.

Why has the NHS changed its requirements?

Increasing cyber attacks targeting the sector mean that healthcare organisations need to strengthen their cyber security processes. This is not always easy for resource-strapped organisations that are focused on providing the best possible care for patients. Security is often seen as a barrier to accessing systems at the point of care, adding extra stress to frontline clinicians. However, when the right technology is used, MFA can be implemented as part of a package that makes access to clinical systems much faster and almost transparent to the end user, as well as more secure.

A focus on privileged or admin access accounts is required because they carry more power than an ordinary user account and are therefore a prime target for cyber criminals looking to harvest patient information which is highly valuable on the dark web, or to disrupt critical healthcare provision for malicious purposes. Remote user access is also higher risk because access is often via an unsecure or unmanaged network that may be more prone to attack.

The use of MFA is a key part of taking a Zero Trust cyber security stance, which is considered industry best practice. This means checking all identities and devices that connect to the corporate network, even if they have previously been verified. By identifying and managing privileged accounts organisations increase security by supporting a Zero Trust model, and reducing the potential attack surface.

How Imprivata can help

Integrated Access Management (IAM) and digital identity solutions from Imprivata can support multifactor authentication, PAM and Zero Trust. Our integrated digital identity solutions centrally control access management and authentication for people, systems and devices (including Internet of Medical Devices). This helps to provide the authentication requirement to meet the NHS guidelines, without the workload/cognitive burden for busy clinicians.

Additionally, our white glove services are able to provide an additional resource and clinical systems expertise to IT departments. These services have helped customers to get the most from their investment in Imprivata digital identity technology, ensuring the solutions support clinical workflows, resulting in enthusiastic adoption by frontline clinicians. South Tees is a prime example where we provided this service.

My colleague, Chris Beyer, who is Manager, International Managed Services, talks about our focus on building productive partnerships in his blog. For more information about how Imprivata can help your organisation meet the new NHS DSPT recommendations for remote and privileged access to systems contact us today.