Multi-factor authentication (MFA) is to be mandatory for NHSmail accounts from March of next year.
Chris Day, clinical informatics manager in the NHS England Transformation Directorate, said the step is being implemented to provide a new line of cyber protection and encouraged organisations that use the service to adopt the relevant toolkit and guides.
This follows the recent publication of an NHS policy on the use of MFA as a central element of cyber security in the health service.
Writing in a blogpost, Day said that most cyber attacks could be prevented by MFA, which requires an additional factor on top of name and password to log into a digital system.
He reiterated a call – recently expressed by NHS England’s head of operations and engagement in cyber security Paul Barnes – for organisations to follow the policy, and said that MFA is being rolled out to all the 1.7 million NHSmail users in health and social care.
Reducing patient risk
Day identified two challenges in the effort. One is to spread the perception in the NHS that cyber security is not an irritant or unwanted cost but a means of reducing risk to patients. The other is to give organisations the capacity and knowledge to implement MFA.
“Within local NHS trusts, staff have been using smartcards to sign into some systems for many years,” he said. “This is multi-factor authentication. People don’t think about why they must use the smartcard anymore.
“We need the same mentality throughout all of our workflows.”