A leading cyber security official of NHS England has urged organisations to follow its recently published policy on multi-factor authentication (MFA).
Paul Barnes, head of operations and engagement in cyber security, was speaking at the UKAuthority Resilience and Cyber4Good online conference yesterday.
He said the use of MFA – which requires an additional factor to name and password to log into a digital system – should now be regarded as a core element of cyber security in the health and care system.
In late August NHS England published the relevant policy document, as part of its guidance for essential operators in health services on compliance with the Data Protection and Security Toolkit.
“It applies to trusts, integrated care boards, arm’s length bodies, non-NHS providers and others,” Barnes said. “It states that organisations must enforce MFA for remote user access to systems; must enforce MFA to all privileged access accounts on externally hosted systems; and should enforce MFA on all privileged users access to other systems.
“There are some exceptions to that as we recognise that not everyone, or every system or scenario is suitable for MFA. But the message is coming through; if users and password credentials are given away or stolen, the attackers have that information, and MFA will stop the escalation of the attack.”
Requirements and exceptions
The policy document lays out details of the requirements and exceptions, the latter of which includes unprivileged user account access from within an organisation’s trusted network and access to a system to which the same user has previously authenticated with MFA from the same device.
It outlines the distinctions between ‘basic’, ‘better’ and ‘best’ strengths for different purposes, and says organisations may user other authentication services, such as NHS Care Identity Service 2 or NHSmail, to provide MFA through federation.
Barnes also told the conference that NHS England has developed a five pillared approach in its strategy for cyber resilience in the health and care system. This involves: a focus on the greatest risk and harms; defending as one; developing people and culture; building secure for the future; and exemplary response and recovery.
A key element of this is the Cyber Improvement Programme, which involves investment in three areas: developing security controls and capabilities, targeted investment at the level of integrated care systems and providers; and an expansion of the customer scope to reflect the risk landscape.
Barnes also referred to the ongoing development of a ‘cyber security strategy in a box’ product for integrated care systems, which he said will be available to other organisation such as local authorities.
