Multi-factor authentication: a silver cyber bullet?

Source: Chris Day, Clinical Informatics Manager, NHS Digital

Clinical informatics manager Chris Day says full implementation of multi-factor authentication is critical to local organisations’ cyber security.

Cyber security is about risk reduction and that can make it a difficult sell in the NHS.

Hard-pressed boards often want to know how much something is going to save them, but the cost of not implementing cyber security measures can only be calculated when their network or system is compromised.

When that happens, the cost of cyber incident response often looms very large indeed. That is without considering harm to patients through lost or compromised data and the unavailability of key systems. On top of that, a breach chips away at the public trust on which the NHS completely relies. People rightly expect us to keep their information safe. If cyber-attacks are not prevented and managed effectively, we risk loosening our bond with the public.

What needs to be done?

While each cyber-attack is unique, a common theme for many is the presence of a compromised username and password. This is most clearly seen in phishing attacks that aim to capture account details that attackers can use to hijack user accounts.

That means almost all of them could be prevented by multi-factor authentication (MFA), such as by combining a smartcard or an authenticator app on a phone with a strong password. In fact, evidence suggests that MFA reduces the risk of successful cyber-attacks by blocking over 99.9% of account compromise attacks (Source: Microsoft 2022).

Multi-factor authentication has been available for a long time in other sectors such as banking. It’s a normal part of our daily lives. We use it without even thinking about it.

And yet most NHS organisations do not have multi-factor authentication fully enabled in their IT systems. We’ll often see trusts fully implement it after becoming compromised, when it is too little too late.

Implement multi-factor authentication

All health and care organisations (including acute trusts, social care, and arm’s length bodies) should fully implement multi-factor authentication. It will significantly improve their ‘security posture’ – that is, their overall cybersecurity strength and how well they can predict, prevent and respond to ever-changing cyber threats.

Specifically, we’ve got to get all internet-facing accounts that give remote access, all administrative accounts for networks, and all clinical systems behind multi-factor authentication.

Email accounts are a key target for cyber-attacks and MFA on email accounts will greatly increase the cyber security posture of the system as a whole.

Currently, multi-factor authentication is being rolled out for the 1.7 million NHSmail users across health and care. We are working closely with NHS organisations across the system to do this. In March 2024 MFA will be mandated for all NHSmail accounts as a second line of protection. I would encourage organisations that use NHSmail to use our adoption toolkit and guides which offer helpful tips on how to roll this out.

Change cultures

There are 2 key challenges to overcome.

First, we need to continue our fight for hearts and minds. Cyber security must not be seen as an irritant or an unwanted cost. Everybody in the NHS must understand that it is about avoiding risk to patients, preserving scarce resources and maintaining the public’s trust.

Second, we’ve got to give organisations the capacity and knowledge to implement multi-factor authentication.

Services are under great pressure and the solutions we put in place must work for staff and support efficient working. Within local NHS trusts, staff have been using smartcards to sign into some systems for many years. This is multi-factor authentication. People don’t think about why they must use the smartcard anymore. We need the same mentality throughout all of our workflows.
