NHS Digital has published new rules requiring all digital systems to have MFA protection, with special focus on accounts with privileged access.
NHS bodies have been told they must “achieve full compliance” by 30 June 2024.
But they have even less time than that to be ready, with NHS Digital stating they must provide evidence of their plans to adhere to the new requirements by 29 February 2024 at the latest.
And, in fact, the Multi-Factor Authentication policy takes effect immediately.
An excerpt from NHS Digital’s announcement on the new policy states that organisations “should enforce MFA on all privileged user access to all other systems”.
And they must enforce MFA on:
1) All remote user access to all systems
2) All privileged user access to externally hosted systems
NHS Digital stated: “This policy will ensure that MFA is used on digital systems throughout the health sector, with particular requirements on accounts that are remotely accessible or have privileged access to systems.”
We’ve already seen in the DSP Toolkit in recent years that protecting privileged accounts has become more and more important.
Ultimately, if a bad actor gets into the IT environment intending to cause damage or drop ransomware, but cannot get access to a privileged account, they will not be able to elevate their privileges, which prevents them from reaching and harming critical systems such as backups.
Many, if not all, NHS bodies work with third parties – suppliers or contractors – who need to access the IT environment. Enforcing MFA will provide a much greater level of protection for working with these key partners, who bring many benefits, but also raise risks without a higher level of security in place.
The new MFA policy follows the publication of the new NHS Cyber Strategy earlier this year.
Although MFA has been encouraged through DSPT compliance previously, this new directive has greatly strengthened it and made it compulsory across the board. We’ve already seen MFA becoming a compulsory part of cyber insurance requirements in the last few years.
Data Security and Protection Toolkit (DSPT) submissions will be the method used to determine whether organisations are complying. If these submissions are incomplete or unclear, information notices may be issued under the Network and Information Systems Regulations (NIS) 2018.
The policy requirements, which have been wrapped into the DSPT, apply to:
• NHS trusts and foundation trusts
• integrated care boards
• arm’s length bodies of the Department of Health and Social Care
• commissioning support units in NHS England
• operators of essential services for the health sector in England as designated under the NIS Regulations
NHS Digital expressed the importance of bringing this new MFA policy into effect, saying that “Multi-factor authentication is widely recognised as one of the most effective ways to protect data and accounts from unauthorised access. MFA… is an effective control against a wide range of account compromise techniques, stopping simple attacks altogether and making it much more difficult for even sophisticated attackers to succeed.
“Industry research suggests that MFA can prevent 99.9% of account compromise attacks, and MFA is widely considered by cyber security authorities globally to be one of the most important controls that any organisation can deploy. Its use in the NHS will help protect patient data and organisations’ capability to deliver patient care.”
NHS Digital makes the point that MFA is widely considered to be essential. Indeed, the National Cyber Security Centre says MFA is highly important for protecting backup systems.
It says: “Multi-factor Authentication should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups. Privileged Access Management solutions remove the need for administrators to directly access high-value backup systems.”
Osirium PAM provides exactly the solution that NHS bodies need to protect privileged accounts effectively and securely, and it also aids DSPT compliance.
More than 50 NHS Trusts already trust Osirium PAM to manage and safeguard privileged access.
In terms of MFA, Osirium PAM includes time-based one-time passwords (TOTP) and also supports external authentication through RADIUS with major IAM solutions, reducing the risk of third-party accounts being shared.
Single sign-on (SSO) is performed by PAM injecting the required admin credentials into the session with the target system. This means passwords are never sent down to the client, removing the possibility that sniffing memory or inspecting command strings in the process tree will ever reveal a password.