Cybersecurity in healthcare isn’t just about protecting data; it’s about protecting lives. From making sure clinicians can reach the right patient records to keeping critical systems out of the hands of ransomware operators, strong security is essential. That’s why the NHS has made Multi-Factor Authentication (MFA) a requirement across all healthcare organisations.
As of June 2024, NHS trusts, GP surgeries, hospitals, labs and all other healthcare providers are expected to be fully compliant with this policy. If you are still planning your rollout, or are unhappy with your current MFA solution – now is the time to act.
Why is MFA Important?
MFA means proving who you are with more than just a password. The second factor is something you have or something you are: a fingerprint, a code from an authenticator app or text message, a push notification, or a hardware security key. Even if an attacker has stolen or guessed the password, they cannot log in without that second piece of proof.
This added layer of protection is crucial. According to the Verizon 2023 Data Breach Investigations Report, 74% of breaches involved a human element, with stolen credentials and social engineering among the most common routes in. Simply put, a password on its own is no longer enough.
In healthcare, where patient data and life-saving systems are at stake, the consequences of an attack can be devastating. In 2020 a ransomware attack on University Hospital Düsseldorf forced an emergency patient to be diverted to another hospital, and she died; although German prosecutors later concluded the delay was not the cause of death, the case shows how quickly an IT outage becomes a clinical one.

What Does the NHS MFA Policy Say?
The NHS policy focuses on getting MFA in place quickly, with priority for users who access systems remotely and for privileged (administrative) accounts. It encourages all healthcare organisations to follow recognised industry standards and to choose authentication methods that suit their teams and clinical workflows.
Importantly, the policy doesn’t ask for a “perfect” solution. Instead, it says to implement what’s feasible now and improve it over time. This approach allows organisations to start small, meet the basic requirements, and expand later.
MFA is a Starting Point – Not the End Goal
The NHS has taken a positive step by making MFA mandatory. However, it’s worth remembering that attackers frequently get their first foothold through an ordinary user account and then escalate privileges or move laterally from there. Stopping at “privileged” and remote users therefore still leaves gaps.
Healthcare organisations should think about extending MFA to more users over time, not just admins or remote workers. The more people covered, the harder it is for attackers to gain a foothold.
And while MFA is essential, it isn’t foolproof. Weaker factors can still be defeated: one-time codes can be relayed by a real-time phishing site, SMS codes can be intercepted through SIM swapping, and users can be worn down into approving a push notification they did not initiate. Phishing-resistant methods such as FIDO2 hardware keys close most of these routes, and MFA of any kind should sit within a broader security strategy that includes user training, monitoring, and a zero-trust mindset.
Need Help Choosing or Switching MFA Providers?
DTE is a Gold Partner of RSA Security and has years of experience helping organisations in healthcare and beyond strengthen their digital defences. If you’re not happy with your current MFA setup or haven’t rolled one out yet – consider RSA as a trusted alternative.
RSA’s ID Plus platform offers flexible, passwordless authentication that works across cloud, on-premises, and hybrid environments. And NHS organisations can try it free for 45 days.
Get in touch for more information on how we can help you stay safe and strengthen your defences.
