When it comes to healthcare, cybersecurity can literally be the difference between life and death. To coordinate patient care, deliver the right electronic health records to the appropriate medical personnel, or protect sensitive information, hospitals, labs, and other healthcare providers must stay online, connected, and secured.
That’s why the National Health Service’s (NHS’) new requirement that all entities implement multi-factor authentication (MFA) is such an important milestone. I’m not just saying that on behalf of RSA: this is personal. I’m from the UK and still have family there. By implementing MFA, the NHS will continue to keep its patients’ (my family’s included) highly sensitive health information safe.
And while the policy is particular to the NHS, it’s also part of a broader global trend. The new NHS requirement follows mandates in the U.S. to improve the nation’s cybersecurity. Likewise the European Union’s NIS2 directive aims to establish a “high common level of cybersecurity” among all member states. Incidents like Log4j, the war in Ukraine, and state-sponsored cyberattacks have all put cybersecurity front and center around the world: it’s never been more important for all organizations to focus on hardening their defenses. That’s especially true for healthcare, which is why I’m so encouraged that the NHS is taking cybersecurity seriously.
But for a system as large and complex as the NHS, it will take real work to implement multi-factor authentication in time to meet the February 2024 deadline to demonstrate implementation plans, or the June 2024 deadline for full compliance. So, let’s look at why MFA matters in cybersecurity, review the NHS MFA policy requirements, and discuss the capabilities that NHS trusts, integrated care boards, arm’s length bodies of the Department of Health and Social Care, and other healthcare providers should prioritize.
Multi-factor authentication (sometimes stylized ‘multi factor authentication’) provides an extra layer of security that helps to ensure a user is who they claim to be. Rather than only requiring an email address and password, MFA requires that users provide an additional factor—such as entering a verification code, responding to a push notification, using a security key, or providing biometric information—to log-in.
Adding that extra layer of security can have a tremendous impact. Providing a password and email simply isn’t enough to stop most data breaches: the Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involve either “Error, Privilege Misuse, Use of stolen credentials, or Social Engineering.” The report also found that the use “of stolen credentials became the most popular entry point for breaches” over the past five years.
And it’s not just that more breaches start with compromised passwords—it’s that those breaches also tend to have a bigger impact. The IBM Cost of a Data Breach Report 2023 found that breaches which began with stolen or compromised credentials took 308 days to detect and contain on average, making them one of the most frequent, longest-lasting, and costliest initial attack vectors.
I’d recommend that GPs, hospitals, and labs use the NHS MFA policy as a way to address the very real threat of cyber attacks, and not view it as another ‘tick-the-box’ measure they need to complete. Because the NHS’ digital systems are already under attack:
- Earlier this year, a cybersecurity firm found that “millions of medical devices in NHS Trust hospitals are…entirely open to ransomware attacks by cybercriminal gangs”
- In July, the BlackCat / ALPHV ransomware syndicate reportedly made off with 7 terabytes of patient data from Barts Health NHS Trust, one of the UK’s largest hospital groups
- This June, the University of Manchester announced that “NHS details of more than one million patients had been compromised”
- In 2022, NHS IT provider Advanced announced that it would take “three to four weeks to fully recover” after it was hit by a ransomware attack; that attack forced medical personnel to take care notes “with pen and paper” for weeks, which in turn created “six months to process and input” the manual backlog
- The National Cyber Security Centre (NCSC) noted that state-sponsored actors “targeted…the NHS during the height of the pandemic”
I could go on. Whether it’s ransomware attacks, account compromise attacks, social engineering, or plain old phishing, cybercriminals are trying to get their hands on user accounts and patient data, or to disrupt operations to the point that hospitals have to pay. Because peoples’ lives really are on the line: in 2020, threat actors disabled systems at Düsseldorf University Hospital in Germany. During the attack, doctors attempted to transfer a patient to another hospital to receive care. The patient died during the transfer, marking “the first known case of a life being lost” as the result of a ransomware attack.
RSA has worked with the health sector for decades. This year, we released significant new capabilities that will help keep electronic health records secure, and we understand that securing medical systems requires that organizations address compliance requirements and harden themselves to cyber attacks.
I think the NHS England MFA policy does a good job prioritizing an achievable goal: getting multi-factor authentication in place is table stakes in cybersecurity, and the policy’s directive that MFA must “be enforced on all remote user access to all systems” and “be enforced on all privileged user access to externally-hosted systems” will help secure a significant number of high-risk users and use cases.
That said, I think the mandate should go further and extend to all users. The NHS defines ‘privileged user’ as “a systems administrator or having security-related functions.” I expect that their intent in securing admins first is to keep their accounts from being compromised and implementing system-wide security changes.
If that’s the case, then that’s a reasonable first step—as long as it’s not the last step. Stopping with privileged users accessing external systems or remote users still leaves far too much trust baked into the system. Cybercriminals are very good at finding the gaps in a security system and exploiting them to their full advantage—and leaving MFA off any users without security-related functions or internal users is a very big gap.
Organizations tend to put most of their defenses around higher-value accounts and prepare to defend themselves from external attacks; that thinking fails to recognize that many attacks progress internally after compromising a lower-level account. Very few attacks begin by compromising administrative credentials.
Instead, attackers “use a variety of tools to traverse your environment and then pivot, including using phishing and stolen credentials to obtain access and adding backdoors to maintain that access and leverage vulnerabilities to move laterally,” per the Verizon 2023 Data Breach Investigations Report. While attackers will try to gradually move upwards and escalate their privileges as they go, they start by compromising the lower-level and less secure accounts.
Moreover, while MFA is critical, it’s not a silver bullet. Organizations need to move closer to zero trust and make security a critical component of every business process. Look at the BlackCat / ALPHV hacking group that breached Barts Health Trust: this autumn, that same group managed to evade MFA by socially engineering the IT Help Desk at Caesars Entertainment Group in Las Vegas, which reportedly led to a $15 million ransom payment.
Don’t get me wrong: there’s a lot to like in the NHS England multi-factor authentication policy. For instance is its use of industry standards: if NHS offices choose to implement biometric authentication, the policy recommends reviewing NIST SP 800-63B s5.2.3 and NCSC ‘Biometric recognition and authentication systems’. Those are extremely helpful documents—by referring to them, NHS personnel can build best practices into their MFA deployment.
The NHS England MFA policy guide also prioritizes pragmatism and flexibility, noting that “[a]ll technical approaches to MFA are currently permitted” and that organizations shouldn’t try to find an “ideal” solution: “instead you should implement what is feasible, and improve it over time.” The NHS says that organizations “should choose a factor—or more likely several factors—based on the circumstances of your organizations and users.”
That approach—to not let perfect be the enemy of the good and to improve MFA over time—is excellent. More than likely, NHS organizations will need to support multiple user groups working in multiple environments. Moreover, they’ll need MFA that can adapt to new user groups and new environments as the organization’s needs evolve.
To do that, it’s essential that the NHS prioritize solutions that support a range of MFA methods today, and that’s built to extend to extend across on-premises, multi-cloud, and hybrid environments. NHS personnel can try ID Plus for 45 days to see those capabilities at work.
