Multi-factor authentication (MFA) policy

This policy will ensure that MFA is used on digital systems throughout the health sector, with particular requirements on accounts that are remotely accessible or have privileged access to systems.

Multi-factor authentication (MFA) is widely recognised as one of the most effective ways to protect data and accounts from unauthorised access.

Both the policy and guidance are aimed at senior IT leads, cyber security leads or any other appropriate person in organisations.

The policy has been adopted by the Department of Health and Social Care as guidance under s3(3)(b) of the Network and Information Systems (NIS) Regulations 2018. Organisations that are designated under the Regulations as operators of essential services for the health sector have a statutory obligation under s10(4) to have regard to such guidance. 
 
This policy currently applies to: 

  • NHS trusts and foundation trusts
  • integrated care boards
  • arm’s length bodies of the Department of Health and Social Care
  • commissioning support units in NHS England
  • operators of essential services for the health sector in England as designated under the NIS Regulations 

The accompanying guidance provides further details on how cyber, IT or the appropriate leads within your organisation can apply MFA within their own organisation and includes exemptions and scenarios to support implementation. 


About multi-factor authentication (MFA)

When MFA is enabled, users access systems by presenting proof of at least two different factors: something they know (such as a password), something they have (such as a device), or something they are (a biometric, such as a fingerprint or iris scan).

This extra layer of security means our systems are far less likely to be successfully attacked, and our data and our ability to continue to provide patient care are much more secure.


Policy documents

This letter reminds senior leaders of the deadlines associated with the NHS England multi-factor authentication policy and the expectation to provide progress and compliance information through the Data Security and Protection Toolkit.


Contact us

For further advice and information, contact the Joint Cyber Unit by emailing [email protected].

Last edited: 28 February 2024 2:18 pm