NHS Arden & GEM CSU’s IT service has successfully implemented Multi Factor Authentication (MFA) to strengthen the organisation’s protection against phishing, malware and ransomware attacks.
The Cyber Security team worked collaboratively with the wider IT service, HR, internal communications and information governance – over a three-month period – to roll out MFA functionality to protect 1,500 NHS Mail, SharePoint, Teams and OneDrive accounts. As a result, Arden & GEM has reduced the chances of data loss and improved its overall cyber posture.
The challenge
Like all healthcare organisations, Arden & GEM is a target for phishing, malware and ransomware attacks which are increasing in frequency and sophistication. In autumn 2022, a phishing campaign targeting the finance team was recorded as a ‘near miss’ cyber event and led to an incident review and recommendations being presented to the Executive team.
One of the recommendations made was to turn on MFA for NHS Mail accounts across Arden & GEM. This approach would protect the NHS Mail, SharePoint, Teams and OneDrive accounts of users from the impact of compromised logins. However, instructing and enabling 1,500 individuals to make this change to their account would require a targeted, supportive, multidisciplinary approach over a three-month period.
Our approach
With the support of the Executive team and the Senior Information Risk Owner (SIRO), the Cyber Security team put together a technical options appraisal which outlined the preferred choice of using the Microsoft Authenticator app as the primary route for MFA, with a secondary option of using SMS for those staff who don’t use smartphones.
A multidisciplinary approach
With the technical options explored and a solution chosen, the next step was to bring together colleagues from IT with HR, internal communications and information governance to plan and deliver a two-stage approach to implementation.
Within the IT team, a dedicated full-time resource was assigned to this project for its duration to oversee the rollout and provide technical support to users. They were supported in this task by the IT service desk and, for those staff particularly struggling to set up MFA, a Cyber Security Engineer. Advice and guidance were also provided by the information governance team.
The HR team was able to provide accurate staff lists (by department) to correlate with NHS Mail accounts. While an approach to contacting staff was developed in partnership with the internal communications team.
Targeting higher risk users
The rollout initially targeted users working in finance, procurement and HR teams, which were identified as departments at higher risk from current phishing attacks. The Cyber Security team attended department meetings to explain the process and why it was being implemented before sending out email instructions to individuals.
Full organisational rollout
With MFA enablement already underway with higher risk users, the next stage in the approach was to continue the rollout across the rest of the organisation. The first step to support this was the creation of a dedicated intranet page and FAQs section. This could then be used as a reference point for the subsequent communications plan which included:
- An all user email inviting staff to enrol with MFA with clear instructions and a deadline
- Targeted emails, sent at two-weekly intervals, to those users who didn’t enrol by the deadline
- Further targeted emails, copying in line managers, for those colleagues who still hadn’t complied
- A final reminder from the Head of Cyber Security reiterating the importance of this project
- Finally, a cut-off date was agreed with the SIRO, at which point MFA functionality was turned on automatically.
Reporting from the NHS Mail portal allowed the team to track enablement throughout the process, including daily uptake statistics and weekly overview reporting which was shared with stakeholders.
Overcoming challenges
Two key challenges presented during the course of this project. The first was concerns from some staff members without work mobile devices who were unsure about using their own mobile phones for MFA. This was overcome by sharing information and guidance about the both the safety and simplicity of this approach, and also encouraging staff who had already used a personal device for MFA to become advocates.
The second was ensuring that all new starters turned on MFA, something which cannot currently be done by default within NHS Mail accounts as individuals first need to agree to the User Acceptance Policy (UAP). Working with HR, the new starter policy has now been updated to include MFA and this is then checked by the Cyber Security team during monthly audits.
The outcomes
Following a targeted and supportive approach to communications and rollout, 95% of users voluntarily enrolled into MFA for NHS Mail within a three-month period.
For the 5% of users who hadn’t enrolled by this point, MFA was forcibly turned on. This was done in a staggered manner (a maximum of 30 staff per day) to ensure the service desk was prepared and resourced to cope with user demand.
As a result, Arden & GEM has reduced the chances of data loss and improved its overall cyber posture while individuals are now better protected from password harvesting and if they inadvertently or incorrectly click on spurious links.
"As the executive-level owner of information risk, I am responsible for ensuring that information threats and vulnerabilities within the organisation are identified and mitigated against. The cyber security team did an efficient and effective job of implementing MFA, not only by supporting a wide range of users to enable stronger protection within their NHS Mail accounts but also by increasing understanding of why this protection is needed in the first place."
Helen Seth, Director of Business Intelligence and Provider Management and SIRO at NHS Arden & GEM CSU