The NHS England multi-factor authentication (MFA) policy and accompanying guidance has recently been published and applies to:

- NHS trusts and foundation trusts 

- Integrated care boards 

- Arm’s length bodies of the Department of Health and Social Care 

- Commissioning support units within NHS England 

- Operators of essential services for the health sector in England as designated under the Network and Information Systems Regulations 2018 

MFA acts as an effective control against a wide range of account compromise techniques, with industry research suggesting that it can prevent 99.9% of account compromise attacks. Its use in the health sector will help protect patient data and organisation’s capability to deliver patient care.  This policy is aimed at organisational cyber or IT leads, or the appropriate person within these organisations, who should review and act on the policy and guidance.

For further information, contact the Joint Cyber Unit via email: england.cyber@nhs.net