AXREM Multi Factor Authentication (MFA) Guidance
12 March 2025
The following provides information on the methods available to implement Multi Factor Authentication (MFA) in accordance with NHS cybersecurity policies.
Context
The cyber security strategy for health and social care “2023 to 2030 Vision” is: A health and social care sector that is resilient to cyber-attack, in turn improving the safety of patients and service users.
A series of high-profile damaging attacks on healthcare facilities has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in security. Given there are currently over 80,000 suppliers to the health and care sector, the need to act is clear.
Healthcare organisations require:
• Systems to be updated to address known vulnerabilities, or – where no longer supported – mitigations to be put into place while replacements can be acquired.
• Suppliers of technology to healthcare organisations to achieve at least “Standards Met” as part of the Data Security and Protection Toolkit (DSPT).
• Appropriate application of Multi-Factor Authentication (MFA) in line with the NHS England: multi-factor authentication (MFA) policy.
• Backups of their critical business data, with tested plans that cover incident response, disaster recovery, and business continuity.
• Board level exercises to ensure they are confident of their ability to respond in the event of a cyber-attack.
• Prompt reporting following a cyber-attack affecting patient care or data, and work in partnership with NHS England, while adhering to all regulatory requirements.
• Software to meet contractual requirements, for example by being produced in adherence to the DSIT/NCSC Software Code of Practice.
Read the guidance in full here: 120325 AXREM MFA Guidance Paper
