NHS cybersecurity experts talk passwords and Specops

NHS organizations have a challenge on their hands when it comes to cybersecurity. They have to defend sprawling, heterogeneous IT environments against relentless cyber-threats, all while keeping their number one priority in mind: patient care. On a recent Specops webinar, Darren James, Senior Product Manager at Specops, spoke to three NHS IT leaders with an extensive mix of frontline cybersecurity experience:

  • Nasser Arif, Cyber Security Manager, LNWUH Trust and THH NHS Foundation Trust
  • John Edirimanasinghe, Solutions Architect, Hertfordshire, Bedfordshire, & Luton ICT Services
  • Ed Bullas, ICT Support Engineer, Black Country Healthcare NHS Foundation Trust

We’ve highlighted some key experiences and opinions from the panelists on the unique issues facing the NHS and how they’re meeting those challenges within their trusts.

What challenges does the NHS face in 2025?

The NHS is a vast organization, so it’s unsurprising its sprawling IT estate is fragmented and varied. Compared to other industries, there’s still a reliance on legacy systems and older hardware, and it’s challenging to get a unified view of assets and vulnerabilities across the network as a whole. There’s also a heavy reliance on third-party vendors and complex supply chains. At the same time, growing volumes of sensitive patient data and tight regulatory demands raise the stakes. Any breach or downtime can compromise both privacy and clinical outcomes.

The 2017 WannaCry ransomware attack was a devastating example of what a cyber incident can do. It disrupted over a third of NHS trusts in England, encrypting critical systems and forcing hospitals to cancel thousands of appointments and divert emergency patients. The worm spread by exploiting an SMBv1 vulnerability in Windows for which Microsoft had already shipped a fix two months earlier (MS17-010); the trusts that were hit were running unpatched or unsupported systems. The incident highlighted widespread weaknesses in NHS cyber preparedness and legacy infrastructure.

The NHS cyber workforce is under immense strain and needs to make effective use of the resources available to them. Cost-effective tools that can tip the scales back in their favor are invaluable.

Password challenges within the NHS

On top of the many passwords NHS workers deal with in their personal lives, they have multiple work passwords to stay on top of too. When Darren asked the panelists how many passwords NHS staff have to deal with, John answered: “I’d say at least five to ten passwords. Clinicians need to access multiple systems, as do back office IT staff. We try to reduce the burden with SSO and password managers, as we want to make sure there’s a balance between user experience and security.” Ed added: “Definitely in excess of 10 to 12 passwords, and it’s even more for elevated accounts.”

Darren also asked the panelists about the password reuse problem and whether it’s something they regularly see within the NHS. Nasser explained: “Based on cyber awareness training, users are more savvy about not using home passwords at work. So password reuse isn’t as bad as it used to be, but is still definitely taking place – especially in their personal lives. We need to fundamentally change behaviors, but it takes time and effort.”

Where can a stronger password policy help?

When the panelists were asked what drove them to strengthen their password policies with Specops Password Policy, Ed said it was an area he’d had in his sights for some time: “We didn’t want to do it solely to pass an audit – we genuinely wanted to up our game. Our team understands passwords are the weakest form of authentication (they sometimes feel like a nightmare we can’t wake up from!). So we knew we wanted to improve the policy, especially for domain logons. Passwords aren’t going away any time soon.”

John was keen to point out the importance of balancing strong policies with a good user experience: “It’s all well and good when IT enforce strong policies, but it won’t work if the users are struggling with it. We want to align policies, meet requirements, and give a good user experience at the same time.” Ed and Nasser both confirmed that one of the key benefits of Specops Password Policy has been the end user feedback that helps to guide users towards creating a password that meets their new and improved password policy.

The panelists also discussed the benefits of being able to continuously scan their Active Directories for breached passwords. John explained his experience at his trust: “We always pick up a few compromised passwords. Doing it continuously helps you spot patterns and address the areas of non-compliance.” Nasser added: “Sometimes it’s the same people, so we can use it to teach new behaviors.”


Was it a challenge to roll out new password policies?

Darren asked about the panelists’ experience of rolling out their new password policy with Specops Password Policy. Ed shared his trust’s experience: “We’re rolling out the new policy naturally as passwords expire after 90 days, so as users create their next password, the new policies take place. We’re fairly new on the journey and will soon be ramping up the Breached Password Protection feature and letting users know the benefits.”

Nasser also stressed the value of communicating the benefits of a new policy to end users: “NHSmail has helped people get used to MFA at work, but we did see an uptick in service desk calls after rolling out the new password policy. This is where communicating with users and service desk agents is key, so they know how the new policy benefits them and their profession, as our duty of care to patients extends to the digital realm too.”

How useful are password audits?

Darren also asked the NHS panelists to share their experience of working with Specops’ free, read-only auditing tool: Specops Password Auditor. Nasser responded: “It’s fascinating to find people with the exact same password (especially if it isn’t a weak one) and really highlights the need for continuous monitoring. I actually found a husband and wife sharing a password from different departments! It’s interesting to see with privileged users too – admins aren’t perfect either.”

John had a similar experience: “When I ran it for the first time, I was shocked at the number of compromised passwords being used. And there are other things it helps you manage proactively – like why do we need this stale admin account? The insight you get from a free tool is amazing.”

Ed added: “We run Specops Password Auditor every now and then just to get that snapshot view. With several thousand users, it’s unsurprising you find issues. But it’s always amazing to see a few people with the exact same passwords. We’ve caught some poor password practices, even from privileged users.”


What about NHS service desk security?

The recent ransomware attacks on Marks and Spencer and other UK retailers have left organizations on high alert, with the NHS being no exception. Attackers can now clone voices with AI and use them in vishing calls, targeting service desk agents with convincing social engineering to get credentials or MFA reset. It’s something John has been thinking about: “Yes, social engineering is a big threat. Attackers are targeting the human side of things, so we’re taking it very seriously at the NHS. Protecting the human layer is just as important as technical controls.”

As Nasser explained, it’s a threat that’s also on his team’s mind: “It’s hard to crack someone’s passwords these days with MFA. But social desk engineering can be effective, for example where attackers call up for a password reset or MFA token reset with a deepfaked voice. Understandably we often talk about the threat of ransomware, given past attacks on the NHS. But it’s easy to forget phishing and social engineering can follow our staff home, too.”


What role can self-service password reset tools play within the NHS?

Darren recalled Specops working with NHS organizations in the past and hearing stories about doctors having to drive for hours in the middle of the night to reset passwords and get access to key systems. John explained the benefits they’ve seen from enabling Specops uReset (a self-service password reset tool): “Specops uReset has been a strategy enabler for us. As well as avoiding situations where clinicians have to travel or call helpdesks to reset passwords, the First Day Password feature means we don’t have to make people come into the office to pick up a device. Users can log in first time without us having to risk sending them a password.”


Reduce your organization’s risk today

Whether you need support rolling out a new password policy, rooting out breached passwords, bolstering service desk security, or reducing the burden of password resets and lock outs – Specops is here to help. We’ll be happy to explain how Specops products could fit in with your unique environment: get in touch today to arrange a trial.

(Last updated on July 10, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
