Country: United Kingdom
Goal: Strengthening passwords, reducing burden on service desk, ensuring secure authentication and meeting compliance requirements
Result: Password vulnerability detection, breached password protection, enforced password policy and SSPR solution
Solution: Specops Password Policy, Breached Password Protection, Password Auditor, Secure Service Desk
NHS Digital, within its Keep I.T. Confidential campaign, outlines the key cyber security threats to the NHS and patient data, including weak passwords, phishing, tailgating, unlocked screens and social engineering. The campaign's goal is to mitigate risk by raising user awareness of these issues; in some of these key areas, however, NHS trusts are also putting technical controls in place to reduce these risks further and to enforce policy where it is essential.
Specops Software has proudly been working with the NHS since 2006, delivering password security and authentication solutions that protect NHS and patient data, reduce the burden on service desks and help trusts meet regulatory requirements.
Strengthening NHS Passwords
Strong passwords are high on the agenda within the NHS. Over 80% of breaches involve brute force or lost and stolen credentials, and the average person is known to reuse a password as many as 14 times. It is therefore imperative for the protection of NHS and patient data that users are not using weak, reused or leaked passwords.
Specops Password Policy with Breached Password Protection is being widely adopted by NHS trusts to address this issue and to meet the requirements for Cyber Essentials Plus certification. It simplifies the management of fine-grained password policies, including password complexity, custom dictionaries and passphrase settings, and provides a Breached Password Protection service that checks user passwords against a regularly updated list of over 2.5 billion leaked passwords.
“Specops Password Policy is easy to get up and running and works as promised… We were supported throughout the proof of concept process and I would gladly recommend the solution to anyone wanting to improve their password security.”
Andre de Araujo, Head of ICT – NHS Foundation Trust
Learn more about how this NHS Trust removed weak passwords for Cyber Essentials.
In addition to Cyber Essentials and Cyber Essentials Plus, Specops Password Policy meets the password requirements of the self-certified NHS Data Security & Protection Toolkit (DSPT), enabling enforcement of password policy criteria relating to:
- Preventing creation of obvious passwords (such as those based on easily discoverable information) via custom dictionaries
- Prevention of common passwords and breached passwords via technical controls
- Prevention and identification of password reuse
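As an added illustration of the three DSPT criteria listed above (this is example code, not Specops's own implementation), the following Python check screens a proposed password against a custom dictionary of easily discoverable terms, a hashed list of breached passwords and the user's own hashed password history. The dictionary entries, breached entries and the character-substitution map are constructed sample data.

```python
import hashlib

# Constructed sample data: a trust's custom dictionary of easily
# discoverable terms, and SHA-1 digests of a few known breached passwords.
CUSTOM_DICTIONARY = {"nhs", "trust", "hospital", "ward"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password1", "Summer2020!", "Welcome123")
}

# Common substitutions users apply to sneak dictionary words past a naive
# check (P@ssw0rd); undone before the dictionary comparison. Constructed.
LEET = str.maketrans("@$01347!", "asoleati")


def normalise(password: str) -> str:
    """Lower-case the password and reverse common leet substitutions."""
    return password.lower().translate(LEET)


def sha1_hex(password: str) -> str:
    """Digest used for both the breached list and the per-user history."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_password(password: str, history: list[str], min_length: int = 12) -> list[str]:
    """Return the list of policy failures; an empty list means the password is accepted.

    history holds SHA-1 digests of the user's previous passwords (reuse check).
    """
    failures: list[str] = []
    if len(password) < min_length:
        failures.append("too short")

    # Criterion 1: obvious passwords built on easily discoverable information.
    norm = normalise(password)
    for word in sorted(CUSTOM_DICTIONARY):
        if word in norm:
            failures.append(f"contains dictionary word '{word}'")

    # Criterion 2: common and breached passwords (exact match on the digest).
    digest = sha1_hex(password)
    if digest in BREACHED_SHA1:
        failures.append("found in breached password list")

    # Criterion 3: reuse of a previous password for this account.
    if digest in history:
        failures.append("reused from password history")
    return failures
```

In a real deployment the breached digests would come from a maintained list rather than a hard-coded set, and the history would be stored per account.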
Remote Working and Reducing Service Desk Burden
As the UK’s largest employer, with a complex IT infrastructure, the NHS faced a major task in enabling employees to transition to remote working while they still required access to critical clinical data and services, and whilst working to ensure minimal disruption to day-to-day operations.
Remote work weighs heavily on IT support and service desks, with expired passwords and account lockouts identified as the most burdensome and risk-prone problems to tackle. Each of these calls carries a cost, but that cost can be reduced by enabling self-service password reset (SSPR) within NHS trusts.
Specops Software’s self-service password reset solution, Specops uReset, enables trusts to handle everything from password changes to account lockouts while giving users clear password policy feedback, including when a password change fails because the chosen password has been breached. It provides secure self-service password resets with a range of multi-factor authentication (MFA) options and automatically updates locally cached credentials.
To create additional value for IT administrators by further reducing account lockouts caused by password expiry, Specops Password Notification is used, configured through a graphical user interface, to send custom email notifications reminding users of pending password expiries, without the need for scripts.
Social Engineering and the Service Desk
Social engineering continues to increase as a successful tactic against overwhelmed service desks. It is a technique attackers use to harvest information, or to trick users into divulging personal or confidential information such as patient data, health care records or details of IT systems.
The attacker then makes a password reset request, using the harvested information to pass identity checks and obtain a new password of their choosing, giving easy access to the network without any need to crack a password.
Specops Secure Service Desk was designed to prevent this attack method and reduce exposure to social engineering, enabling trusts to enforce secure user verification with multi-factor authentication methods and to strengthen the wider IT security infrastructure.
Cyber security next steps for NHS Trusts
Our recommendation for NHS trusts looking to improve their cyber security posture is to ensure you have confidence in your first line of defence, namely your users and their passwords.
Start with a situational analysis and complete a password audit to highlight password-related vulnerabilities; Specops Password Auditor was developed to identify multiple vulnerabilities and export them in report format, all in a matter of minutes.