NHS maintains strong password security

Strengthening NHS Passwords

The NHS Digital Keep I.T Confidential campaign is designed to raise cybersecurity awareness across the health service through outlining key threats, including weak passwords, phishing, tailgating, unlocked screens, and social engineering. NHS trusts are also putting technical controls in place to alleviate risks further and enforce policy when essential. Since 2006, Specops Software has supported these efforts.

Specops Password Policy & Breached Password Protection have been widely adopted by NHS trusts to enforce stronger password creation. In addition for meeting requirements for Cyber Essentials Plus certification, Specops solutions deliver simplified management of fine-grained password policies, including password complexity, custom dictionaries and passphrase settings, as well as providing a Breached Password Protection service that checks user passwords against a regularly updated list of over 5 billion leaked passwords. As Andre de Araujo, Head of ICT – NHS Foundation Trust states:

Specops Password Policy is easy to get up and running and works as promised… We were supported throughout the proof of concept process and I would gladly recommend the solution to anyone wanting to improve their password security.

In addition to Cyber Essentials and Cyber Essential Plus, Specops Password Policy meets passwords requirements for the self-certified NHS Data Security & Protection Toolkit (DSPT) enabling password policy enforcement criteria relating to:

• Preventing the creation of obvious passwords (such as those based on easily-discoverable information) via custom dictionaries
• Preventing use of common passwords and breached passwords via technical controls
• Preventing and identifying password reuse

Remote working and reducing service desk burden

As the UK’s largest employer with a complex IT infrastructure, the NHS faced a major task in enabling employees to transition to remote working, still requiring access to critical clinical data and services, whilst working to ensure minimal disruption to day-to-day operations.

Remote work is a heavy strain on IT support and service desks, with expired passwords and account lockouts identified as the most burdensome and risk-prone problems to tackle. In addition, each one of these calls is a cost – one that can be alleviated by enabling self-service password resets (SSPR) within NHS trusts.

Specops’ self-service password reset solution, Specops uReset, enables healthcare providers to address password changes for account lockouts. uReset also provides users with clear password policy feedback, including failing the attempted change if the password is breached. It provides secure self-service password resets with a range of multi-factor authentication (MFA) methods and automatic update of locally cached credentials. Specops Password Notification delivers additional value by sending custom email notifications to remind users of pending password expiries, without the need of scripts.

Social engineering and the service desk

Social engineering continues to succeed and is increasingly being favored to use against overwhelmed service desks. Hackers employ this technique to harvest or trick users to divulge personal or confidential information, including credentials or information that allows the hacker to reset passwords and bypass identity checks.

Specops Secure Service Desk is designed to prevent this attack method and reduce social engineering vulnerability, enabling trusts to enforce secure user verification with MFA methods and strengthen the wider IT security infrastructure.

The NHS Trusts Specops has helped

Learn more about how Specops solutions have helped NHS Trusts across the UK:

The Clatterbridge Cancer NHS Foundation Trust enforces stronger passwords without compromising usability.

Mid Cheshire Hospitals NHS Foundation Trust strengthens password security.

Cybersecurity next steps for NHS Trusts

Our recommendation for NHS Trusts when looking to improve their cybersecurity posture, is to ensure you have confidence in your first line of defence – namely your users and their passwords.

Start with a situational analysis and complete a password audit to highlight password related vulnerabilities; Specops Password Auditor identifies multiple vulnerabilities, exportable in report format, in a matter of minutes.