This site is intended for health professionals only

Deadline for enabling multi-factor authentication on NHSmail delayed

by Julie Griffiths
22 May 2023

Share this article

The deadline for implementing multi-factor authentication (MFA) for NHSmail has been delayed by almost a year, said NHS England.

NHSmail users had been set a deadline of 30 June for implementing MFA.

But NHS England said in an email to NHS digital leaders on 9 May that this would be pushed back because some organisations said they needed longer to prepare.

Now organisations will be supported to make the changes ‘as soon as possible over the next 11 months’.

Most organisations are expected to have fully implemented MFA by the end of March 2024, said NHS England.

But as MFA is so important in strengthening the NHS’ collective cyber security, it should be implemented as quickly as possible, it added.

According to Microsoft, MFA can block over 99.9% of account compromise attacks and decreases the likelihood of a successful cyber-attack.

NHS England has published a policy on MFA implementation. It includes the default enablement of MFA when new NHS mail user accounts are created from 3 July. However, local administrators will have the ability to disable this.

The policy also says that practices will be able to add trusted sites to the organisation to make for a better user experience without compromising on safety. This will mean staff are not prompted when logging into their account but are still protected by MFA.

NHS England said it is working on enhanced reporting to give practice managers a better view of multi-factor authentication activity in their practices.

To support practice managers in making the necessary changes, there is help available in the form of guidance and an MFA Adoption Toolkit.

The implementation of MFA is the latest in a number of measures to improve online security.

In January, NHS Digital published cybersecurity resources to help support GP practices mitigate risk and protect patients and their data.

And as human error remains a leading cause of data breaches, Management in Practice published a guide on how to keep your practice safe.