NHSmail MFA: Securing Your Digital Health Records

09/04/2017


In today's increasingly digital world, safeguarding sensitive information is paramount, especially within the healthcare sector. For professionals working with NHSmail, understanding and implementing robust security measures is not just good practice; it's a necessity. One of the most effective tools at your disposal is Multi-Factor Authentication (MFA). This article will delve into what MFA is, why it's crucially important for the NHS, the benefits it offers, and provide a comprehensive guide on how to enable it for your NHSmail account.

How do I enable MFA?

In short: enable MFA using the mobile app, a text message or a phone call (the call is an automated voice call to your registered mobile number, prompting you to press # on the keypad), in addition to using a FIDO2 token or NHS Smartcard. The full steps are set out below.

What is Multi-Factor Authentication (MFA)?

Normally, accessing your NHSmail account involves a simple combination of your email address and password. However, Multi-Factor Authentication (MFA) introduces an extra layer of security, acting as a stringent verification process to confirm that it is indeed you logging in. Beyond your usual credentials, MFA requires you to provide a second, distinct form of authentication. This could be an authentication app on your smartphone, a code sent via text message (SMS), or an automated phone call to your registered number. This additional security check is designed to create a formidable barrier, preventing unauthorised access to your account, even if your password has been compromised.

Why is MFA Crucial for the NHS?

The healthcare industry handles some of the most sensitive personal data imaginable. Electronic health records, patient histories, and treatment plans are all stored digitally, making them attractive targets for cybercriminals. Cyberattacks targeting these systems pose a significant risk to patient privacy. Attackers could gain access to confidential information, potentially leading to severe consequences for patient safety and the continuity of care. Furthermore, malicious actors can deploy ransomware to hold medical records or essential devices hostage, jeopardising access to vital tools and information needed for effective patient management. The statistics paint a stark picture:

Key Statistics on Data Breaches and MFA Effectiveness:

Statistic | Source | Year
Up to 80% of data breaches can be prevented by simple actions like enabling MFA | DBIR | 2020
Over 93% of healthcare organisations experienced a data breach | Herjavec Group | 2017-2020
More than 99.9% of accounts compromised by cyber attacks can be blocked by using MFA | Microsoft | 2022

These figures underscore the critical need for robust security measures like MFA within the NHS to protect patient data and maintain the integrity of healthcare services.

The Multifaceted Benefits of MFA

Implementing MFA for your NHSmail account offers a wide array of advantages that extend beyond basic security:

  • Enhanced Data Protection: MFA ensures that patient data resides in a more secure and protected environment, significantly reducing the risk of unauthorised access.
  • Password Recovery Assistance: Should you ever forget your password, MFA can provide a smoother and more secure pathway to regaining access to your account.
  • Protecting NHS Reputation: By bolstering security, MFA helps maintain public trust and protects the reputation of the NHS as a secure and reliable institution.
  • Increased Resilience Against Cyber Threats: MFA provides a vital shield against the ever-evolving landscape of cyberattacks, offering increased protection against malicious attempts to breach your account.
  • Unusual Access Detection: MFA systems can detect and flag attempts to access your account from unfamiliar locations or devices, alerting you to potential security breaches.

Your Authentication Options for MFA

NHSmail offers three convenient and secure methods for you to authenticate your account via MFA. You can choose the option that best suits your needs and preferences:

  • Authentication App: This is Microsoft's recommended method due to its enhanced security. You'll download the Microsoft Authenticator app to your smartphone. This app allows you to verify your sign-in with a simple tap or by generating a time-sensitive verification code. Even if your phone is lost or stolen, accessing the app requires an additional layer of security, making it harder for unauthorised individuals to gain access.
  • Text Message (SMS): This method involves receiving a six-digit verification code via a text message to your registered mobile phone number. You then enter this code when prompted during the login process.
  • Phone Call: With this option, you'll receive an automated voice call to your registered mobile phone. You'll be instructed to press a specific key on your keypad to confirm your identity.
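The "time-sensitive verification code" an authenticator app generates is a TOTP (RFC 6238), and the six-digit code is only useful to a verifier that checks it correctly. The following is an added example, not NHSmail's or Microsoft's code: it implements TOTP with the Python standard library and a small verifier that tolerates one step of clock drift, compares in constant time and refuses a code that has already been accepted. The secret and timestamps are the published RFC test vectors, not real account data, and the class and function names are this example's own.

```python
"""Added example (not NHSmail's or Microsoft's code): how an authenticator app
produces a time-based verification code (RFC 6238 TOTP) and how a verifier
should check it.  Standard library only; the secret and times below are the
RFC 4226 / RFC 6238 test vectors, not real account data."""
import base64
import hashlib
import hmac
import struct
import time

# RFC test secret: ASCII "12345678901234567890" (constructed, from the RFC).
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # Microsoft Authenticator and most apps use 30-second steps
DIGITS = 6          # six-digit code, as NHSmail describes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits with zero padding."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch.
    This is what the app computes each time it shows a new code."""
    return hotp(secret, unix_time // step, digits)


def provisioning_secret_base32(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what the QR code the app
    scans carries (inside an otpauth:// URI)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side check (hypothetical class name).  Accepts the code for the
    current step or `drift_steps` either side to tolerate clock skew, never
    accepts a step at or before the last accepted one (replay), and compares
    in constant time so timing does not leak which digits matched."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False  # malformed input is rejected before any HMAC work
        current = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # a code for this step was already used: replay
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Shows the code the app would display right now for the test secret.
    print("current code:", totp(TEST_SECRET, int(time.time())))
```

The verifier illustrates two defender-side points the setup guide implies but does not spell out: a code is single-use even though it stays valid for a whole step, and clock drift is tolerated by checking neighbouring steps rather than by widening the step. The app password mentioned later in the guide is a separate, static credential and is not derived from this secret.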

It's important to note that for maximum security, you should enable MFA using one of these methods in addition to using a FIDO2 token or your NHS Smartcard. If you are using a FIDO2 token or NHS Smartcard as your primary MFA method, you may not be prompted for a secondary MFA challenge.

How to Set Up MFA for Your NHSmail Account

Setting up MFA is a straightforward process designed to enhance your account security quickly.

Important Note: As of 5 October 2023, all newly created user accounts will have MFA enabled by default. The following self-enrolment steps are primarily for accounts created prior to this date.

You can initiate the MFA setup process either through self-enrolment or by following the prompts when you next log in to the NHS Portal. After initial setup, you will need to select your preferred authentication method and follow the specific steps provided, or refer to the accompanying videos for visual guidance.

Remember to always register an alternative method of MFA for emergency situations. This could be an alternative mobile phone number or setting up the Microsoft Authenticator app on a second mobile device. This ensures you can always access your account, even if your primary device is unavailable.

If you are using a mobile browser for MFA enrolment, the steps are generally the same as for desktop browsers, with a slight variation for the Microsoft Authenticator app setup.

1.1 Self-Enrolment Steps

To begin the MFA setup process through self-enrolment:

  1. Sign In: Navigate to https://portal.nhs.net/ and sign in with your NHSmail account credentials.
  2. Access Profile: Click on ‘Profile’ in the navigation bar at the top of the screen and select ‘My Profile’ from the drop-down menu.
  3. Navigate to Self-Service: On the ‘My Profile’ page, click on ‘Self-Service’.
  4. Select Self-Enrol: Choose the ‘Self-enrol’ option for MFA.
  5. Confirm Enablement: Click ‘Confirm’ to enable MFA on your account.

Upon successful completion, you will see a confirmation message: ‘success: MFA enabled successfully for [your_nhsmail_account]@nhs.net’. Now that MFA is enabled, you need to set up your chosen authentication method (Mobile app, call, or text message). Follow the relevant steps below to configure your selected method.

1.2 Setting Up the Microsoft Authenticator App

For the most secure authentication experience, follow these steps to set up the Microsoft Authenticator app:

  1. Initial Sign-in: Once MFA is enabled, sign in to your NHSmail account on your PC at https://portal.nhs.net/. Select ‘Click me to enrol for Multi-Factor Authentication’ and then ‘Next’ to begin the MFA setup.
  2. Download App: On your PC, you will see an option to download the Microsoft Authenticator app. If you don't have it, download it from your smartphone's app store. The app is free.
  3. Scan QR Code: On the registration page on your system, you will be presented with a QR code. Open the Microsoft Authenticator app on your mobile phone, tap the ‘+’ or ‘+ Add account’ icon, select ‘Work or school account’, and then ‘Scan QR code’. Point your mobile device's camera at the QR code displayed on your PC screen.
  4. Verify Account: Once scanned, a unique number will appear on your PC screen. On your mobile app, a prompt will appear asking you to enter this number. Enter the number in the app and select ‘Yes’ to approve.
  5. App Password: You will then be prompted to create an app password. This is a password of at least 8 characters that may be required for legacy applications that do not support MFA. Store this password securely.
  6. Confirmation: Upon successful setup, you will receive a confirmation message. Click ‘Done’ to complete the process.

When you next log in to NHSmail, you'll see a two-digit number on the login screen. The Microsoft Authenticator app will then prompt you to approve the login. Type the displayed two-digit number into the app to confirm, and your NHSmail portal will open.
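The two-digit number in that login flow is "number matching": the app will not approve a sign-in unless the person holding the phone can type the number shown on the login screen, so an approval prompt received out of the blue cannot be accepted by mistake. The following is an added example, not NHSmail's or Microsoft's code, that simulates the server side of such a challenge: a random two-digit number per login attempt, a short expiry, and a single attempt per challenge. The names `PushChallenge` and `NumberMatchServer` and the 60-second lifetime are this example's own assumptions.

```python
"""Added example (not NHSmail's or Microsoft's code): a minimal server-side
simulation of a number-matching push approval.  Names and the lifetime are
hypothetical; the property shown is that approval needs the number from the
login screen, is single-use, and expires."""
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of one login prompt


@dataclass
class PushChallenge:
    challenge_id: str
    number: int          # the two-digit number shown on the login screen
    issued_at: float
    resolved: bool = False


class NumberMatchServer:
    def __init__(self):
        self._pending = {}   # challenge_id -> PushChallenge

    def start_login(self, now: float = None) -> PushChallenge:
        """Called when a password has been accepted and a push is sent.
        The number is shown to the browser, not sent to the phone."""
        now = time.time() if now is None else now
        challenge = PushChallenge(
            challenge_id=secrets.token_hex(8),
            number=secrets.randbelow(90) + 10,   # uniform in 10..99
            issued_at=now,
        )
        self._pending[challenge.challenge_id] = challenge
        return challenge

    def approve(self, challenge_id: str, typed_number: int,
                now: float = None) -> bool:
        """Called when the app submits the number the user typed.
        Any answer, right or wrong, consumes the challenge."""
        now = time.time() if now is None else now
        challenge = self._pending.get(challenge_id)
        if challenge is None or challenge.resolved:
            return False          # unknown id, or already used / denied
        challenge.resolved = True
        if now - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            return False          # stale prompt: user must sign in again
        return typed_number == challenge.number
```

A plain "Approve" button, by contrast, would accept the push regardless of what the user knows about the sign-in attempt; the number ties the phone's approval to the specific screen the user is actually looking at.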

Important Consideration: Microsoft Authenticator is not supported on Apple Watch. If you use an Apple Watch, it is recommended to delete the app from your watch and use it on another compatible device.

1.3 Setting Up via Text Message (SMS)

If you prefer to use text messages for verification, follow these steps:

  1. Initiate Setup: Sign in to your NHSmail account at https://portal.nhs.net/. Select ‘I want to set up a different method’ to add an alternative authentication option.
  2. Choose Phone Option: From the list of available MFA methods, select the ‘Phone’ option. (Note: The office phone option is not supported.)
  3. Enter Phone Number: Select your country code and enter the mobile phone number you wish to use for verification. Ensure it's a UK-based number. Select ‘Text me a code’ as your authentication method and click ‘Next’.
  4. Receive and Enter Code: You will receive a six-digit verification code via SMS to your mobile phone. Enter this code into the text box provided on the screen and click ‘Next’.
  5. App Password: Similar to the Authenticator app method, you will be prompted to create an app password (at least 8 characters). Store this securely.
  6. Confirmation: Once the code is validated and the app password is set, you will receive a confirmation message. Click ‘Done’ to complete the setup.

1.3.1 WhatsApp Verification

In some instances, you may receive your verification codes via WhatsApp. These messages will resemble SMS but will feature Microsoft branding and a verified checkmark. This occurs if you have WhatsApp installed and configured on your registered mobile number. An internet connection is required for this. Microsoft will silently attempt to deliver a message via WhatsApp to check if you have it installed. The phone number associated with Microsoft’s WhatsApp Business Agent is +1 (217) 302 1989.

User Information Stored: When MFA codes are sent via WhatsApp, only the phone number associated with your WhatsApp account is stored for delivery purposes. Microsoft does not store chat history or contact details. It's important to be aware that using WhatsApp for this service may involve data collection practices beyond those covered by NHS.net Connect. Always refer to the WhatsApp Privacy Policy for details.

Opting Out of WhatsApp Verification: Microsoft does not offer a direct option to disable WhatsApp as a delivery method. To prevent receiving MFA codes via WhatsApp, you can either uninstall WhatsApp from the device or change your preferred verification method to an alternative, such as the Authenticator App.

1.4 Setting Up via Phone Call

The phone call method follows a similar principle to text message verification. After initiating the setup via the NHS Portal and selecting the ‘Phone’ option, you will be presented with the choice to receive a call. When the automated call comes through, you will be prompted to press a specific key on your keypad to authenticate your login. As with text messages, you will also need to set up an app password.

Frequently Asked Questions about MFA

Q1: What happens if I lose my phone?

A1: This is why registering an alternative MFA method is crucial. If you've set up the Microsoft Authenticator app on another device or have an alternative phone number registered for text messages or calls, you can use that to access your account.

Q2: Do I need to use MFA if I'm already using an NHS Smartcard?

A2: While an NHS Smartcard offers a good level of security, MFA provides an additional, vital layer of protection. It's recommended to use MFA in conjunction with your Smartcard for comprehensive security.

Q3: Can I change my MFA method later?

A3: Yes, you can typically change your preferred MFA method through the NHS Portal’s ‘My Profile’ and ‘Self-Service’ sections.

Q4: Is there a cost associated with using MFA?

A4: No, the Microsoft Authenticator app is free to download and use. Standard mobile network charges may apply for text messages or calls if you are outside the UK.

By understanding and implementing Multi-Factor Authentication, you are taking a significant step towards protecting sensitive patient data and ensuring the security of your NHSmail account. Stay vigilant and keep your digital health records secure.
