The NCSC first published guidance in January this year urging Government organisations to bolster their cyber security resilience; this included ‘improving access controls and enabling multi-factor authentication (MFA).’ This guidance was reinforced at the end of April, when a joint advisory from the NCSC and international partners detailed the 15 most commonly exploited vulnerabilities in 2021. The Cybersecurity & Infrastructure Security Agency published these mitigations:
Identity and Access Management
- Enforce multifactor authentication (MFA) for all users, without exception.
- Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords.
- Regularly review, validate, or remove privileged accounts (annually at a minimum).
- Configure access control under the concept of least privilege principle.
- Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).
The need to undertake Supplier engagement with NHSE when there is a change in NHS policy/guidance to NHS Trusts has been flagged by the NCSC.
At least one BIVDA member’s Service Department is having problems with these new security controls, which are affecting its ability to provide remote servicing and leading to issues regarding confidentiality for staff. BIVDA understands that this is also affecting the imaging sector and will be liaising with Axrem, but it would be helpful to know whether this is a widespread issue so that it can be escalated to the relevant people at DHSC/NHSE.
Please let Doris-Ann know if this is an issue for your organisation.