3 min read

NHS multi-factor authentication (MFA) policy and email security: What you need to know

Posted by Rick Goud on 31st August 2023

NHS multi-factor authentication (MFA) policy and email security: What you need to know image

NHS organizations are being encouraged to utilize multi-factor authentication controls across their solutions to ensure the protection of sensitive data. A new policy, published in early 2023, requires impacted organizations to make every reasonable effort to comply as soon as practicable. 

The policy sets out to:

“(...) promote and ensure widespread use of multi-factor authentication as a fundamental cyber security control, in order to manage the data security risks associated with user credential compromise.”

Who does the MFA policy apply to?


Currently, the policy applies to: 

  • NHS trusts and foundation trusts
  • Integrated care boards
  • Arm’s length bodies of the Department of Health and Social Care
  • Commissioning support units in NHS England
  • Operators of essential services for the health sector in England as designated under the NIS Regulations 

What does the MFA policy mean?

Multi-factor authentication is a procedure with which we are all familiar. Whether we’re accessing a banking app, logging into a website, or creating an online account, MFA is commonplace.

The NHS’s new policy evidences a commitment to combating data security risks. By applying a second security layer, MFA protects systems against unauthorized access. However, while protecting user accounts is of the utmost importance, the same level of security must also be applied to emails containing sensitive data.

Across integrated care systems, and between staff and patients, email remains the most relied upon method of communication for NHS staff. The recent NHS Lanarkshire data incident, which saw sensitive patient data shared through WhatsApp, evidences the need for robust digital communications; care staff need to be able to communicate quickly and securely, without resorting to instant messaging platforms.

NHS organizations across the country are turning to Zivver to empower staff to email securely and effortlessly. 

In addition to business rules designed to prevent the leading causes of data leaks (human error - think emails mistakenly sent to the wrong recipient, misuse of Bcc/cc etc), Zivver provides MFA. Utilizing a second form of authorization (a code sent via SMS or password, for example), users can ensure only the appropriate individuals can access sensitive emails:

“Zivver’s multi-factor authentication (MFA) functionality in Zivver is particularly helpful. We can apply MFA to authenticate the identity of patients and they can choose the method of authentication they would prefer to use. Patients will often opt for a code sent via SMS. However, for those who don’t have access to a mobile phone, they can choose to receive a password by email. And once we’ve engaged with an individual once, their authentication method is stored for next time; we don’t need to keep setting it for every email.” - Royal Papworth Hospital NHS Foundation Trust

MFA and compliance with GDPR

The methods in which employees handle sensitive data and share it by email is vital in ensuring compliance with data protection legislation. Information must be sent securely.

In fact, regulators are paying greater attention to the use of MFA. While the GDPR does not make MFA mandatory, the legislation does require processors of personal data to take appropriate measures to protect it. 

As MFA is considered best practice when it comes to protecting sensitive data for both organizations and individuals, it is wise that organizations use it to empower employees to protect their accounts and platforms. 

Learn more about how Zivver is empowering NHS trusts, across integrated care systems, to engage with patients securely and effortlessly.  

Future System Digital Programme Lead and Deputy CIO at West Suffolk NHS Trust , Sarah Judge, shares how Zivver is empowering secure, user-friendly digital communications across clinical and community services. Watch now

Rick Goud avatar

Rick Goud

CIO & Founder

Published: 31st August 2023

Subscribe to our newsletter
Share this

Enjoy this article? Share the knowledge

Stay informed with Zivver

Subscribe to get more email security tips straight to your inbox.