Implement Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is a way to make your online accounts much safer by adding extra steps to prove it’s really you trying to log in.

For example, along with the password, you might be asked to enter a code sent to your email, mobile phone or an authenticator app, or answer a secret question, or scan a fingerprint.

Using more than just a username and password makes it much more difficult for criminals to gain access to your accounts. You’ve probably done this when using online banking or logging into social media on a new device.

As a care provider, you should consider introducing MFA to your systems. In order to reach Standards Met on the Data Security and Protection Toolkit for 2024/25 onwards, you need to demonstrate that you have considered MFA and documented any exceptions.

We recommend that you take the following steps:

  1. Assess your current systems
  • Identify all systems that can be accessed from the internet, such as email, digital social care records, and any cloud-based systems.
  • Speak with your software and IT suppliers to understand the MFA options available for these systems.
  2. Identify potential challenges
  • Consider situations where staff might share devices or logins, which could complicate MFA implementation.
  • Assess whether any existing security controls may already provide enough protection without the need for MFA.
  3. Make decisions on security versus usability
  • Determine the appropriate level of security for each system based on the sensitivity of the information it handles, the ease of use for your staff and your organisation’s appetite for risk.
  • Balance the need for strong security with the potential impact on daily operations. Too many layers of security often mean that people find workarounds or reduce their use of that system.
  4. Document and report exceptions
  • If you decide not to implement MFA for certain systems, you should record that decision and the reasons for it. This should be documented at senior manager, director or board level. Ensure there is a clear understanding of the risks involved and the rationale behind the decision.

While MFA is crucial for protecting sensitive data, it’s important not to overcomplicate your security. The goal is to increase security while maintaining a user-friendly environment for your staff.