
The Future of NHS Cybersecurity: Key Takeaways from the 3rd NHS Cybersecurity Conference

By Josh Neame, Chief Technology Officer at BlueFort Security

It seems like we’re moving through 2025 at a rapid pace. On 5th March, I attended the 3rd NHS Cyber Security Conference: Future-proofing the NHS to meet with leaders across the NHS, private sector and government, as the industry comes together to discuss cyber resilience strategies for one of the UK’s most critical sectors.

With the end of the first quarter of 2025 on the horizon, the event comes at a decisive time for cybersecurity in the UK’s healthcare sector. For me and many of the NHS leaders I speak with regularly, two things are front of mind this year: lessons learned from the Synnovis breach and the impending Cyber Assessment Framework (CAF) deadline.

Synnovis: Lessons Learned

The first thing front-of-mind this year is the ransomware attack on pathology services provider Synnovis in June 2024, which caused significant disruption to frontline care across South East London, and ultimately resulted in Qilin, a ransomware gang, leaking nearly 400GB of stolen healthcare data on the dark web. The incident brought into sharp focus the ongoing cybersecurity challenges facing the NHS, particularly as it looks to combat the increasing threat of supply-chain attacks, third-party vulnerabilities and the significant impact these can have on patient care.

I wrote an article for the BlueFort Security blog in December offering four actionable approaches NHS trusts can take to mitigate the risks highlighted by the Synnovis breach. Since then, I have had many conversations with NHS trust leaders who have been looking carefully at how this breach happened, and the controls they need to put in place to mitigate the associated risks moving forward.

Cyber Assessment Framework (CAF)

The second is the Cyber Assessment Framework (CAF), developed by the National Cyber Security Centre (NCSC) to help organisations both achieve and demonstrate cyber resilience. NHS trusts and many other organisations in the UK healthcare industry are now subject to CAF requirements, which apply to organisations covered by the Network and Information (NIS) Regulations, those within the UK’s critical national infrastructure (CNI), and those managing cyber risks related to essential services and public safety.

CAF compliance for NHS trusts is now part of the Data Security and Protection Toolkit (DSPT), which was aligned with CAF in the most recent update in August 2024. NHS Digital’s goals for the CAF-aligned DSPT are to enhance risk management, foster a culture of continuous improvement, and improve threat management. NHS Digital points out that there will be a greater reliance on evidence and input from cybersecurity and information governance teams, and trusts will be factoring this into their planning to ensure their CAF-aligned DSPT assessment is completed ahead of the 30th June 2025 deadline.

Identity: The Common Thread Between Synnovis and CAF

In my mind, the common thread that connects the lessons learned from the Synnovis breach with CAF compliance is identity. The Synnovis breach shone a light on the challenges NHS trusts have around securing identities, which is one of the most significant challenges facing trust security and IT leaders. Attackers continue to rely on valid credentials to gain initial access to systems, as highlighted in the Verizon 2024 Data Breach Investigations Report, which found that stolen identity and privileged access credentials account for 61% of all data breaches. Gaining full visibility across human identities, machine identities and service accounts, both on premises and in the cloud, and then applying effective authentication controls to protect user credentials is a mountain every single NHS trust is climbing. In an industry plagued by legacy identities and ageing IT environments, this task is no mean feat.

The focus on CAF compliance also puts identity front and centre. At its core, the CAF-aligned DSPT is an outcomes-based framework that focuses on best practice and gives organisations the flexibility to achieve the required outcomes in the way that best suits their unique circumstances. However, several of the key national directive policy requirements are prescriptive, including the multi-factor authentication (MFA) and identity and access management (IAM) policy.

Navigating MFA and IAM Requirements Outlined in CAF

I spoke at the NHS Cyber Security Conference about how the NHS is navigating the complexities of MFA and IAM requirements outlined in CAF with reference to a recent practical scenario. I was joined by King’s College Hospital NHS Foundation Trust IT Manager, Joe Harper, and Peter Batchelor from unified identity security specialist Silverfort, to discuss our work on a project to extend MFA and IAM to legacy systems and non-human identities for CAF compliance.

King’s College Hospital is a large London-based NHS trust with an advanced security-conscious IT team, which had been running a long-term project around Active Directory (AD) hygiene – identifying and closing gaps in one of the areas most targeted by external threat actors. With CAF coming down the line and being mindful of the recent Synnovis breach, the team knew it needed to take steps to put stronger identity processes in place. Joe and the team partnered with BlueFort Security to deploy Silverfort’s advanced MFA protection capabilities and replace its legacy MFA solution.

Deploying Silverfort at King’s College Hospital NHS Trust

The Trust chose Silverfort for the broad range of capabilities it would provide, including closing gaps in its AD hygiene project by identifying exactly what the service accounts were doing, where they were doing it, and when. Achieving this level of visibility and understanding is a critical first step, enabling the right controls to be applied without unintentionally impacting services.
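As an added illustration of the "what, where and when" visibility described above (this is not code from the page, BlueFort or Silverfort), the Python below profiles service-account logons from a small constructed set of Windows Security 4624 events, flags interactive logon types that a non-human account should never use, and lists source hosts outside a documented baseline. The account names, hosts and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security logon events (event ID 4624), not real data.
# Fields: (timestamp, event_id, account, logon_type, source_host, target_host)
SAMPLE_EVENTS = [
    ("2025-01-06T02:00:05", 4624, "svc_backup", 3, "BKP01", "FS01"),
    ("2025-01-06T02:00:09", 4624, "svc_backup", 3, "BKP01", "FS02"),
    ("2025-01-06T09:14:31", 4624, "svc_backup", 10, "WKS-117", "FS01"),
    ("2025-01-06T08:00:00", 4624, "svc_sql", 5, "SQL01", "SQL01"),
    ("2025-01-06T08:30:12", 4624, "j.harper", 2, "WKS-042", "WKS-042"),
]

# Logon types a non-human account has no business using: console, RDP, cached interactive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def profile_service_accounts(events, service_accounts):
    """Summarise what each service account did, where, and when.

    Returns {account: {"logons", "sources", "targets", "first_seen",
    "last_seen", "interactive"}} for the accounts named in service_accounts.
    """
    profiles = defaultdict(lambda: {"logons": 0, "sources": set(), "targets": set(),
                                    "first_seen": None, "last_seen": None,
                                    "interactive": []})
    for ts, event_id, account, logon_type, source, target in events:
        if event_id != 4624 or account not in service_accounts:
            continue
        when = datetime.fromisoformat(ts)
        p = profiles[account]
        p["logons"] += 1
        p["sources"].add(source)
        p["targets"].add(target)
        p["first_seen"] = min(p["first_seen"] or when, when)
        p["last_seen"] = max(p["last_seen"] or when, when)
        if logon_type in INTERACTIVE_LOGON_TYPES:
            p["interactive"].append((ts, source, logon_type))
    # Freeze sets to sorted lists and datetimes back to ISO strings for reporting.
    return {a: {**p, "sources": sorted(p["sources"]), "targets": sorted(p["targets"]),
                "first_seen": p["first_seen"].isoformat(),
                "last_seen": p["last_seen"].isoformat()} for a, p in profiles.items()}


def unexpected_sources(profiles, expected_sources):
    """Return (account, host) pairs where a service account logged on from a host
    outside its documented baseline: the cases to review before a deny or MFA
    policy is applied to the account, so that legitimate services are not broken."""
    return [(a, h) for a, p in profiles.items()
            for h in p["sources"] if h not in expected_sources.get(a, set())]
```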

Securing privileged users is a big focus area in CAF, and historically one that is hard to put protections around. The Silverfort deployment enabled the Trust to extend MFA coverage across its privileged users and to services that were previously not protected, allowing for more granular controls and protection around privileged users for tools such as PowerShell and CLI.

My hope is that our session at the conference will be a useful reference point for those trusts still grappling with these areas of CAF compliance, and will show that it is possible to deploy, configure and optimise a new MFA solution in a relatively short amount of time. With King’s College Hospital we were working to very tight deadlines for the rollout, switching out the legacy MFA tool and bringing thousands of users onto the new system over the Christmas period so that everything was up and running when staff returned in January.

This was made easier by our long-standing partnership with Joe and his cybersecurity team at King’s College Hospital who were very much the driving force behind the success of the project. As Silverfort’s premier partner, BlueFort Security is also ideally positioned to support customers with expert deployment, configuration, and ongoing optimisation, to ensure the technology’s value is maximised and strengthens overall cybersecurity resilience.
