As the NHS increasingly relies on digital systems and technology to deliver services to patients, weak passwords present a cyber risk which can compromise data and system security and potentially disrupt patient care. However, the manual monthly task of compiling lists of users with weak passwords, across five domains, and then contacting those users individually was proving time and resource intensive for Arden & GEM’s IT service.
Using Robotic Process Automation (RPA) to identify weak passwords and prompting users to update these, based on an agreed set of rules, has resulted in a quicker, more efficient and more accurate process which provides greater transparency and reassurance.
The challenge
The NHS’s increasing reliance on digital systems and technology to deliver services to patients means that organisations are being faced with more complex risks from sophisticated hacking and cyber warfare. One of these risks comes from the use of weak passwords, which can be easily cracked, compromising data and system security and potentially disrupting patient care.
While Arden & GEM’s IT service regularly advised and encouraged its 50,000 users to set strong passwords, Microsoft Active Directory has no straightforward way to enforce non-guessable passwords: its built-in controls are limited to minimum length (12+ characters) and character-complexity rules, neither of which stops a user choosing a password that is already widely known.
To understand the extent to which weak passwords were in use across supported domains, the IT service was manually compiling, monitoring and maintaining monthly lists of users with weak passwords. This task in itself was time consuming but when combined with the responsibility for then contacting and chasing individual users to change their passwords, this had become a regular duty for up to five staff members.
Our approach
Utilising a growing internal expertise in Robotic Process Automation (RPA), the IT service designed and implemented an automated process to identify weak user passwords.
Identifying users with weak passwords
The process begins with extracting user information, including password hashes (not plaintext passwords), from five Active Directory domains. These hashes are then compared with 12.8 million known weak password hashes supplied by NHS Digital. A single list of users with weak passwords is then generated, which also stores any additional useful information, for example, whether a user has been contacted before about a weak password.
Automating the communication process
Users are then grouped by their particular password or account issue so they can receive automated email communications which direct them to update their password in line with the strict rule-based criteria set by the Cyber Security team. The process runs every 24 hours so that users can be sent further appropriate prompts, with non-compliance being escalated to the Cyber Security team after an agreed time period.
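The matching, grouping and escalation logic described above, as an added illustration in Python (not Arden & GEM's own RPA code). It assumes the domain export and the NHS Digital weak-hash list have already been loaded into memory; the hash values, user names and domain names are constructed placeholders, and the 14-day escalation window is an assumed parameter.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data: placeholder hex strings standing in for the
# password hashes exported from AD and the known-weak list. None of these
# is a real hash of any password.
WEAK_HASHES = {"aaaa0001", "aaaa0002", "aaaa0003"}

@dataclass
class AdUser:
    sam: str                 # account name
    domain: str              # one of the five supported domains
    nt_hash: str             # hash from the domain export
    enabled: bool            # False for disabled / dormant accounts
    first_notified: Optional[date] = None   # from the process's history store

USERS = [
    AdUser("jsmith", "domain-a", "aaaa0001", True),
    AdUser("rjones", "domain-b", "aaaa0002", True, date(2024, 1, 1)),
    AdUser("svc-old", "domain-c", "aaaa0003", False),
    AdUser("agreen", "domain-a", "bbbb9999", True),   # not on the weak list
]

def triage(users, weak_hashes, today, escalate_after=timedelta(days=14)):
    """Match each user's hash against the weak list and group by issue."""
    groups = {"weak_active": [], "weak_escalated": [], "weak_disabled": []}
    for u in users:
        if u.nt_hash.lower() not in weak_hashes:
            continue                      # strong or unknown: nothing to do
        if not u.enabled:
            groups["weak_disabled"].append(u)   # candidate for forced reset
        elif u.first_notified and today - u.first_notified >= escalate_after:
            groups["weak_escalated"].append(u)  # still weak after the window
        else:
            groups["weak_active"].append(u)     # first notice or reminder
    return groups

def daily_run(users, weak_hashes, today, escalate_after=timedelta(days=14)):
    """One 24-hour cycle: email new/reminder cases, escalate overdue ones."""
    groups = triage(users, weak_hashes, today, escalate_after)
    actions = []
    for u in groups["weak_active"]:
        if u.first_notified is None:
            u.first_notified = today      # record the first contact date
        actions.append(("email", u.domain, u.sam))
    for u in groups["weak_escalated"]:
        actions.append(("escalate_to_cyber_security", u.domain, u.sam))
    for u in groups["weak_disabled"]:
        actions.append(("queue_for_reset", u.domain, u.sam))
    return actions
```

Because the matching is done entirely on hashes, the job never needs to hold or compare plaintext passwords, and the returned action list is the audit record for that day's run.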
"Knowing that there is an automated weak passwords notification process in place gives us the reassurance we need to focus time previously spent on managing the manual process on more value added tasks."
Tej Gudka, Head of Cyber Security at NHS Arden & GEM CSU
The outcomes
- Implementing the RPA approach for weak passwords across 50,000 users and five domains has resulted in a significant reduction in the number of weak passwords which will in turn increase system security.
- Replacing the manual monthly process with a daily automated process has improved both speed and efficiency, with near real-time results now available. This has freed up the resource previously dedicated to manual identification and tracking to focus on more innovative and value-adding work.
- 77% of users receiving the automated email communications have changed their weak passwords, significantly reducing the number of people requiring a personal follow up.
- The process is fully transparent and auditable which has enabled us to give greater detail and reassurance on Active Directory security to both clients and external auditors.
- The process also enables IT support teams to set the parameters and timescales for an incremental rollout of the automated communication process, to avoid any additional pressure being placed upon the service desk.
What next?
This initiative has also identified 400 disabled or dormant accounts with weak passwords that could automatically have their passwords reset to a strong password by the process. This automation is now in development to enable a regular and systematic ‘clean-up’ of inactive accounts.
"As an NHS organisation providing a wide range of services for patients and employing over 4,000 staff, keeping our systems and data secure is critical to the safe and effective operation of the Trust.
Knowing that password strength is being measured and managed effectively by the Arden & GEM IT service, as part of a holistic approach to cyber security, gives us assurance that weak passwords are minimised and accounts are protected. Using robotic process automation to achieve a challenging target of less than 1% weak passwords on the estate has also enabled the support team to focus on more value added pieces of work that constitute the ongoing cyber security challenge."
Alvaro Pancisi, Head of Informatics at Derbyshire Community Health Services NHS Foundation Trust