Using Robotic Process Automation to improve password security

As the NHS increasingly relies on digital systems and technology to deliver services to patients, weak passwords present a cyber risk which can compromise data and system security and potentially disrupt patient care. However, the manual monthly task of compiling lists of users with weak passwords, across five domains, and then contacting those users individually was proving time and resource intensive for Arden & GEM’s IT service.

Using Robotic Process Automation (RPA) to identify weak passwords and prompting users to update these, based on an agreed set of rules, has resulted in a quicker, more efficient and more accurate process which provides greater transparency and reassurance.

The challenge

The NHS’s increasing reliance on digital systems and technology to deliver services to patients means that organisations are being faced with more complex risks from sophisticated hacking and cyber warfare. One of these risks comes from the use of weak passwords, which can be easily cracked, compromising data and system security and potentially disrupting patient care.

While Arden & GEM’s IT service regularly advised and encouraged its 50,000 users to set strong passwords, Microsoft Active Directory has no straightforward way to enforce non-guessable passwords, with limitations on the long password (12+ characters) and complex password functionality.

To understand the extent to which weak passwords were in use across supported domains, the IT service was manually compiling, monitoring and maintaining monthly lists of users with weak passwords. This task in itself was time consuming but when combined with the responsibility for then contacting and chasing individual users to change their passwords, this had become a regular duty for up to five staff members.

Our approach

Utilising a growing internal expertise in Robotic Process Automation (RPA), the IT service designed and implemented an automated process to identify weak user passwords.

Identifying users with weak passwords
The process begins with extracting user information, including password hashes, from five Active Directory domains. These hashes are then compared with 12.8 million known weak password hashes, supplied by NHS Digital. A single list of users with weak passwords is then generated, which also stores any additional useful information, for example, users who have been contacted before about weak passwords.

Automating the communication process
Users are then grouped by their particular password or account issue so they can receive automated email communications which direct them to update their password in line with the strict rule-based criteria set by the Cyber Security team. The process runs every 24 hours so that users can be sent further appropriate prompts, with non-compliance being escalated to the Cyber Security team after an agreed time period.
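
The two steps above can be sketched as a daily triage run. This is an added example, not Arden & GEM's RPA workflow: the record fields, group names and the 14-day escalation threshold are assumptions, and the hash strings are constructed placeholders.

```python
from datetime import date

ESCALATE_AFTER_DAYS = 14  # assumed value; the page says only "an agreed time period"

def normalise(h):
    # Hash exports differ in case and stray whitespace; compare one canonical form.
    return h.strip().lower()

def triage(accounts, weak_hashes, first_contacted, today):
    """Group accounts with a known-weak hash by the follow-up they need.

    first_contacted maps account name -> date of first notice and is updated
    in place. Only account names are returned, never hashes, so the working
    list is less sensitive than the directory extract.
    """
    weak = {normalise(h) for h in weak_hashes}
    groups = {"first_notice": [], "reminder": [], "escalate": [], "inactive": []}
    flagged = set()
    for acc in accounts:
        if normalise(acc["hash"]) not in weak:
            continue
        name = f'{acc["domain"]}\\{acc["user"]}'
        flagged.add(name)
        if not acc["enabled"]:
            groups["inactive"].append(name)   # disabled/dormant: no email sent
        elif name not in first_contacted:
            groups["first_notice"].append(name)
            first_contacted[name] = today
        elif (today - first_contacted[name]).days >= ESCALATE_AFTER_DAYS:
            groups["escalate"].append(name)   # hand to the security team
        else:
            groups["reminder"].append(name)
    # Accounts that no longer match have changed password: clear their history.
    for name in set(first_contacted) - flagged:
        del first_contacted[name]
    return groups

# Constructed sample data: the 32-hex-digit strings are placeholders, not real hashes.
WEAK = ["a1" * 16, "b2" * 16]
ACCOUNTS = [
    {"domain": "DOM1", "user": "alice", "hash": "A1" * 16, "enabled": True},
    {"domain": "DOM2", "user": "bob", "hash": "b2" * 16, "enabled": True},
    {"domain": "DOM3", "user": "carol", "hash": "c3" * 16, "enabled": True},
    {"domain": "DOM4", "user": "svc_old", "hash": "a1" * 16, "enabled": False},
]

if __name__ == "__main__":
    history = {"DOM2\\bob": date(2024, 1, 1), "DOM3\\carol": date(2024, 1, 10)}
    print(triage(ACCOUNTS, WEAK, history, date(2024, 1, 20)))
```

Because the extract contains password hashes for every account, it should be held only for the duration of the run; the grouped output is what the notification step needs.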

"Knowing that there is an automated weak passwords notification process in place gives us the reassurance we need to focus time previously spent on managing the manual process on more value added tasks."

Tej Gudka, Head of Cyber Security at NHS Arden & GEM CSU

The outcomes

What next?

This initiative has also identified 400 disabled or dormant accounts with weak passwords that could automatically have their passwords reset to a strong password by the process. This automation is now in development to enable a regular and systematic ‘clean-up’ of inactive accounts.

"As an NHS organisation providing a wide range of services for patients and employing over 4,000 staff, keeping our systems and data secure is critical to the safe and effective operation of the Trust.

Knowing that password strength is being measured and managed effectively by the Arden & GEM IT service, as part of a holistic approach to cyber security, gives us assurance that weak passwords are minimised and accounts are protected. Using robotic process automation to achieve a challenging target of less than 1% weak passwords on the estate has also enabled the support team to focus on more value added pieces of work that constitute the ongoing cyber security challenge."

Alvaro Pancisi, Head of Informatics at Derbyshire Community Health Services NHS Foundation Trust