Staff Notice — October 2024 | Ratebay Care Technologies

Internal Staff Notice

From: Mark Tennant, Head of IT (m.tennant@ratebay.co.uk)
To: All Staff
Date: 8 October 2024
Subject: IT Security Updates — MFA Rollout Progress & Helpdesk Account Changes
Classification: Internal — Not for external distribution

        REF: IT-NOTICE-2024-031

        Via: Staff Notices (SharePoint)

All,

A quick update on two IT security matters that affect all staff. Please read carefully — there are actions required from some of you.

1. Multi-Factor Authentication Rollout — Final Phase

As part of our ongoing Cyber Essentials Plus compliance and the Azure migration programme, we have been rolling out multi-factor authentication (MFA) across all staff accounts over the past three months. I'm pleased to say that 94% of staff accounts now have MFA enabled.

The remaining accounts that have not yet been migrated fall into two categories:

Legacy service accounts — a small number of automated process accounts used by our HL7 integration layer and the legacy clinical system cannot currently support MFA. These are being addressed as part of Phase 2 of the Azure migration (target: Q1 2025). In the meantime, these accounts have enhanced password policies and restricted network access applied.
Three named administrative accounts — the accounts svc_veeam, svc_aadconnect, and admin-legacy cannot currently support MFA due to how they are configured for automated backup and directory sync tasks. These accounts have been flagged on the risk register (Risk ID: RCT-RISK-2024-047) and will be addressed before our next ISO 27001 surveillance audit in Q1 2025.

If you have not yet set up MFA on your account and you are not in one of the categories above, please do so immediately by visiting support.ratebay.co.uk and selecting "Set up multi-factor authentication." If you need help, contact the helpdesk.

2. Helpdesk Shared Account — Important Change

You may be aware that our IT helpdesk has historically used a shared account (helpdesk_admin) for certain administrative tasks. Following a recent internal review, we identified that this account has accumulated significantly more permissions than are necessary for day-to-day helpdesk operations — including some permissions inherited from legacy group memberships that were never cleaned up.

We will be resetting and restricting the helpdesk_admin account during the week of 21 October. The account password will be changed and permissions will be reduced to helpdesk-appropriate levels only. If you currently use this account for anything other than standard helpdesk tasks, please contact me before 18 October so we can ensure continuity.

Action required if you use helpdesk_admin: Contact m.tennant@ratebay.co.uk before 18 October 2024.

3. Reminder — ClearConnect Out-of-Hours Support

A reminder that out-of-hours IT support is handled by our partner ClearConnect Systems. ClearConnect engineers have remote access to our infrastructure via our VPN and can respond to critical incidents overnight and at weekends. To escalate an out-of-hours issue to ClearConnect, log a ticket via support.ratebay.co.uk and mark it as "Critical." The ticket will automatically route to the ClearConnect on-call team.

Please do not attempt to contact ClearConnect engineers directly — all escalations must go through the helpdesk portal so that incidents are properly logged.

Any questions, please drop me an email or catch me on Teams.

Thanks,
Mark Tennant
Head of IT & Infrastructure
m.tennant@ratebay.co.uk | Ext. 2101

This notice was distributed internally on 8 October 2024. It is intended for Ratebay Care Technologies staff only. If you have received this in error, please contact m.tennant@ratebay.co.uk. Do not forward or republish.