24 Mar 2025

New report on cyber security

 The Department of Health and Social Care has published research looking at the state of cyber-security in the Adult Social Care sector. You can find the full report here: 

The state of cyber security in adult social care - GOV.UK

 

Key Insights from the Report

The report reveals critical findings that could impact your organisation. As the sector moves toward full digitisation, understanding and addressing cyber risks has never been more important.

The Current Landscape

  • 79% of care providers use some established approaches to identify cyber threats, with risk assessments, testing of staff awareness and audits the most common.
  • Only 33% reported experiencing a cyber incident in the last 3 years (but there is a concern this is under-reported)
  • £9,528 is the average cost for providers who experienced incidents over the last three years
  • Phishing attacks are the most common threat (75% of incidents)
  • 77% of care providers agreed their frontline staff have the digital skills they need to use digital systems securely. However, there were concerns about varying levels of digital literacy, high staff turnover and a perception that digital security was not part of a care worker's role.

Common Vulnerabilities & Risks

The report highlights several concerning practices in the sector:

  • 39% frequently share organisational devices
  • 33% regularly use personal devices for work
  • 30% commonly share email addresses

These behaviours significantly increase your vulnerability to attacks.

There were also concerns around changing threats, human error and lack of resources. Some organisations relied heavily on policies but did not have expert advice or a full grasp of the risks the policies were designed to mitigate.

The report notes that care providers rely heavily on their technology suppliers to enable good cyber-security and do not always have the resources to monitor the cyber-security of their technology suppliers as part of ongoing contract management.

A number of suggestions were put forward for Government action to improve cyber security going forward, including:

  • ensuring all care providers are aware of the range of support options available to them (for example, from the Better Security, Better Care programme)
  • education and awareness raising across all staff
  • supporting care providers financially
  • strengthening requirements and assurances for care providers and technology suppliers to promote safer cyber practices
  • central co-ordination of cyber resilience testing and incident response
  • the role of technology suppliers in supporting and upskilling their customers

Best Practices

Care providers with strong cyber security typically had:

  • Formal policies specifically addressing cyber security
  • 11-15 technical rules and controls in place (see Figure 1 below)
  • Specific cyber security insurance
  • Regular data backups
  • Complete cyber incident response plans
  • Nationally recognised certifications (like Cyber Essentials)
  • Access to expertise from the Better Security, Better Care programme

Figure 1: Types of rule or controls in place at care providers


 

Taking Action: What You Can Do Now

  1. Assess your current position: Review your policies, procedures and staff awareness
  2. Implement basic controls: for example, strong passwords, restricted access, up-to-date malware protection
  3. Develop response plans: Create robust business continuity and incident response plans
  4. Train your staff: Regular training on cyber threats and secure practices
  5. Secure your data: Implement daily backups and verify they're usable
  6. Consider insurance: Evaluate cyber security insurance options

Support Available

The Better Security, Better Care programme offers valuable support and expertise. Care providers who access this resource consistently demonstrate better cyber security practices and awareness. You can find out more from the Digital Care Hub:

Data Security and Protection Toolkit | Digital Care Hub

Remember: As the sector moves toward complete digitisation, robust cyber security isn't just recommended—it's essential for protecting your organisation, staff, and those in your care.
