Cyber security in social care: a shared journey

Digitising Social Care 6th Nov 2023

With Cyber Security Awareness Month behind us, Ethan Gray, Cyber Security Policy Manager for the Department of Health & Social Care, reflects on the journey the sector has made so far towards strengthening its cyber security arrangements.

With an increasing focus across Adult Social Care on digitisation, supported through programmes such as Digitising Social Care, we must also keep our eyes on supporting the sector to improve its cyber security resilience.

Care services have a duty to ensure that those receiving care, as well as their friends and families, and those working in care settings, can be confident that their information is kept safe and secure. In pressurised settings, it would be easy to overlook, but maintaining good cyber hygiene helps protect everyone in care and must be a focus as we continue on this digitisation journey.

Health and Care Cyber Strategy

In March 2023, we published the Cyber Strategy for Health and Social Care. This outlines our vision of a cyber secure health and social care sector in 2030 across five different pillars:

Pillar 1: focus on the greatest risks and harms
Pillar 2: defend as one
Pillar 3: people and culture
Pillar 4: build secure for the future
Pillar 5: exemplary response and recovery

These five pillars will support every organisation across Health and Social Care to meet the vision of a cyber resilient future.

Whilst working on this strategy, we made sure that both Health and Social Care were considered across the pillars. As with the Data Security and Protection Toolkit (DSPT), which has been tailored for social care, we need to do the hard work of understanding the sector and co-designing the approach. This must be proportionate to the potential threats and harms the sector faces, which are detailed in pillar one, and is the approach taken to the work outlined below.

Current Picture

Thanks to the great efforts of the Better Security, Better Care programme, we have come a long way from where we started. In April of 2021 when the programme began, compliance with the DSPT sat at just 14% of CQC-registered care providers, and now I’m happy to say that we are sitting at 66%, with over 17,500 providers now compliant with the toolkit. This is a huge achievement, with credit due to the many Local Support Organisations who work on the programme. This hard work was rightly recognised at the National Cyber Awards recently, and the team will continue to raise awareness and compliance, helping to ensure a secure future.

Looking to the Future

Following on from the progress over the last two and a half years, the Better Security, Better Care programme continues to work on improving DSPT compliance across the sector, targeting hard-to-reach parts of the sector to bolster compliance. This includes specific DSPT improvement targets on homecare and on organisations new to the sector.

As outlined in the strategy, by 2025 we will publish a comprehensive and data-led landscape review on the status of cyber security within Adult Social Care. This will provide an outline of what best practice looks like within the sector and how we as a national team can help plug any gaps there may be. This will also look at cyber incidents the sector has experienced in the past year, and how we are continuously learning to improve our response and support.

We know that meeting the DSPT requirement for having staff trained can often prove difficult, but we’re pleased to say that Better Security, Better Care, with the launch of the new Digital Care Hub website, is working to produce a suite of e-learning tools for the sector that will be available later this year. This ensures that cyber knowledge is easily accessible to all those working in social care, and will help care services to satisfy training requirements as part of the DSPT.

While October marked Cyber Security Awareness Month, the importance of protecting information should know no calendar boundaries. It’s crucial that we continue to focus on fostering a strong culture of cyber security across the sector, as it is everyone’s responsibility to ensure the safety and security of those working in and receiving care.