
Providers of adult social care in England are making progress in strengthening their cyber resilience, but there are still shortcomings and a need to do more, according to a new government report on the issue.
The Department for Health and Social Care (DHSC) has published Understanding the state of cyber security in adult social care as a step towards building an evidence base to support further efforts.
It is based on a survey last year of 575 regulated care providers in England, along with qualitative interviews with 15, plus 10 technology suppliers and 16 representatives and leaders of adult social care.
Among the survey findings was that 79% of care providers had used established approaches to identify cyber threats in the previous 12 months, including risk assessments and vulnerability audits. But their leaders had concerns about the ability to identify the threats, which they attributed to a lack of understanding, staff resources, and limited information from technology suppliers.
Only 33% reported experiencing a cyber incident or unsuccessful attack in the past three years – most commonly phishing, which accounted for 75% of those – and over half of incidents did not have any damaging impacts. 89% of incidents resulted in actions being taken, such as updating cyber policies and procedures and new training for staff.
More awareness
Awareness of cyber security issues had improved, with 82% saying they knew where to go for advice. The report attributes this largely to the inclusion of the Data Security and Protection Toolkit (DSPT) in the Care Quality Commission Single Assessment Framework, the Better Security, Better Care (BSBC) programme, and the cyber incident affecting the software supplier Advanced in 2022.
Subsequently, 82% had a formal policy in place to deal with cyber risks, 80% had a business continuity plan that covers cyber security, and 55% had 11-15 technical rules and controls.
This has fed a high level of confidence, but there were also concerns around human error, the changing technology landscape, advances in cyber crime and a lack of resources.
These have come with a recognition of some risky behaviours. For example, around a third of respondents reported issues such as the sharing of organisational devices, staff using their own devices for work and sharing email addresses.
In addition, the qualitative interviews revealed worries that the reliance on policies and procedures was not backed up by practical knowledge and experience, weaknesses in business continuity plans and inadequate implementation of back-up plans.
There were also concerns over the heavy reliance on technology suppliers for their expertise, rather than having it in-house, while the suppliers were concerned that the care providers assumed they were fully responsible for cyber security.
Scope for improvements
A number of suggestions for improving resilience emerged from the research, including that all care providers should be made aware of the support options available – such as the BSBC programme – more education and awareness raising for staff, and financial support for care providers while strengthening the requirements on them.
There were also suggestions in favour of central coordination of cyber resilience and incident response. All the groups generally supported a national reporting function of cyber incidents in adult social care, providing the scope to share learnings, but with the proviso that providers would not be identifiable in any publicly shared information.
Writing in the report’s foreword, Minister for Care Stephen Kinnock says it is imperative to improve cyber resilience to meet the Government’s three big shifts in the health and care system – from analogue to digital, hospitals to communities and sickness to prevention – and that the report provides a robust evidence base on cyber security trends and practices in the sector.
“While this is a positive step in the right direction, the report has highlighted that there is still work to be done in order to realise the strategic aims of the health and care cyber security strategy to 2030,” he says.
“The Government is committed to continuous investment in digital and cyber security for the adult social care system. We will continue to build on the work of the BSBC programme, and work with providers to increase standards and adopt the National Cyber Security Centre’s Cyber Assessment Framework.
“Given the financial challenges facing the sector, heightened cyber security is of the utmost importance to prevent both harm to those receiving care and support, and increased financial costs from cyber incidents.”