Understanding the state of cyber security in the adult social care sector and its supply chains

The Department of Health and Social Care (DHSC) commissioned Ipsos and IPC to conduct research with care providers, technology suppliers and adult social care representatives and leaders in England. The project aimed to understand how cyber security is currently managed within the adult social sector, the prevalence and impact of cyber incidents, and how cyber resilience can be strengthened. It also provides a baseline upon which knowledge and understanding can be monitored.

DHSC has now published the findings from the research. Key findings include:

• Awareness of cyber threats is growing, driven by initiatives like the Better Security Better Care program, the Data Security and Protection toolkit, and high-profile cyber incidents. However, the qualitative research highlighted that this awareness is not yet embedded in care providers’ working practices, and good practices are inconsistently applied.
• Phishing attacks are common, while ransomware poses the most significant financial threat. Low digital maturity, the handling of sensitive financial information and personal data by care providers, and their reliance on a limited number of technology suppliers increase the sector's vulnerability.
• Only a third of care providers reported experiencing a cyber incident in the past three years, potentially indicating underreporting due to a lack of awareness and fear of reputational damage.
• Care providers who said in the survey that they experienced at least one cyber incident over the last 3 years incurred an average cost of £9,528 dealing with this or these incidents. This figure masks a wide range of costs.
• While most care providers have established cyber security policies and procedures, concerns remain about their robustness, implementation, and the quality of the cyber security training provided to staff. In particular, the research found that some risky practices are still common, such as organisational devices sharing and staff using their own devices for work. 
• Care providers’ relationships with their technology suppliers tend to rely on trust as care providers do not always have the skill set, expertise, resources or capacity to check or monitor their technology suppliers after the contracting process. 
• Cost and resource constraints are major barriers to improving cyber security.

The findings and recommendations are relevant to a range of organisations working in the sector, including care providers, technology suppliers, commissioners and local authorities, people drawing on care and support and their families, umbrella organisations (e.g. TSA, CASPA, techUK, LGA, ADASS), and regulators. They are also relevant to the Better Security Better Care programme and the Data Security and Protection toolkit.

Technical details: 

The project started with a rapid evidence review. It used a mix of quantitative and qualitative research methods, with fieldwork taking place between December 2023 and April 2024. A survey with 575 regulated care providers in England was conducted, using a combination of online and telephone interviews. In-depth qualitative interviews were conducted with 15 care providers, 10 technology suppliers and 16 adult social care representatives and leaders, via MS Teams. An online survey with technology suppliers was also conducted using an open link, but only achieved 9 responses despite repeated attempts to engage with this target audience through a range of different channels. Economic analysis was conducted about the cost of cyber incidents reported by care providers in the survey. The project was guided by a workshop with sector experts and leaders, and the regular input of a Data End User Group, established by DHSC.