How can adult social care providers protect against cyber security attacks?

With the transition to digital data systems in the adult social sector, protecting against cyber security threats has become increasingly important.

Adult social care providers need to ensure that they mitigate attacks and prioritise the protection of the sensitive data which they hold.

Recent Government announcements highlight how this Parliament is looking to reform the adult social care sector and support the workforce. The Government intends to ‘go further on digitisation, join up digital systems across health and care and aim for all care providers to be fully digitised by the end of this Parliament’.

However, the Government’s report published on 24 March 2025 (the Report) suggests that the movement towards digitisation doesn’t come without an increased threat to the sector’s cyber security.

The report includes the main findings from research undertaken by Ipsos and the Institute of Public Care at Oxford Brookes University on behalf of the Department of Health and Social Care.

The fieldwork for the research took place between December 2023 and April 2024 and involved the following:

1. A survey being conducted with 575 regulated care providers in England
2. In-depth interviews with 15 care providers, 10 technology suppliers and 16 adult social care representatives and leaders
3. An online survey being circulated to technology suppliers.

The report highlighted:

• The sector understands the threat to cyber security is serious. Around 79% of care providers confirmed they had used some well-established approaches to identify cyber threats, within the last 12 months. However, 17% admitted they still did not use any measures and 4% did not know if they had or not
• Despite 79% of care providers having measures in place to identify cyber security threats, 33% still reported to being subject to a cyber incident or attempt, within the last three years
• Phishing attacks were reported as the most common risk as 75% of care providers who experienced a cyber-attack, were the victim of phishing. This was followed by 35% of providers who reported attackers impersonating their organisation via their emails or online
• Out of all the providers who reported experiencing an attack, only 53% did not suffer any loss of revenue, reputational damage, impact on their staff or impact on their service users
• For those who did experience attacks, 11% lost access to their files or network, 9% had their accounts compromised or their systems used for illicit purchases and 8% had their software or system corrupted and/or damaged
• The serious financial consequences of cyber-attacks on care providers. One provider reported how they spent £900,080.00 (over a three year period), dealing with a cyber security incident.

How providers can protect themselves and their service users

Ultimately, care providers are accountable for the data which they hold. However, it’s often seen that a lack of in-depth cyber expertise and resource to dedicate to cyber security, means that care providers may rely heavily on their technology suppliers, leading them to believe that their technology suppliers are fully responsible for cyber security and data protection.

Going forward, care providers should look to invest in cyber security measures, to protect their business against a cyber-attack or incident, not only from a financial and reputational position but also to protect and maintain trust with their service users, ensuring that sensitive data remains preserved.

Care providers can protect themselves by:

• Implementing and maintaining data protection policies
• Undertaking regular data audits
• Increasing communication with their technology provider, ensuring that they are informed, helping both the care and technology provide to understand their responsibilities
• Conducting mandatory cyber security and data protection training to staff
• Ensuring data is backed up regularly
• Reporting any security breaches to Care Quality Commission, Information Commissioner’s Office or any local authorities.