Cyber Security Awareness and social care

October was international Cyber Security Awareness Month, and over the last few weeks I’ve been reflecting on what Care England members are doing to improve knowledge of cyber security within the management and care teams. 

While increasing numbers of you are taking cyber security seriously, there are still some who need convincing. No care provider operates purely on paper-based information. Even if you just use email or mobile phones, rather than full-on digital records, you are still at risk of a cyber attack and information breach.

If you use any digital technology you have to get your cyber security systems in place and, crucially, you need all of your staff to be aware of their personal responsibilities. Time and again, we see that it’s not the IT systems that represent the greatest risk – it’s human behaviour. We know your care workers didn’t join the sector in order to be IT geeks, but using tech and understanding the consequences is simply a core skill when working in the modern world – and social care is no exception. 

Care England participates in Digital Social Care which says on its website: “We can’t expect staff to be able to spot phishing emails or to know how to create strong passwords without cyber awareness training. While a minority of cyber-attacks are caused by malicious staff, the majority are due to basic human error. Many phishing emails, for example, are very convincing. By training our staff we can set them up for success.” 

I really recommend that you check out the useful resources on Digital Social Care, such as the National Cyber Security Centre programme and the guidance on training materials.

Digital Social Care also supports the Better Security, Better Care programme which is designed to help care providers to improve their data and cyber security by using the Data Security and Protection Toolkit (DSPT). As part of the programme, I am involved in supporting large care providers, but in fact, regardless of size, I frequently hear the call “Don’t forget human input in cyber security”. 

Here are just a few stories that the Better Security, Better Care programme has been sharing. 

The stories below refer to large and small providers alike. The first story focuses on Care England member Maria Mallaband Care Group, which has been a leader in cybersecurity. Their Data Protection Officer, Naheem Shan, shared MMCG’s experience of improving data protection across multiple services. “The updated Data Security and Protection Toolkit is really clear and much more relevant to the care sector,” says Naheem. “And the huge benefit is that, as a large care group with almost 30 legal entities and still growing, I can submit one DSPT entry for all our businesses. We use the same policies and procedures across the group – so one DSPT submission works for all. That saves our care home managers – and me – a lot of time.”

Read MMCG’s story on Digital Social

One provider shared their painful experience of a cyber-attack. An internal investigation suggested that the most likely source of the breach was a former staff member who had recently left. The former staff member had changed passwords and administrator permissions but had not disclosed or communicated this prior to their departure. A care manager at the time explains:

“We had actually invested huge amounts into IT and digital solutions and thought we were safe. We had initial conversations with cyber security professionals who said we had ‘pretty good infrastructure’ – but we had essentially left the front door unlocked meaning a rogue individual could just ‘walk in’ and do what they wanted… I cannot express the emotional stress this caused. It felt like we were watching a burglary on CCTV without any power to intervene. Email accounts literally disappeared mid-email. It felt like being in a Hollywood film about it. As soon as we made a fix on one area something else went down or became disrupted.”

They were eventually able to rectify the situation, and one of the basic human procedures they put in place was to ensure passwords were always changed when someone left the organisation. Obvious perhaps – but easy to overlook.

Elsewhere, home care provider Love In Care have put a programme in place to help their first-time care workers to understand their data security responsibilities. Aqlia Choudhry, Managing Director, says:

“Many of our staff have been family carers in the past, and this is their first paid job in the care sector. So everything is new for them – including what is appropriate and inappropriate to share on a professional basis. We have really adapted our training and practice to ensure it is accessible and meaningful to them.” 

And Resolve Care – a residential service for men with learning disabilities or autism – are finding the same thing. Graeme Stark, their Service Development Lead, explains:

“Simple human actions can either undermine or support the most sophisticated of systems. It’s basic things like making all staff aware of their responsibilities such as closing down their laptops or locking an office door if they have paper or digital records open; thinking about how and where you store passwords.” 

More care providers are using the Data Security and Protection Toolkit to check their data and cyber security arrangements – including how they are raising awareness and training their staff.

Again, Graeme shares that:  

“We are already changing what we are doing as a result of carrying out a self-assessment of our data protection arrangements using the DSPT. So, for example, we are updating our induction booklet and our employment contracts to include more on confidentiality and data protection. We’ve run awareness-raising sessions for our staff, and we are supporting them to access training – including refreshing their existing knowledge on issues that change so quickly, like cyber security.” 

Top cyber security tips

So here are my top tips on cyber security.

  1. Back up your data – it reduces the risk of being blackmailed by ransomware
  2. Install anti-virus software – it protects against infections
  3. Protect mobile devices – use the screen lock, and ensure you can track and lock them remotely
  4. Use strong passwords and different ones for different accounts
  5. Be careful with email – don’t click, check official sources
  6. Install software updates – they include security updates
  7. Report cyber attacks – contact Action Fraud 0300 123 2040
  8. Use the Data Security and Protection Toolkit to check and improve your cyber and data security arrangements 

Support on cyber security

Use the Data Security and Protection Toolkit to check your data and cyber security arrangements. And you can access free support on the DSPT from the Better Security, Better Care programme and partners.

Find cyber security awareness training guidance and information  

View the Better Security, Better Care webinar on cyberattacks with the National Cyber Security Centre and the South West Cyber Resilience Centre. 

If you want to share your views on this article, please contact Daniel on dcasson@careengland.org.uk.

Daniel Casson, Care England’s Adviser on digital transformation (www.careengland.org.uk/digitalblog).