At the start of this year, the Government announced a package of reforms intended to improve adult social care services. With a focus on digitisation, this has brought cyber security up the agenda for care providers. The Department of Health & Social Care has now published a report summarising the results of research undertaken by Ipsos and the IPC at Oxford Brookes University.
The report shows that the human factor remains a significant risk to care providers, as:
- phishing was identified as the most common cyber security incident (reported by 75% of providers who had experienced an incident);
- just under half of attacks originated from a third-party organisation (44%), whereas 1 in 5 originated within the care provider’s own systems (21%);
- whilst three-quarters (77%) of care providers agreed their frontline staff have the digital skills they need, concerns were raised in respect of high staff turnover, varying digital literacy levels across the workforce, and the perception that cyber security is not something that care workers typically consider as part of their role.
The research also identified several risky behaviours and practices, including:
- sharing organisational devices, reported by around a third of care providers (39%);
- staff using their own devices for work (33%); or
- sharing email addresses (30%),
with a recognition amongst interviewees that such practice is widespread.
Care providers who reported at least one incident incurred an average cost of £9,528 dealing with incidents over the last three years. However, costs vary significantly, and the highest cost of incidents reported by an individual provider over the past three years cumulatively stood at £900,080. The most common type of impact was having to introduce new measures to prevent future breaches (28%) and commit additional staff time to deal with the attack, exacerbating current workforce pressures.
Whilst two-thirds of care providers (68%) agreed that they would be prepared to trade functionality, or pay more, to receive high-quality cyber security when purchasing digital technology, technology suppliers mentioned that in practice, buying decisions are mostly based on price and functionality rather than cyber security. As a result, when the care provider is the victim of a cyber incident, support is typically offered on a goodwill basis rather than on a formal, contractual basis.
Consequences for senior leaders
Interviews with key representatives and leaders in the sector revealed that care providers are worried about their ability to identify cyber threats and face challenges from working in an industry with low digital maturity, with a small number of suppliers to support them.
Insights from the qualitative interviews suggested that some care providers and their senior leaders relied heavily on policies and procedures without a full grasp of cyber security risks. This means that care providers rely heavily on their technology suppliers for cyber resilience, whilst lacking the expertise or resources to monitor this once the contract is concluded.
Recommendations and resources for support
Whilst costs were identified as a significant barrier to improving cyber security, the interviews also revealed many care providers were unaware of the existing support available to them through the Digital Care Hub’s Better Security Better Care programme, for example.
The report concludes with several recommendations which could benefit the sector as a whole. In the meantime, care providers are encouraged to:
- complete the NHS Data Security & Protection Toolkit (DSPT) and embed good practice within their organisation, rather than treating it as a tick-box exercise;
- have a team or person dedicated to cyber security;
- implement compulsory training on cyber security for new joiners and refresher training for all staff;
- source access to cyber expertise, for support on both a proactive and a reactive basis;
- implement two-factor authentication and regular data back-ups;
- prioritise cyber security when engaging technology suppliers.
The full report can be found here, and we would be very happy to arrange a call to discuss how the findings might impact your cyber security strategy.