Research and analysis

Ministerial foreword and report summary

Published 24 March 2025

Applies to England

Ministerial foreword

On 3 January 2025, the government announced a package of groundbreaking reforms to improve adult social care and support the workforce. Part of this announcement includes:

  • going further on digitisation
  • joining up digital systems across health and care
  • an aim for all care providers to be fully digitised by the end of this Parliament

Robust cyber security practices enable and protect the safe access and sharing of data for all of those working in, and drawing on, care and support. However, we know cyber risks are ever increasing, along with the nature of the threat. This report will equip care providers and their suppliers with the evidence and data needed to understand the extent of the risks posed by cyber.

In March 2023, the Department of Health and Social Care (DHSC) and NHS England published A cyber resilient health and adult social care system in England: cyber security strategy to 2030. The strategy:

  • sets out the importance of cyber security in ensuring patient and service user safety
  • details the future vision for a cyber resilient health and social care system
  • outlines some of the challenges and threats faced by each sector

The strategy committed to the publication of a landscape report detailing the current state of cyber security within adult social care providers, in response to a lack of evidence on the level of risk in the adult social care sector. This report, produced by Ipsos UK in collaboration with the Institute of Public Care (IPC), on behalf of DHSC, provides that strong evidence base for both policymakers and care providers to better understand the cyber security risk within the care sector.

In addition to the new care reforms, last year the Prime Minister set out an ambitious health mission, which included 3 big shifts to make our health and care system fit for the future, moving from:

  • analogue to digital
  • hospitals to communities
  • sickness to prevention

A digitised and resilient adult social care sector plays a critical role in all those shifts.

To ensure we can meet these shifts and support care providers on their digitisation journey, it is imperative that we build on the work that has already been done to improve cyber resilience. To do this, we required a more robust evidence base on current cyber security practices and trends within the sector. The adult social care cyber security landscape report provides this and outlines how the work of the Better Security, Better Care (BSBC) programme, a grant-funded DHSC programme, has brought cyber security up the agenda for care providers.

While this is a positive step in the right direction, the report has highlighted that there is still work to be done in order to realise the strategic aims of the health and care cyber security strategy to 2030. The government is committed to continuous investment in digital and cyber security for the adult social care system. We will continue to build on the work of the BSBC programme, and work with providers to increase standards and adopt the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.

Given the financial challenges facing the sector, heightened cyber security is of the utmost importance to prevent both harm to those receiving care and support, and increased financial costs from cyber incidents.

I want to thank all care providers for their hard work in continuing to invest resources into the safety and security of those working in and drawing on care. The government recognises the value of cyber security within adult social care and its importance in protecting the wider system, including the NHS.

Stephen Kinnock MP
Minister of State for Care

About this report summary

This summary provides an overview of the main findings from a research project undertaken by Ipsos and the IPC at Oxford Brookes University, on behalf of DHSC.

The full report is available to download on The state of cyber security in adult social care landing page.

Context

The Network and Information Systems Regulations (NIS Regulations) were introduced in 2018. Healthcare services are an essential service under the NIS Regulations. In 2023, DHSC and NHS England published ‘A cyber resilient health and adult social care system in England: cyber security strategy to 2030’. This strategy provides the vision for protecting health and social care services, which increasingly rely on digital technology to transform care, from the disruptive impact of a cyber attack.

Significant efforts have been made over the last few years to improve both information security and cyber security across the sector through increased awareness of the Data Security and Protection Toolkit (DSPT) and support available through the BSBC programme.

In this context, the project aimed to understand how cyber security is currently managed within the adult social care sector and how cyber resilience can be strengthened. It also provides a baseline against which knowledge and understanding can be monitored.

Methodology

The research started with a rapid evidence review and a scoping phase, which helped determine the remit and objectives of the project and refine the methodology.

The main phase used a mix of quantitative and qualitative research methods, with fieldwork taking place between December 2023 and April 2024. A survey with 575 regulated care providers in England was conducted, using a combination of online and telephone interviews. In-depth qualitative interviews were conducted, via Microsoft Teams, with:

  • 15 care providers
  • 10 technology suppliers
  • 16 adult social care representatives and leaders

An online survey with technology suppliers was also conducted using an open link, but only achieved 9 responses despite repeated attempts to engage with this target audience through a range of different channels.

Economic analysis was conducted of the cost of cyber incidents reported by care providers in the survey. The project was guided by the regular input of a data end user group, established by DHSC.

Main findings

Threats and risks facing the sector

About 4 in 5 care providers (79%) had used some well-established approaches to identify cyber threats within the last 12 months (17% did not use any measures and 4% did not know if they had). The most common approaches were risk assessments that include cyber security (62% reported carrying this out), testing staff awareness and response (41%) and/or carrying out cyber security vulnerability audits (38%).

Representatives and leaders raised concerns regarding care providers’ ability to identify cyber threats, which they attributed to a lack of understanding of cyber security risks and of the likely impacts of incidents, a lack of dedicated staff resources to manage risks, and the limited information shared by technology suppliers about this. 

Phishing was identified by representatives and leaders as the most common type of incident care providers are at risk from, with ransomware the most costly. Technology suppliers identified unauthorised accessing of files or networks as the greatest cyber risk facing care providers using their services or solutions, followed by malware, denial of service attacks and ransomware attacks.

There were concerns about a number of risk factors inherent to the sector that make care providers very exposed to cyber incidents. Low digital maturity, the sensitive financial information and personal data care providers hold, and the sector’s reliance on a small number of technology suppliers contribute to this vulnerability.

Experience and impact of cyber incidents

Only a third of care providers reported experiencing a cyber incident or unsuccessful attack in the last 3 years (33%). As a comparison, in the 2024 Cyber Breaches Survey half of businesses (50%) and a third of charities (32%) reported experiencing a cyber security breach or attack in the last 12 months. There were some concerns about potential underreporting of attacks, with representatives and leaders suggesting that a lack of awareness and fear of reputational damage when disclosing incidents contributed to this discrepancy.

Of the care providers who had experienced an incident or attack:

  • the most common type of incident was phishing (reported by 75% of providers who had experienced an incident) - this was followed by just over a third who had experienced people impersonating their organisation in emails or online (35%)
  • the incidents or attacks had been fairly infrequent - within individual care providers, 2 in 5 incidents happened once only in the last 3 years (27%) or roughly once a year (14%)
  • just under half of the attacks originated from a third-party organisation (44%), and 1 in 5 originated within the care provider’s systems (21%)

Over half of the incidents reported did not have any impact such as loss of revenue, reputational damage, impact on staff or service users (52%). Overall, the most common type of impact was having to introduce new measures to prevent future breaches (28%) and commit additional staff time to deal with the attack (28%), which reflects and may also exacerbate current workforce pressures faced by care providers, as shown in Skills for Care’s state of the adult social care sector and workforce in England. Similarly, over 3 in 5 incidents did not result in any outcomes for the care provider (63%). Loss of access to files or networks (11%), compromised accounts or systems used for illicit purposes (9%) and software or systems being corrupted or damaged (8%) were the most common for those who reported an outcome.

On average, care providers spent £2,575 dealing with cyber security incidents over the last 3 years. This average includes care providers who did not report any incident, and those who reported incidents but said they did not incur any costs as a result. The figure is much higher when excluding those who did not report any incident over the last 3 years: care providers who reported at least one incident incurred an average cost of £9,528 dealing with this or these incidents over the last 3 years. The median was £0 and the highest cost of incidents reported by an individual provider over the past 3 years cumulatively stood at £900,080, indicating a large range of possible costs. When excluding care providers who did not incur any costs as a result of the incident or ‘near miss’, the average cost incurred by care providers over the past 3 years stands at £24,064, with a median cost of £650.

The vast majority of incidents (89%) resulted in actions being taken by the care provider - for example, carrying out training and/or communications to staff (61%) or reviewing or updating their cyber policies and procedures (50%).

Awareness and perceptions of cyber security in the sector

Self-reported knowledge about good cyber security practices was high among care providers (90% reported they know a great deal or fair amount about it). The qualitative interviews confirmed that there had been a significant rise in awareness of cyber security issues in the sector, as a result of the:

  • BSBC programme
  • DSPT and its inclusion in the Care Quality Commission (CQC) Single Assessment Framework
  • adoption of digital technology
  • cyber incident affecting the software supplier, Advanced, in August 2022 that had been a wake-up call for many in the sector

Over 4 in 5 care providers agreed that their organisation knew where to go for advice and expertise on cyber security (82%). Cyber security expertise was typically accessed through contracts with cyber security organisations (46%), ad hoc access to specialists (31%), an internal expert team (27%) or an internal expert individual (21%). However, insights from the qualitative interviews suggested that some care providers relied heavily on policies and procedures without a full grasp of cyber security risks. This surface-level understanding meant that exposure to cyber security risks and the potential impact of cyber incidents were underestimated.

The majority (90%) of care providers consider cyber security a high priority, and it is recognised as an important issue for the leaders of care providers. However, competing priorities and limited resources pose challenges. Misconceptions about data sensitivity, risk levels and reliance on external cyber security teams or technology suppliers could hinder adequate prioritisation and leadership.

In terms of the wider workforce, three-quarters (77%) of care providers agreed their frontline staff have the digital skills they need to securely use the digital technology or systems adopted by their organisation. However, concerns about staff digital skills were raised in relation to high staff turnover, varying digital literacy levels across the workforce (also shown in Adult social care technology innovation and digital skills reviews) and the perception that cyber security is not something that care workers typically consider as part of their role.

Policies, procedures and practices

Care providers reported that they have implemented a wide range of policies, procedures, rules and controls in their organisation to promote cyber security. For example:

  • a majority (82%) had established a formal policy or policies covering cyber security risks, and/or a business continuity plan that covered cyber security (80%)
  • a majority of care providers taking the expert routing through the questionnaire had a broad range of technical rules and controls in place to help minimise the risk of cyber security breaches (such as strong password policies, restricted access, up-to-date malware protection): 55% had 11 to 15 rules and controls, 35% had 6 to 10, and only 10% had 1 to 5 of the 15 rules or controls listed

The majority (around three-quarters) reported that they provide staff with a wide range of training offers on cyber security, and a similar proportion (75%) agreed that they knew the cyber security risks associated with ‘enterprise connected devices’.

As such, there was a high level of confidence among care providers in the procedures and policies their organisation had in place to ensure cyber security. Where there was uncertainty, this related to:

  • concerns around human error
  • the changing landscape in terms of technological advances and advances in cyber crime
  • the lack of resources, time and capacity to dedicate to cyber security

Still, representatives and leaders expressed some concerns regarding the robustness of these procedures and policies, their implementation, and the quality of the cyber security training provided to staff.

Furthermore, some risky behaviours and practices seemed to be fairly common. In the survey around a third of care providers reported that things like sharing organisational devices (39%), staff using their own devices for work (33%) or sharing email addresses (30%) were happening fairly or very frequently. In the qualitative interviews, all audiences thought that these practices were widespread, linking them back to low digital skills, lack of awareness of cyber risk and lack of resources (for example, to buy extra licences or devices).

Responding to future cyber incidents

Care providers showed a high level of confidence in their organisation’s ability to deal with a future cyber incident, with the proportion feeling very confident higher among care providers who did not report any incident over the last 3 years (36%, as opposed to 25% among those who did).

Care providers’ high level of confidence in their ability to deal with a future cyber incident was driven by the policies and procedures they had in place, including:

  • written guidance on who to notify (75%), assigned roles and responsibilities (72%), and guidance on when to report incidents externally (64%)
  • business continuity plans covering cyber security (80%) and incident response plans (61%) - over half of care providers have both (53%)
  • back-ups - the majority reported that they backed up their data (81%), with over half reporting that this happened once a day or more (56%). Nearly all (96%) care providers were confident their back-ups were usable and complete
  • insurance - just under two-thirds (64%) reported being insured against cyber security risks in some way

Still, some concerns were raised in the qualitative interviews (particularly from representatives and leaders) around the strength of some of these measures. This again included an over-reliance on policies and procedures that was not backed up by practical knowledge and experience. More specifically, there were concerns about weaknesses common in business continuity plans (for example, underestimating the time it can take to recover from an attack) and back-ups being inadequately implemented.

In terms of actions in the event of an incident, care providers reported that they would notify a range of organisations - in most cases CQC (80%), the Information Commissioner’s Office (ICO) (73%), their insurance company (73%) and/or the local authority (71%), though in practice they explained that who they would notify would depend on the nature of the incident.

Technology suppliers also reported a range of measures in place to respond to an incident and, though the base size is low, it appears that such procedures are widespread. They were also confident in their cyber incident response and recovery arrangements.

Technology suppliers’ approaches to cyber security and risks

Technology suppliers generally had a strong awareness of cyber security, current and emerging threats, and its importance within the adult social care sector.

They mentioned a range of characteristics to demonstrate their cyber maturity and resilience, including:

  • senior leadership on cyber security
  • high prevalence of business continuity plans
  • formal policies covering cyber security
  • high take-up of various rules and controls associated with cyber security

All or most participating technology suppliers used third-party cyber services such as IT system monitoring and threat detection, and penetration testing. Technology suppliers also reported high levels of confidence in their digital supply chain.

Maintaining a good reputation, and the likely commercial impact of an incident were the main drivers for good cyber security governance, practices and supply chain arrangements.

Relationship between care providers and technology suppliers

In practice, ownership for cyber security risks is a mixed responsibility between care providers and technology suppliers. As care providers are ultimately accountable for their data, they see themselves as responsible for assuring themselves of the cyber resilience of their digital arrangements.

However, a lack of in-depth cyber expertise and of resources to dedicate to cyber security means care providers rely heavily on their technology suppliers. They place a significant amount of confidence in their technology suppliers having appropriate cyber security measures in place. This led technology suppliers and sector representatives and leaders to think that care providers assumed their technology suppliers were fully responsible for cyber security, which did not reflect care providers’ own views.

When purchasing technology, there was also high confidence among care providers in their commissioning staff’s ability to purchase safe and secure technology. Technology suppliers confirmed that cyber security is increasingly considered when technology is purchased, in particular by large care providers.

Two-thirds of care providers (68%) agreed that they would be prepared to trade functionality, or pay more, to receive high quality cyber security when purchasing digital technology. Still, technology suppliers mentioned that in practice, buying decisions are mostly based on price and functionality rather than cyber security. The care providers who took part in the qualitative interviews confirmed this.

There appears to be limited ongoing monitoring of cyber security risks by care providers after the contracting process. This is due to lack of time, size of organisation (too small to have bargaining power), and not knowing what checks to carry out.

Looking at the support offered to care providers by their technology suppliers, this tends to be at the set-up stage and focused around functionality rather than cyber security. In the event of an incident on the supplier side, support would be offered to the care provider in the form of back-up data, electronic forms and so on, so the organisation can continue to operate offline. Support when the care provider is the victim of a cyber incident would be offered on a goodwill basis rather than on a formal basis.

Improving cyber resilience

Research participants viewed the DSPT as useful for raising awareness of cyber security and driving up the adoption of basic controls. However, DSPT compliance was not viewed as an accurate measure of cyber resilience in the sector. It was thought that some care providers treated DSPT completion as a ‘tick box’, and that meeting DSPT standards did not necessarily equate with depth of knowledge and engagement with cyber security issues. Mixed and conflicting suggestions were made for the future of the DSPT, ranging from simplification (to make it more proportionate to the mix of care providers in the sector) to greater inclusion of Cyber Essentials requirements and external verification of the self-assessment.

Barriers to improving cyber security primarily focused on costs (mentioned by 49%) followed by time and capacity to dedicate to this (34%). They included the cost of updating out of date and legacy digital systems, the time for staff to invest in training and learning about cyber security, and the cost of working with a cyber security supplier providing the level of expertise needed.

Suggestions for improving cyber resilience varied, and focused on:

  • ensuring all care providers are aware of the range of support options available to them (for example, from the BSBC programme)
  • education and awareness raising across all staff
  • supporting care providers financially
  • strengthening requirements and assurances for care providers and technology suppliers to promote safer cyber practices
  • central co-ordination of cyber resilience testing and incident response
  • the role of technology suppliers in supporting and upskilling their customers

All audiences generally supported a national reporting function for cyber security incidents in adult social care where the incident could potentially impact care delivery. This was on the grounds that the function should facilitate sector learning and that providers would not be identifiable in any publicly shared information. Linking the reporting of incidents to a cyber incident response co-ordination offer would encourage the reporting of incidents.

Subgroup analysis

Some fairly distinct groups emerged from the analysis of the survey with care providers, regarding their:

  • leadership on cyber security
  • awareness and understanding of cyber security risks
  • monitoring of risks
  • adoption and implementation of cyber security measures

In terms of size, providers with 50 or more staff were more likely than smaller providers to back up their data once a day or more, use a secure back-up system contracted elsewhere, and report cyber incidents. They were also more likely to have various cyber security controls and risk management arrangements in place. However, on certain questions such as confidence about having appropriate measures in place, responses were similar regardless of size.

Looking at the type of service provided, home care providers were more likely than average to say that cyber security is a very high priority for their owners, directors or senior management (61% versus 51%), and to strongly agree that there is strong leadership in cyber security planning in their organisation (48% versus 40%). They were also more likely to strongly agree their staff have the digital skills needed to securely use the digital technology or systems adopted by their organisation (47% versus 41%), and to strongly agree with a range of statements about cyber security training for staff.

Some care providers demonstrated a high level of engagement with cyber security. They reported a strong understanding of cyber security principles and had implemented comprehensive policies and procedures to protect their organisations. These care providers usually had many of the following in common:

  • a business plan and/or formal policies specifically addressing cyber security
  • 11 to 15 rules and controls in place to ensure good ‘cyber hygiene’
  • specific cyber security insurance
  • regular data back-ups
  • a complete cyber incident response plan
  • Cyber Essentials or other nationally recognised certifications
  • access to cyber expertise from the BSBC programme

In particular, access to cyber security expertise provided by BSBC through the Digital Care Hub was consistently associated with better cyber security practices, when compared with the average. For example, care providers who said they accessed this source of expertise:

  • had better awareness of the likely impact of a cyber incident
  • were more likely to have various rules, controls, policies and procedures in place to manage cyber security day-to-day and respond to incidents
  • were more positive about training and staff awareness on cyber security

A small group of care providers is further behind. In the survey, they did not appear to engage well with cyber security overall, and showed limited awareness of the cyber security risks faced by care providers and the likely impact of cyber security incidents. These care providers tended to have many of the following in common:

  • they lacked formal policies or business continuity plans covering cyber security
  • they only had 1 to 5 rules and controls in place
  • they did not back up their data or backed them up infrequently
  • they did not have cyber security insurance
  • they did not have a cyber incident response plan
  • they had ad hoc access to cyber expertise with an external specialist

This is demonstrated by the association between the sub-groups listed above: for example, 44% of care providers with 1 to 5 rules and controls reported that they do not back up their data, and over half of care providers with no cyber security insurance do not have any cyber incident response plan (55%). These care providers with minimal or no cyber security measures in place are particularly vulnerable to cyber threats, but tended not to realise their vulnerability or could not afford to prioritise cyber security.

Many more care providers fell between these 2 extremes, having implemented some cyber security policies and procedures while also reporting some areas for improvement. 

Evidence of good practice was found among providers of all sizes and types, and so was limited engagement with cyber security. Rather than size or type of service, it is leadership on cyber security and access to cyber expertise that appear to have the most influence on care providers’ awareness and understanding of cyber security and on their adoption and implementation of cyber security practices.