Cyber attacks in social care: a case of ‘when’ not ‘if’

October 31st 2023

Originally posted on the Homecare Association website.

In the next of their Cyber Security Awareness Month series, Better Security, Better Care joined forces with Caremark Limited and the Homecare Association to offer advice and guidance to care services on how to reduce the risk and impact of a cyber attack.

During the webinar, David Glover, joint CEO of Caremark Limited, gave a compelling presentation about Caremark’s experience of a cyber attack.

Caremark were founded in 2005 and have 140 franchised offices, supporting a total of 8,000 clients each week – making them one of the largest homecare providers in the UK.

As part of their model, Caremark franchisees could pick one of two different staff rostering systems. In August last year, the system of one of their chosen suppliers suffered a cyber attack, which led to it shutting down without any prior warning.

This had a substantial impact on the business, as David explains:

“It impacted around 50% of our network and approximately £8 million per month of turnover as unfortunately backups were not in place. One of our largest offices affected has around 30,000 care calls each week so this was an extremely difficult situation for us.”

It quickly became apparent to Caremark that restoration of the software wasn’t going to be imminent. The supplier initially informed Caremark that the outage would last 3-4 weeks, although it subsequently went on for months.

Solutions

Caremark’s initial consideration focused on how they could support their franchisees to provide safe care to their clients without the rostering, invoicing, and payroll systems in place. As David explains,

“We set up an in-house team of experts from different areas and seconded them to support our franchisees in dealing with the outage.”

Caremark liaised with third-party care planning software providers that franchisees were already using to access information to help with staff rostering requirements. This helped Caremark to build manual workarounds in Excel for invoicing and payroll which franchisees were able to use. As David explains,

“We helped our franchisees with around £15 million worth of invoicing processed through our central office team and had regular dialogue with directors of the software provider who were affected.”

As well as this, Caremark set up weekly webinars with franchisees and provided comprehensive updates of the situation. As David explains,

“It was important for us to have open, transparent communication with our franchisees. We shared the news coming out from the software provider so our franchisees could understand how long the system would be out for and what measures to put into place internally.”

Challenges

Whilst some local authorities were very supportive, others proved more difficult to work with and wrote to franchisees challenging them about data breaches caused by the attack – despite the fact there was no evidence at the time there had been a data breach.

The strain on staff was a huge issue which impacted the business, as staff were working overtime to ensure they were delivering a safe service. This put staff under a lot of pressure and, as David explains, resulted in staff members across franchisees leaving the company.

“Staff were under a lot of pressure which resulted in some staff leaving the company. Franchisees were also unable to take on new customers so there was stagnated growth as their efforts were focused on making sure a safe service could be delivered to our existing customers.”

Lesson Learnt

David strongly recommends reviewing your business continuity plan to ensure it includes cyber security and is robust enough for whatever eventuality might occur. As he elaborates,

“Our business continuity plan only covered a software outage of a few days, whereas this went on for months. Our plan is much stronger now as it prepares for eventualities that you would like to assume would never happen.”

David also recommends having strong backup systems in place to reduce the impact of an attack. Backups should be stored somewhere separate from your computer, such as an external hard drive or a secure storage system based in the cloud.

It’s easy to panic in the event of an attack and look towards integrating other systems to get back up and running again. David urges care providers to proceed with caution,

“Avoid the temptation of hastily adopting a new solution because of the external pressures to do so. You don’t want to jump out of the frying pan into the fire. It’s essential to pause, assess, and make a well-informed decision that you won’t regret further down the road.”

Care services looking to strengthen their cyber security arrangements can use the Data Security & Protection Toolkit (DSPT) to check and review their policies, processes and procedures. The DSPT is a useful way to take a bird’s-eye view of what measures your business should have in place, and it can be used as evidence in regulatory inspections.
