The state of cyber security in adult social care: summary

This summary is based on the full report, The state of cyber security in adult social care, published in March 2025 by the Department of Health and Social Care.

Awareness is high but not fully embedded

The research found that awareness of cyber security issues among care providers and commissioners is high, with 90% of care providers reporting they know a great deal or a fair amount about good practice in cyber security. However, this awareness has not yet fully translated into consistent working practices, and good cyber security measures are not always applied. While 82% of providers have formal cyber security policies and 80% have a business continuity plan in place that includes cyber security, gaps remain in day-to-day implementation.

A minority of care providers are further behind

Despite overall awareness, a small but significant number of care providers are not engaging with cyber security. Approximately 17% of care providers do not use any measures to identify cyber threats. Many in this group lack dedicated cyber security personnel, do not complete the Data Security and Protection Toolkit (DSPT), and have few or no cyber security policies in place. They are also unlikely to provide mandatory cyber security training for new staff. Providers without access to cyber expertise, or those with only ad hoc access, often fall into this category.

The scale of cyber threats is underestimated or misunderstood

Even among care providers who engage with cyber security, many underestimate the likely impact of a cyber incident. Many do not fully understand that cyber incidents could affect HR records, payroll systems, and care delivery, with recovery taking months rather than days.

Cyber attacks may be under-reported due to poor monitoring

The research found that only 33% of providers reported experiencing a cyber incident in the last three years, a figure that suggests significant underreporting potentially due to poor monitoring. In the survey, care providers reported using a range of approaches to identify cyber security risks, in particular risk assessments (mentioned by 62%), testing staff awareness and response (for example via mock phishing exercises) (41%) and cyber security vulnerability audits (38%). A third of care providers used specific tools designed for security monitoring.

One in 6 (17%) care providers said they did not use any of the approaches listed in the survey to identify cyber security risks, rising to around a third among those with no business continuity plan covering cyber security (36%), no formal policies covering cyber security (31%) and no cyber incident response plan (32%).

This lack of awareness may contribute to the low reporting rates, as providers may not realise they have been attacked.

Training and risky behaviours remain areas of weakness

Although most care providers offer cyber security training, it is often infrequent or seen as a ‘tick-box’ exercise. The research found that while 75% of care providers provide cyber security training, one-third of providers still report risky behaviours such as staff sharing organisational devices (39%), using personal devices for work (33%), or sharing email addresses (30%). These behaviours are often linked to resource and financial constraints, preventing providers from adopting safer practices.

The DSPT raises awareness but direct support is more effective than compliance alone

Research participants viewed the Data Security and Protection Toolkit (DSPT) as useful for raising awareness of cyber security and driving up the adoption of basic controls. The research found little difference in cyber security practices between providers who met, exceeded, or did not meet DSPT standards. While 78% of providers who participated in the research met DSPT standards, this did not necessarily translate into improved cyber security practices. However, engaging with the Better Security, Better Care (BSBC) programme was consistently associated with better outcomes, suggesting that hands-on support is more effective than compliance alone.

Access to cyber security expertise provided by Better Security, Better Care through the Digital Care Hub was consistently associated with better cyber security practices when compared with the average. Care providers who accessed this expertise:

  • had better awareness of the likely impact of a cyber incident
  • were more likely to have various rules, controls, policies, and procedures in place to manage cyber security day-to-day and respond to incidents
  • were more positive about training and staff awareness on cyber security.

There are weaknesses in the supply chain

Many care providers rely heavily on their technology suppliers but lack the expertise or capacity to properly assess their security practices.

While medium and large providers are increasing due diligence at the commissioning stage, small providers often feel they lack bargaining power. Expanding the Assured Solutions List (ASL) to include a broader range of digital services could help address this challenge by reducing the need for individual providers to conduct due diligence.

Software as a Service (SaaS) is a double-edged sword

The rise of SaaS has improved cyber resilience by incorporating security features such as two-factor authentication and cloud backups. However, this also means that if a major supplier experiences a cyber attack, a large number of care providers could be affected. The research

Support for national coordination is growing

The research found strong support for a national system to coordinate cyber security response and recovery. This could include linking incident response support to products and services on the ASL and requiring mandatory reporting of incidents. There was also support for a national reporting function for cyber security incidents in adult social care, particularly those that could impact care delivery.

Conclusions

While awareness of cyber security has increased significantly in the adult social care sector, it is not yet fully embedded in everyday practice. A minority of providers remain particularly vulnerable, and many underestimate the scale of the threat. Training gaps, risky behaviours, supply chain weaknesses, and inconsistent monitoring contribute to this challenge. Expanding hands-on support programmes, increasing national coordination, and improving supplier accountability could help strengthen cyber resilience across the sector.

Links

The state of cyber security in adult social care – GOV.UK

Digital Care Hub – press release on report