A rough guide to supporting adult social care providers to improve data and cyber security measures.
This guidance is based on experiences since the implementation of the Care Act and is not formal guidance and should not be applied as such. It should be used to have conversations about how the issues raised can be dealt with locally. It does not constitute legal advice and should not be relied upon in that capacity. Independent legal advice should always be sought. It is likely to change in the light of further experience and will be reviewed as appropriate.
- Who is this guidance for? And why is it needed?
Technology has changed the way we deliver social care, and the COVID-19 pandemic has expedited this. Whilst advances in technology bring benefits for the sector, and for the people the sector supports, they also present risks in how information is managed and kept secure.
Data and cyber security is a major issue for all organisations. It is about safeguarding the confidentiality and privacy of people’s personal data as well as the availability and integrity of that data, all of which are vital to transfer people smoothly between care settings and to ensure the quality of care. This is not just about technology, but also about individuals understanding their responsibilities and organisations having tested policies and plans in place. Cyber attacks are increasing in number and sophistication. However, if staff are well trained, tested procedures are in place and technical defences are in use (e.g. a firewall, regular software updates, etc.), then the risk of a cyber attack being successful is reduced.
Understanding data and cyber security is essential to prevent disruption to care provider businesses and the services they provide for people. It is also important in avoiding the risk of digital exclusion, so that providers don’t get ‘left behind’. To help ensure a sustainable and diverse adult social care market, and to safely share information between health and care, commissioners should support the social care provider sector to improve data and cyber security measures. This guidance is for commissioners of adult social care services. It makes suggestions as to how you might do this.
- How to support providers with data and cyber security
There is a range of ways in which commissioners could support care providers with data and cyber security. However, local authorities and CCGs will have differing amounts of resources available to them. This guidance, therefore, is arranged in order of priority, with the highest priority activities for commissioners to consider listed first. Commissioners should consider offering the following support:
Signposting, advice and awareness training
Signposting by commissioners and providing an authoritative source of advice helps to raise awareness of data and cyber security within the sector. The following are recommended:
- Signposting to information about data and cyber security
The National Cyber Security Centre (NCSC) is the authority on cyber security and has some useful advice and guidance and resources, including an accessible Cyber Security: Small Business Guide. It now also incorporates Cyber Aware which aims to support simple secure online behaviours to help individuals and families protect themselves from cyber criminals.
Get Safe Online is a UK public private sector partnership supported by the government, which provides a wealth of free expert advice and resources to help people and organisations stay safe online.
Run by social care providers for social care providers, Digital Social Care is a website dedicated to providing advice and support to the sector on technology and data protection. It has a range of resources and accessible information all specifically targeted at social care providers. It is the go-to site for care providers. It is particularly helpful to those who are still getting to grips with data and cyber security, and has guidance on the basics of Cyber Security.
Commissioners should consider giving data and cyber security training and signposting ‘packs’ to small or local services that are entering or new to the market. Other ways to signpost information include through:
- Your regular provider email and written communications
- Provider contract monitoring meetings.
- Provider forums. Discussion helps to engage providers in the subject matter from a practical perspective and helps ‘bring it to life’. Providers with greater knowledge and experience than others can be very effective in supporting these conversations.
- Providing a ‘safe space’ for provider-led exchanges.
- Local care provider associations and partnerships. Engagement through this type of route can be particularly effective.
To keep the subject ‘live’, communications should be conducted on a periodic and ongoing basis. Face-to-face routes, including one-to-one support, are often the most effective, because they facilitate discussion and reflection. During this period of remote working under COVID-19, and for large and rural areas, video conferencing and webinars can be useful alternatives.
- Advice on how to manage the most common cyber security risks
As part of the national cyber security programme, the Institute of Public Care at Oxford Brookes University carried out research to identify the common, key risks that social care provider services face. The programme report identified the top three cyber security risks prevalent in the sector as: backups; smartphone security; and passwords. Commissioners should support social care providers to take precautions against these three risks, including signposting them to the guidance below:
1. Backups
It is important to take regular backups of important information and to check that the backups can be restored. The National Cyber Security Centre provides advice on backups and in 2020 published further advice on cloud backup options for mitigating the increased threat of ransomware related to COVID-19, as more people are now working at home.
2. Smartphone security
The use of mobile phones in care settings must be safe and secure, but often the risks from smartphones are not considered as thoroughly as the risks posed by computers or tablet devices. The National Cyber Security Centre provides advice on smartphone security.
3. Passwords
Strong passwords can help prevent unauthorised access to systems and devices which store important information. Digital Social Care has advice on how to use strong passwords.
- Information Commissioner’s Office (ICO) registration
Registration with the ICO is a legal requirement for every organisation that processes personal information, unless it is a not-for-profit organisation that qualifies for an exemption, or it does not use any computers or electronic systems (e.g. email, fax, text messages, etc.). Non-registration can result in a significant fine.
If an organisation is not already registered, they should register as a matter of urgency.
All registered organisations will have an ICO registration number. Commissioners can check whether providers in their area are registered (and alert them if they are not) by searching the ICO register. Note that the not-for-profit exemption is very limited in scope and it is unlikely that regulated care providers will be exempt. If there is doubt whether an organisation needs to register and pay a fee to the ICO, the ICO has a registration self-assessment that can be used to check.
- Awareness training on data and cyber security
Commissioners should help social care providers to access reliable sources of data and cyber security awareness raising training. This could be by signposting providers to free training from authoritative sources such as:
National Cyber Security Centre Stay Safe Online: top tips for staff: an online course that’s easy-to-use and takes less than 30 minutes to complete. It’s not sector specific, but has good generic advice on how to stay safe and an excellent quiz at the end.
BT Skills for Tomorrow: online courses that have clear structured lessons from how to create strong passwords through to securing employee devices and networks. They are not sector-specific, but technical aspects are presented in accessible language.
In addition, CCGs, health trusts and councils will have training in place for their health and care staff and commissioners could approach them to see if access to these courses by local care providers can be negotiated. Local police may offer cyber security fraud awareness training workshops and/or visits to check an organisation’s arrangements, which commissioners could organise for local care providers.
Commissioners could also consider providing cyber security advice ‘surgeries’, for example with your organisation’s Data Protection Officer or cyber security lead in attendance.
- Your use of secure email
Providers need assurance that emails sent by your organisation are secure (by being encrypted); however, this is not always made clear. If you are not using an obviously secure system such as Egress (where a password is needed), ensure that your email footer, for example, includes a statement about encryption.
Further support to care providers with data and cyber security
- Contract and contract monitoring requirements
Data and cyber security good practice should be required through provider contracts which specify evidence for safe and secure handling of information. To reduce duplication and promote standard and consistent evidence of data and cyber security, it is recommended that commissioners build into contracts the requirement to complete the Data Security and Protection Toolkit (DSPT), at the level of Standards Met.
The DSPT is an online self-assessment, provided by NHS Digital, which is tailored for use within social care, is free, and is increasingly being used by providers as evidence for CQC. Already cited in many NHS contracts, completion of the DSPT as evidence ensures a standard and consistent approach across and for the sector.
The following wording is suggested for use by council commissioners in contracts with care providers:
Data Security and Protection Toolkit (DSPT)
The Provider must give assurance that they are practising adequate data security and that personal information is handled in accordance with appropriate legislation and best practice.
The NHS Digital Data Security and Protection Toolkit (DSPT) is a free online annual self-assessment for this purpose, tailored for use in social care. The Provider must annually complete and publish the DSPT and comply with its mandatory requirements. This should be at the level of Standards Met. Initially, the Provider may complete the DSPT at the level of Approaching Standards but their accompanying action plan must assure that Standards Met will be achieved by the following assessment period.
Better Security, Better Care
To aid DSPT completion, the Provider may access enhanced national and local support available through the Better Security, Better Care programme.
- Support to complete the Data Security and Protection Toolkit (DSPT)
The Data Security and Protection Toolkit (DSPT) is a self-assessment tool on the safe and secure handling of information for health and social care providers. Information about the Toolkit is provided by Digital Social Care.
The DSPT is already mandatory for contracts with the NHS, and prior to COVID-19 had been a precursor for providers to access NHSMail, which is a secure email system. It is also increasingly being used as evidence in CQC inspections. To complement the national Better Security, Better Care programme, commissioners should support providers to complete the DSPT to Standards Met level.
Support for providers to complete the Toolkit can be provided in a number of different ways; suggestions include:
- Assign the role of local Toolkit champion. One or more members of commissioning staff are given responsibility for understanding Toolkit requirements and how to use it; the Toolkit champion then raises awareness of the Toolkit and provides training or other support to local providers.
- Find out what support other local or regional organisations are providing. For example, NHS England Ageing Well leads are working with care homes to support them with the Toolkit.
- Provide training and other support perhaps as part of an existing training offer. There are resources available (see section on Signposting above) to support training offers, including with Toolkit registration. Training can be delivered in a group environment or as one-to-one support.
Examples of good practice
Nottinghamshire County Council supported care homes, domiciliary care and supported living providers within the county. The council began by raising awareness of data and cyber security, including business continuity planning, and then supported providers to complete the DSPT to Standards Met level through a series of calls and on-site visits.
Wiltshire CCG provided one-to-one support for nursing homes across Bath and North East Somerset, Swindon and Wiltshire to complete the DSPT to meet the standards required for NHSMail prior to COVID-19. Support offered included one-to-one consultations, advice and access to resources and guidance. Following an initial on-site visit, ongoing support via email/phone was provided.
Tips for effective DSPT training and support are included in the Adult Social Care Data and Cyber Security Programme 2019/20 report published by the Institute of Public Care.
- Critical friend support
Commissioners could consider offering critical friend support including on-site visits or virtual meetings to chat through individual provider arrangements, in order to raise awareness of any risks and to develop an action plan and provide signposting. This can be done through:
- Using the ‘critical friend’ questions for providers in Appendix 1. These will take around three hours to complete.
- Using the risk categorisation model outlined in the Adult Social Care Data and Cyber Security Programme 2018/19 Programme Report published by the Institute of Public Care.
- Using the requirements of the Cyber Essentials Scheme.
Conversations with providers should be led by a member of staff who is sufficiently familiar with the subject area and knowledgeable about sources of further help and support, e.g. the ‘Toolkit champion’ mentioned above.
Crucially, this type of supportive intervention, conducted outside of any contract monitoring arrangements, can help providers to think in depth about their arrangements for data and cyber security, with encouragement to make improvements, without the worry of being judged or penalised in some way.
- Business continuity plans and disaster recovery testing
Most providers will have a business continuity plan in place. Traditionally this type of document will cover areas such as fire or bad weather, but it may not cover access to the critical data needed to continue to provide people’s care should the means to access that data be lost (e.g. through a power cut, internet failure, computer breakdown or other IT problems). Without such a plan in place there is the risk of personal data becoming unavailable or lost, which is a potential data breach.
Commissioners can support providers to have effective business continuity plans for data and cyber security through:
- Raising awareness of the importance of including data access in business continuity plans.
- Sharing and promoting use of a business continuity plan (data) template. An example business continuity plan template is available from Digital Social Care.
Once plans are in place they need to be tested; otherwise it will not be clear whether the plans would work in practice, i.e. when they are really needed. This could result in data needed for providing care not being available in an emergency. Commissioners could support providers to test their plans through:
- Raising awareness about the importance of providers testing their plans.
- Running simulated ‘tests’ with providers including of:
- Cyber attacks such as ransomware
- Internet failure
- Power failure
- Signposting providers to the tests included within the template available from Digital Social Care as above.
Results from any tests conducted should be discussed with the provider and any improvements should be included in an action plan drawn up by the provider and followed up by the commissioner.
- Support to obtain IT services
Small and medium providers are less likely to have internal IT departments and therefore need to commission this type of service externally. Knowing what to look for in an IT support company can be a daunting prospect for providers who may have little knowledge of the subject area. However, securing an effective IT service is important for providers to keep data safe, by minimising the risk of threats and consequent service disruption, and to keep costs down: reputable IT providers should provide proportionate solutions and not overcharge for their services.
Ways in which commissioners could consider helping providers to find suitable IT services include:
- Providing advice as to what to look for in an IT support company.
- Offering a service to evaluate an IT company on behalf of a provider (this could be a charged-for service), utilising the above advice.
- Facilitating word-of-mouth recommendations, as part of signposting as above.