
Making the NHS and social care cyber safe

As we move into a more digital age in social care, NHS Digital’s Executive Director of Cyber Operations, Mike Fell, talks about why it’s so important to support staff and create effective policies when it comes to cyber security.

Cyber security never takes a day off

From email and social media to online banking and shopping, it has never been so crucial to take simple but vital cyber security steps to prevent criminals getting hold of data, devices and accounts.

Cyber security is the protection of devices, services and networks, and the information on them, from unauthorised access, theft or damage. It is a collaborative effort which relies on everyone in an organisation doing their bit to keep information, networks and applications safe.

Data is valuable to criminals

Information about our health and care is hugely valuable in driving positive change – data saves lives. Access to data improves population health, supports service planning, and can help us to tackle unequal outcomes.

As a result of the pandemic and increased partnership working between national agencies and local care providers, health and social care is even more digitally dependent. Data is being shared more widely to improve efficiencies and outcomes, but this also increases the amount of data we need to secure, as well as the dependency on it.

Getting cyber security wrong has the potential to cause significant impacts across the health and care system. It could lead to patient safety incidents, disruption to health care services and the loss of sensitive information.

Better Security, Better Care

Improving and promoting good policies, procedures and practices are essential first steps in reducing cyber security risk. If your organisation accesses health and care data, the Data Security Protection Toolkit (DSPT) should be completed every year.

The toolkit, which is an online self-assessment tool, enables you to check that you are undertaking good data security and that personal information is handled correctly. Reaching Standards Met on the toolkit is a requirement if you want access to shared information systems such as GP Connect. Because things change, the toolkit needs to be completed at least once a year in order to be valid – but increasing numbers of care providers are keeping it up to date as a live document.

All adult social care providers can access support from the Better Security, Better Care programme in order to complete the toolkit.    

Better Security, Better Care is a free national and local support programme to help adult social care providers to store and share information safely. It covers paper and digital records and focuses on helping care providers to complete the DSPT.  It includes access to free guidance, template policies, a helpline and 28 local support partners across England.

As a care provider the programme will help you to evaluate and improve your data and cyber security. This means you can reassure the people you support and their families, your staff, commissioners, regulators, and health and care partners, that you are following good practice – and meeting legal and regulatory requirements.

Michelle Corrigan, Better Security, Better Care Programme Director, says:

“Storing and sharing information appropriately is essential to good care. Keeping that information secure is also a safeguarding responsibility and more and more care providers see it that way. But we know they are not data and cyber experts – and they don’t need to be. The Better Security, Better Care programme provides that expertise – and it is free.”

Access support from the Better Security, Better Care programme here.

Every individual has a responsibility to stay cyber resilient

Cyber security is as important as health and safety, and as with that, it is the responsibility of every person in a social care organisation to understand security risks and what they can do to reduce them. NHS Digital’s Keep I.T. Confidential campaign is a fantastic way to help organisations promote good cyber security with staff in social care. The campaign is an online security awareness toolkit which is available for free, to help the NHS and social care organisations to learn about basic security practice and the impact it can have on patient safety. It includes practical steps that staff can adopt into their everyday job, such as setting secure passwords, keeping devices locked when they’re not in use, and being aware of phishing, email scams and social engineering.

Launched by NHS Digital’s Data Security Centre, the materials have been designed to help NHS organisations run their own security awareness campaigns at a time and in a way that suits them.

After a successful first launch in 2019, it has now been updated to meet some of the challenges faced by the social care sector. The toolkit contains a variety of security awareness materials including screensavers, web banners, social media graphics and suggested copy for bulletins and newsletters, to help raise staff awareness.  

There are lots of different versions of images and other resources, that can be used easily within individual social care settings and channels, such as a staff intranet page or internal newsletter. The campaign can also be linked with any staff training on data or information governance. It’s entirely up to organisations to choose how it will best resonate with their staff.  

Tips for better cyber security

Use a strong password: The longer and more complex your password, the more difficult it is to crack. Passwords should be easy to remember, but difficult for someone else to guess. The National Cyber Security Centre (NCSC) suggests a good rule to go by: “make sure that somebody who knows you well could not guess your password in 20 attempts”. NCSC also recommends combining three random words to create a single password, or you could use a password manager, which can create strong passwords for you and remember them.

Report suspicious emails: Be aware of potential phishing scams and emails that try to trick you into providing information. Do not open attachments or click on links without establishing if they are legitimate. Successful phishing attempts could pose a risk to patient safety or result in disrupted IT systems.

Watch out for these common signs of a phishing email:

  • Incorrect branding
  • Spelling and grammar mistakes
  • An email address with an irregular format
  • Suspicious links which look out of place
  • An urgent title or request

If you think you have received a phishing attempt:

  • Do not click on any links or attachments
  • Inspect the email address or domain name to determine if it's from a legitimate source
  • Report any suspicious emails as an attachment to [email protected] (social care) or [email protected] (NHS)

Do not provide your login, password or sensitive information if you are asked by email, phone or text message. Look up the main number for the organisation and contact them to check if the request is genuine.
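As an added example (not part of the original blog), the following Python script checks a raw email against three of the signs listed above: a sender address whose domain differs from the one written into the display name, an urgent subject line, and links whose visible text names a different site from the one they actually point to. The sample message and its domains are constructed for illustration.

```python
import re
from email import message_from_string, policy, utils
from html.parser import HTMLParser
URGENT_WORDS = ("urgent", "immediately", "action required", "suspended")

class _LinkParser(HTMLParser):
    # Collect (visible text, href) for every <a> element in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw):
    # Return the awareness-list signs found in a raw RFC 822 message
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = utils.parseaddr(msg.get("From", ""))
    shown = re.search(r"@([\w.-]+)", name)  # an address written into the display name
    if shown and shown.group(1).lower() != addr.rpartition("@")[2].lower():
        findings.append("sender address domain differs from the one shown in the name")
    if any(w in (msg.get("Subject") or "").lower() for w in URGENT_WORDS):
        findings.append("urgent subject line")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        p = _LinkParser()
        p.feed(body.get_content())
        for text, href in p.links:  # visible text names one site, href goes elsewhere
            if _host(text) and _host(text) != _host(href):
                findings.append(f"link text {text!r} really points to {_host(href)}")
    return findings

# Constructed sample (hypothetical domains) that shows all three signs at once
SAMPLE = """\
From: "it.support@nhs.net" <alerts@nhs-login-example.test>
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://nhs-login-example.test/verify">https://www.nhs.net/login</a></p>
"""
```

Such heuristics only triage; a message that trips none of them can still be a phish, so the reporting steps above still apply.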

Be aware of what you share: Do not share or wear your ID pass out in public or show it on social media. Avoid discussing any sensitive information in public places and lock your screen when you’re away from your device, as unlocked screens are an open invitation.

Watch out for tailgaters: Tailgating is a physical security breach where an unauthorised person gains entry to protected areas by following a member of staff through security barriers like doors and gates. Letting unauthorised people in could lead to them taking personal data or accessing systems.

Some useful tips to stop tailgating:

  • Query the status of strangers if it is safe to do so, especially if they try to follow you into staff areas
  • Wear your building pass or ID if issued and ensure it is visible
  • Challenge anyone who doesn't display a visible ID badge, if it is safe to do so
  • Make sure you shut or lock doors and cabinets, where necessary
  • Maintain a clear desk policy when away from your workstation
  • Know who to tell if you see anything suspicious or worrying

Keep up to date with data training: Knowing how to handle data will reduce the risk of service disruption. Data breaches can lead to fines, disruption to services and reputational damage. Make sure you understand and follow the latest guidance around data sharing.

Do not be tricked into giving away information: Social engineering is when criminals use tricks or deception to manipulate people into giving them access to data or systems. Giving unauthorised or suspicious people access to information or places could risk someone swiping people’s data.

How to stop social engineering:

  • If a web browser states that you are about to enter an untrusted site, be very careful. It could be a fake phishing website that has been made to look genuine.
  • If you see a red padlock or a warning message stating your connection is not private, be careful.
  • Never give your login details to anyone. Your ICT department will never ask you to disclose your password.
  • Be cautious with sharing information about your work on social media sites, especially on your personal accounts.
  • If in doubt, seek advice from your local ICT team.

I understand how busy social care staff are, but I would encourage everyone to make sure cyber security is a top priority to help protect data and maintain public trust in our vital services.

Once you start taking small, simple steps, they will become part of your day-to-day work and will make a massive difference to protecting crucial information.


This blog was first published by Care Management Matters on Sept 1 2022


Last edited: 4 January 2023 6:57 am