Pilot maps out cyber protection package for care industry

Care providers can now access a complete off-the-shelf cyber protection package from the Cyber Centre of Excellence (CCoE) and Care England following a successful pilot programme.

The pilot took place from April 2023 until May 2024 and trialled a package of cyber security protection and support for five care providers plus Care England, the representative body for the adult social care sector.

The six organisations taking part in the pilot – two large national providers, one learning disability provider, two small providers and Care England –were given access to a range of practical support and solutions and then asked to feedback their experiences.

Kurtis Toy, Chief Executive of the CCoE, explained that the pilot aimed to understand the risks and issues specific to the care sector: “We understand that this an industry that is time poor and resource heavy. They don’t want to learn about problems, they want to be given solutions. The point of the pilot was to find the right solutions for the sector so we can put a package of cyber support together which raises the bar of security and gives them peace of mind.”

The five parts of the pilot were:

• Access to a half-day National Cyber Security Centre (NCSC) assured online Cyber Risk & Resilience Board & Executive course from CCoE partner OSP Cyber Academy for one senior management member.

• A passive scan was carried out on each company and a report was then generated on any vulnerabilities found and advice given on how to resolve them.

• Five spaces were provided for each company for six online bite-sized NCSC-assured courses from CCoE partner OSP Cyber Academy (Ransomware and Malware, Password and Access Management, Phishing and Social Engineering, Cyber Security at Home, Mobile Device Security and Data Breach).

• Support was given by a virtual Chief Information Security Officer (vCISO), including an individual vCISO session where the trial participants were given tailored advice on improving their cyber security.

• Five licenses for zero-trust cyber security solution AppGuard for each company were installed on individual endpoints and the participants were recommended to install a free application providing phone security.

“It has been good to see the willingness to engage with the trial and see that people recognise the risk and are keen to find solutions,” said Toy, “What we understand is that we need to remove as many barriers as possible because this is an industry that is already under-resourced and time poor. We are confident from running the trial that our Care Protect Package offers the right level of ready-to-go support and solutions for the care industry.”

In the closing meeting for the pilot project, one of the care providers involved in the trial said the most valuable part of the pilot was the reassurance the CCoE expertise gave them around who to trust. “We get offered a lot of cyber security solutions, but it is hard to know how much of what is recommended is good and whether it will enhance the security of the organisation, or whether it is being offered to meet sales targets,” said Manlio Mannisi, Head of IT at SeeAbility. His colleague, Mandy Kendrick, Fundraising Coordinator at SeeAbility, added: “I undertook the online training courses as part of the pilot. The short modules were designed in a way that made them easy to complete. They were simple to follow and, even if you already know a lot about cyber security, they are still excellent reminders and refreshers.”

Louis Holmes, Digital and System Transformation Projects Manager at Care England, said the care industry is becoming increasingly aware of cyber security issues but that solutions such as Care Protect were needed to minimise the time and money needing to be invested. “Providers are under so much pressure with regulation, funding, and workforce issues. Unfortunately, cyber can be pushed down the list of priorities because you can’t see it, it’s behind a computer or mobile screen. But care providers need to invest in cyber security because otherwise their organisation could come under attack and possibly never recover. We can’t lose any more care providers because the sector is significantly underserved as it is,” he explained.

He said that the vulnerability scan and vCISO session were particularly useful elements of the trial for Care England. “The vulnerability scan indicated that there was a potential vulnerability in one of our membership items. While it does not have any personal data on it, if it went down it would take time and money to fix. Having the potential issue alerted has helped us secure that. The vCISO session was also useful as it identified some things to address and how we can work with our Managed Service Provider better. The pilot gave us a lot of takeaways to take forward and is a great starting block to build up on.”

While there have not been any major devasting attacks on care providers yet, Holmes warns that it is a case of when, not if. He also noted that the sector could be seen as a weak link and a way to gain access to interlinked organisations such as local authorities and the NHS through tactics such as phishing. “That is why the training and educational piece is so important because it helps people just get a bit smarter when reflecting on what they should and should not be doing in terms of things like opening suspicious emails. The digital transformation journey the sector is on at the moment also increases the need to protect data and systems.

“I would encourage any care provider to realise that cyber-attacks are an absolute threat and need to be properly recognised. If you do get attacked you might not be able to view someone’s care records, their dietary or medicine information might not be available, for example, which could cause serious, potentially lifethreatening issues. What Care Protect can do is help support your organisation and mitigate the impacts of a cyber attack.”

The CCoE is also carrying out pilots to optimise Care Protect Packages for other sectors and industries. It has recently concluded a parish pilot, is in progress with a school pilot and is now also starting a small business pilot.

• Find out more about the Care Protect Package by contacting Care England at info@careengland.org.uk or the CCoE at enquiries@ccoe.org.uk