Supporting providers with data and cyber security

Councils and clinical commissioning groups (CCGs) could consider organising provision of specialist data and cyber security information, advice and services for adult care providers.

How to support providers with data and cyber security

Councils and clinical commissioning groups (CCGs) could consider organising (e.g. in conjunction with local care associations) the provision of specialist data and cyber security information, advice and guidance and/or services for adult care providers. This support could be presented as a ‘menu’ of support, and potentially provided on a charged for basis. It is acknowledged that local authorities and CCGs will have differing amounts of resources available to them. In offering information, advice and guidance to providers, this section is arranged in order of priority, with highest priority activities for commissioners to consider listed first:

Signposting, advice and awareness training

Signposting by commissioners helps to raise awareness of data and cyber security within the sector. The following are recommended:

Awareness of data and cyber security

Digital social care is a website dedicated to providing advice and support to social care providers on technology and data protection. It has a range of resources, and accessible information, to help those who are still getting to grips with data and cyber security including an Introduction to Cyber Security The National Cyber Security Centre (NCSC) has an accessible Cyber Security: Small Business Guide

Awareness training on data and cyber security

Training events on data and cyber security organised by the council and/or CCG and/or in conjunction with the local care association e.g. on a charged for basis. This includes training events provided by the private sector but only with the proviso that the training has been evaluated by the council/CCG as being suitable for the sector. Private companies who do not understand the sector well can provide inappropriate and/or unnecessary advice and solutions. For information about materials and online training courses see also Data and cyber security training materials: their suitability for social care staff and NCSC Stay Safe Online: Top Tips for Staff.

Guidance to manage three common risks

Guidance to manage the three most common data and cyber security risks that have been identified for careproviders (IPC, 2019)

  1. Backups (regular and recent backups to store important information and that can be restored. 
    The National Cyber Security Centre provides advice on backups and cloud backup options to mitigate against ransomware
  2. Smartphone security (safe and secure use of mobile phones in care)
    The National Cyber Security Centre provides advice on smartphone security 
  3. Passwords (preventing unauthorised access to devices which store important data) 
    Download guidance on how to choose password manager software

Cyber security and tailored advice

Commissioners could consider providing cyber security advice ‘surgeries’ for example, with the Council’s Data Protection Officer or cyber security lead in attendance.

Information Commissioner’s Office (ICO) registration

Non-registration can result in a significant fine. You should check whether your providers are registered (and alert them if they are not) by searching the register.

Providers should register here.

Your use of secure email

Providers need assurance that emails sent by your organisation are secure (by being encrypted) – however this is not always made clear. If you are not using an obviously secure system such as Egress (where a password is needed) ensure that your email footer for example includes a statement about encryption.

Ways to communicate information

Ways to communicate the information above include through:

  • your regular provider email and written communications.
  • data and cyber security training and signposting ‘packs’ for small or local services that are entering or new to the market
  • provider contract monitoring meetings
  • provider forums. Discussion helps to engage providers in the subject matter from a practical perspective and helps ‘bring it to life’. Providers with greater knowledge and experience than others can be very effective in supporting these conversations
  • encouragement of the data champion role in each provider organisation. Provide a ‘safe space’ for provider-led exchanges.
  • local care provider associations and partnerships. Evidence has shown that engagement through these types of route can be particularly effective.

To keep the subject ‘live’, communications should be conducted on a periodic and ongoing basis. Face-to-face including one-to-one support are often the most effective routes, because these facilitate discussion and reflection. During this period of remote working under COVID-19 and for large and rural areas, video conferencing and webinars can be useful alternatives.

Contract and contract monitoring requirements

Data and cyber security good practice should be required through provider contracts containing clauses which specify evidence for safe and secure handling of information. Councils and CCGs should check the data and cyber security contractual or tendering requirements (that they ask of service providers) with other parts of the council (e.g. children’s services) and neighbouring/regional councils and CCGs, with the aim of achieving a consistent approach.

There are broadly three options here and key characteristics of each approach are set out for comparison in Appendix 1: Contract and contract monitoring requirements – options for specifying evidence.

Of the different approaches, the Data Security and Protection Toolkit (DSPT) is recognised as the most practical option. DSPT is more tailored, and relevant, to social care, is already mandatory for some contracts, and it is free, and whilst not currently audited, does cover some of the same cyber aspects as Cyber Essentials at the ‘standards met’ level. In addition, DSPT is increasingly being used by providers as evidence for CQC.

It is therefore recommended that commissioners consider building into contracts with providers the requirement to complete the DSPT.

Support to complete the Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit (DSPT) is a self-assessment tool on the safe and secure handling of information for health and social care providers. Information about the Toolkit is provided by Digital Social Care.

The DSPT is already mandatory for contracts with the NHS, and prior to COVID-19 had been a precursor for providers to access NHSMail, which is a secure email system. It is also increasingly being used as evidence in CQC inspections. Elsewhere in this document the Toolkit is recommended as a standard approach within contracts, and as part of encouraging providers to comply, councils should consider supporting providers to complete the toolkit to standards met level, which includes both data and cyber security.

Support for providers to complete the Toolkit can be achieved through a number of different ways; suggestions for these include:

  • Assign the role of local Toolkit champion. One or more members of staff are given responsibility for understanding Toolkit requirements and how to use it online (including how to access NHSMail); the Toolkit champion then raises awareness of the Toolkit and provides training or other support.
  • Support providers jointly with health. Several CCGs and NHS England are already working with care homes to support them with the Toolkit and it is worth finding out about this via your NHS England regional lead.
  • Provide training and other support perhaps as part of an existing council or CCG training offer. There are resources available (see section on Signposting above) to support training offers, including with Toolkit registration. Training can be delivered in a group environment or as one-to-one support.

Nottinghamshire County Council, as part of the national programme to ensure safe use of technology in care services, is supporting care homes, domiciliary care and supported living providers within the county. Starting with raising awareness of data and cyber security, including business continuity planning, providers were then supported to complete the DSPT to Standards Met level, through a series of calls and on-site visits.

Wiltshire CCG provided one-to-one support for nursing homes across Bath and North East Somerset, Swindon and Wiltshire to complete the DSPT to meet the standards required for NHSMail prior to COVID-19. Support offered included one-to-one consultations, advice and access to resources and guidance. Following an initial on-site visit, ongoing support via email/phone was provided.

Tips for effective DSPT training and support are included in the Adult Social Care Data and Cyber Security Programme 2019/20 Report published by the Institute of Public Care.

Critical friend support

Commissioners could consider offering critical friend support including on-site visits to chat through individual provider arrangements, in order to raise awareness of any risks and to develop an action plan and provide signposting. This can be done through:

Conversations with providers should be led by a member of staff who is sufficiently familiar with the subject area and knowledgeable about sources of further help and support, e.g. the ‘Toolkit champion’ mentioned above. 

Crucially, this type of supportive intervention, conducted outside of any contract monitoring arrangements, can help providers to think ‘in depth’ about their arrangements for data and cyber security with encouragement to make improvements, without the worry of being judged or penalised in some way. 

Business continuity plans and disaster recovery testing

Most providers will have a business continuity plan in place. Traditionally this type of document will cover areas such as fire or bad weather; but it may not cover access to the critical data needed to continue to provide people’s care, should the means to access that data be lost (e.g. through power cut, internet failure, or computer breakdown or other IT problems). Without such a plan in place there is the risk of personal data becoming unavailable or lost. 

Councils can support providers to have effective business continuity plans for data and cyber security through:

  • Raising awareness of the importance of including data access in business continuity plans
  • Sharing and promoting use of a business continuity plan (data) template. An example business continuity plan template is available from Digital Social Care

Once plans are in place these need to be tested – otherwise it will not be clear whether the plans would work in practice i.e. when they are really needed. This could result in data needed for providing care not being available in an emergency situation. Commissioners could support providers to test their plans through:

  • Raising awareness about the importance of providers testing their plans
  • Running simulated ‘tests’ with providers including of:
    • Cyber attacks such as ransomware
    • Internet failure
    • Power failure

Results from any tests conducted as above or using the National Cyber Security Centre Exercise in a Box should be discussed with the provider and any improvements should be included in an action plan drawn up by the provider and followed up by the council.

Support to obtain IT services

Small and medium providers are less likely to have internal IT departments and therefore need to commission this type of service externally. Knowing what to look for in an IT support company can be a daunting prospect for providers who may have little knowledge of the subject area. However, securing an effective IT service is important for providers to keep data safe, by minimising risk of threats and consequential service disruption, and for keeping costs down – reputable IT providers should provide proportionate solutions and not overcharge for their services.

Ways in which commissioners could consider helping providers to find suitable IT services include:

  • providing advice as to what to look for in an IT support company
  • offering a service to evaluate an IT company on behalf of a provider (this could be a charged for service) utilising the above advice
  • facilitating word of mouth recommendations, as part of signposting as above.

A note on links to other sites

Where the LGA does not maintain a site provided as a link it assumes no responsibility for its contents nor does any link constitute an endorsement of any other site, its sponsor or its contents. The LGA cannot guarantee links will permanently work and has no control over the availability of linked pages.