
How to increase cyber security in your care home to reduce the risk of PII data breaches

When GDPR came into effect in 2018, it set stricter conditions on the collection, processing and storage of health data than apply to most other personal data: health information is 'special category' data, so care home residents' records attract extra protection because of how sensitive they are.

Despite these changes, many businesses in the health and social care field operate on modest cyber security budgets and rely on IT systems that may be outdated. Because funds are usually directed towards operational necessities rather than improving cyber security, many care homes are attractive targets for cyber criminals.

Why would cyber criminals want to target care homes?

Care providers hold a vast amount of very sensitive personal data. Most of it is 'personally identifiable information' (PII), and some of that PII can never be changed once it has leaked: National Insurance numbers, passport numbers, driving licence numbers, place of birth or ethnicity. This type of data is very valuable to cyber criminals because it can be used for identity theft and fraud, and a victim cannot simply reset it the way they would a password.

If a cyber criminal breaches your systems, the consequences go beyond the financial loss, business interruption and reputational damage seen in other sectors: if care records, medication charts or contact details are altered or made unavailable, the health and safety of the people living in your care home is put at risk.

What can you do to increase cyber security in your care home?

At all times, appropriate measures should be in place to ensure that PII is handled securely.

Take a moment to review the following and ask yourself: am I helping to protect service users' and staff data?

  • Passwords – Protect the systems holding resident and staff information with strong, unique passwords so that data cannot be accessed freely. A password reused across several services is only as safe as the weakest of them.
  • Two-step verification – Where possible, enable two-step verification or multi-factor authentication on every account and device that supports it. This adds an extra layer of protection if a password is guessed or stolen.
  • Control access – If a member of staff does not need a particular set of data to do their job, they should not be able to access it. Review access privileges regularly, and remove access promptly when someone leaves or changes role, so that only authorised individuals can view sensitive information.
  • Encryption – Encrypted data can only be read by someone holding the key, so it stays protected even if a device or file falls into the wrong hands. If you handle sensitive data, check whether your software supports encryption of stored data; this is particularly valuable for PII held on laptops and removable media that could be lost or stolen.
  • Update devices – Keep all operating systems and applications up to date, because updates usually include fixes for security flaws that attackers already know how to exploit.
  • Train staff on being cyber secure – Make cyber security training a mandatory part of onboarding and of the year-round training schedule. All staff should be trained to follow best practice and to understand the risks of not following the rules.
  • Secure offline backups – Keep backup copies offline, where ransomware that reaches your network cannot encrypt them, and make sure any offline copies, including paper records, are stored securely.
  • Create an Incident Response Plan – If you do find yourself breached, a written plan of action (who to call, which systems to isolate, how to restore from backup, and how to notify the ICO within the 72 hours UK GDPR allows) will help you deal with the situation as promptly as possible.
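The access review recommended above is easiest to do routinely when it is scripted. The following is an added example, not code from the original page or from Towergate Insurance; it assumes a hypothetical care-management system that can export its user list as CSV (columns user, role, last_login) and an HR roster exported as CSV (columns user, job_title, status), and the role-to-job-title mapping and both CSV inputs are constructed sample data for illustration. It flags four conditions a reviewer should act on: accounts with no HR record, accounts belonging to leavers, roles a job title does not need, and roles that have gone unused for longer than a chosen period.

```python
"""Periodic access review: compare an application's user/role list with the HR roster.

Added example. The CSV exports, the job titles and the ALLOWED_ROLES mapping below
are constructed assumptions for illustration, not a real product's format.
"""
import csv
import io
from datetime import date, datetime

# Assumed mapping of job title -> application roles that title legitimately needs.
ALLOWED_ROLES = {
    "care_assistant": {"care_notes_read", "care_notes_write"},
    "nurse": {"care_notes_read", "care_notes_write", "medication_admin"},
    "manager": {"care_notes_read", "resident_pii_read", "user_admin"},
    "kitchen": set(),
}

# Constructed HR roster export (status is "active" or "left").
HR_ROSTER_CSV = """user,job_title,status
asmith,nurse,active
bjones,care_assistant,active
cpatel,manager,active
dlee,kitchen,active
emiller,nurse,left
"""

# Constructed application user export: one row per (user, role) assignment.
APP_USERS_CSV = """user,role,last_login
asmith,care_notes_read,2024-05-01
asmith,medication_admin,2024-05-01
bjones,care_notes_write,2024-04-28
bjones,resident_pii_read,2024-01-10
cpatel,user_admin,2024-04-30
dlee,care_notes_read,2023-06-15
emiller,medication_admin,2024-02-20
ghost,care_notes_read,2024-03-01
"""

# Date the review is run (fixed so the sample output is reproducible).
REVIEW_DATE = date(2024, 5, 2)


def review_access(hr_csv, app_csv, today, stale_days=90):
    """Return a list of (user, role, reason) findings for a reviewer to action."""
    roster = {row["user"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        user, role = row["user"], row["role"]
        person = roster.get(user)
        if person is None:
            # An account nobody in HR owns: orphaned, shared, or planted.
            findings.append((user, role, "no matching HR record"))
            continue
        if person["status"] != "active":
            # Leavers must lose all access; no need to check anything else.
            findings.append((user, role, "account belongs to a leaver"))
            continue
        if role not in ALLOWED_ROLES.get(person["job_title"], set()):
            # Least privilege: the role exceeds what the job title needs.
            findings.append((user, role, f"role not needed for {person['job_title']}"))
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        idle = (today - last_login).days
        if idle > stale_days:
            # Unused access is pure risk; remove it and re-grant on request.
            findings.append((user, role, f"unused for {idle} days"))
    return findings


def sample_findings():
    """Run the review over the constructed sample exports."""
    return review_access(HR_ROSTER_CSV, APP_USERS_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for user, role, reason in sample_findings():
        print(f"{user:<10} {role:<20} {reason}")
```

Run it against real exports by replacing the two constructed CSV strings with the contents of the files your systems produce. Each finding should result in a documented decision (remove the role, or record why it is still justified), and the script is worth running at least as often as the review cadence your policy sets.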

Cyber insurance with Towergate Insurance

To find out how Towergate Insurance could assist you, please call Richard Barnes on 07768 314 298 or email

You can also visit to find out more.
