Skip to content
360 Cyber Compliance

Cyber Essentials · 1 July 2026

Cyber Essentials for care providers: a practical guide

Care providers handle some of the most sensitive personal data there is — health records, medication details, care plans and family contacts. That makes cyber security a genuine safeguarding issue, not just an IT one. Cyber Essentials gives care homes and care providers a clear, recognised way to protect that data against the most common attacks. This guide explains why it matters in a care setting and how to approach it.

Why Cyber Essentials matters in care

Cyber Essentials is a UK government-backed scheme, delivered by IASME for the NCSC, built around five practical controls. For care providers there are several reasons it is worth pursuing:

  • Protecting people. A ransomware attack or data breach can put care records out of reach and expose residents’ personal information.
  • Meeting expectations. The CQC considers data security under the well-led domain, and commissioners increasingly ask providers to demonstrate good cyber hygiene.
  • Supporting your NHS data work. Cyber Essentials aligns closely with the technical side of the NHS Data Security and Protection Toolkit (DSPT), so effort spent on one supports the other.
  • Included cyber insurance. Eligible UK organisations that certify with the whole organisation in scope, and under the relevant turnover threshold, receive included cyber insurance.

How it fits with the DSPT and CQC

Many care providers already complete the DSPT to keep NHS data flows switched on. Cyber Essentials and the DSPT are separate schemes, but they reinforce each other: firewalls, secure configuration, access control, malware protection and updates all support DSPT assertions and evidence good practice for a CQC inspection. Achieving Cyber Essentials gives you an independent, dated marker that your technical controls are in place — something you can point to for families, commissioners and inspectors alike. Because the certification is valid for 12 months, it also gives you a natural annual rhythm for reviewing your security alongside your other compliance renewals.

The five controls in a care setting

The five controls apply just as they do in any organisation, but a few points come up often in care.

ControlWhat to watch in care settings
FirewallsHome-worker and community-staff devices; care-home Wi-Fi separated from resident networks
Secure configurationShared office PCs and tablets set up to a consistent, hardened build
User access controlIndividual logins for staff; prompt removal when people leave, given higher turnover
Malware protectionConsistent cover on all work devices, including mobiles used on visits
Security update managementRostering, care-planning and medication apps kept supported and updated

Shared and mobile devices

Care teams often share devices at a nurses’ station or use tablets on domiciliary visits. Each person should still have their own login, devices should auto-lock, and every device needs malware protection and prompt updates. Our guides to secure configuration and patch management cover how to keep these consistent.

Cloud care systems and MFA

Electronic care-planning, rostering and medication systems are usually cloud services, so Cyber Essentials requires multi-factor authentication on them. Turning MFA on for all users and administrators is one of the most valuable steps a care provider can take — see our MFA requirements guide.

Staff changes

Care can involve higher staff turnover and bank or agency workers. User access control expects accounts to be removed promptly when people leave and administrator rights kept to those who need them, so a reliable joiner-and-leaver process matters here more than most.

Avoiding common pitfalls

Care providers tend to trip on the same points as everyone else: incomplete scope that misses mobile or home-worker devices, unsupported software, missing MFA, and default passwords on routers. Our guide to the common reasons Cyber Essentials applications fail walks through each one, and the glossary explains any unfamiliar terms.

Getting started in a busy care service

Care teams rarely have a dedicated IT or information-governance lead, so the practical challenge is often finding the time rather than the technology. A manageable order of work usually looks like this:

  1. Define your scope. List the devices, users and cloud services that handle care data, including staff mobiles and home-worker laptops.
  2. Deal with the quick wins. Turn on MFA for cloud care systems, change any default passwords, and confirm automatic updates are enabled.
  3. Tidy up accounts. Give each staff member their own login, review who holds administrator rights, and check leavers have been removed.
  4. Check your software. Make sure operating systems and care applications are still supported and up to date.
  5. Complete the self-assessment so it reflects what you genuinely have in place.

Taken step by step, none of this requires deep technical knowledge — and much of it strengthens your DSPT position at the same time.

Going further

Once you hold Cyber Essentials, Cyber Essentials Plus adds an independent technical audit — vulnerability scans and device sampling — usually taken within three months of your base certification, which can offer commissioners extra assurance. Providers building a broader information-security programme may also consider IASME Cyber Assurance or ISO 27001.

How we can help

We support care providers through Cyber Essentials with a clear, transparent delivery process, in plain English and mindful of how care organisations actually work — shared devices, mobile staff and busy teams. We help you define a sensible scope, work through the five controls, and prepare a self-assessment that reflects what you genuinely have in place. If you would like practical support, see our Cyber Essentials service or get in touch.

Need help in practice? See our Cyber Essentials service.

Need a hand with this?

Book a free, no-obligation readiness check.