Your System Provider Isn’t Your Shield: Why Cyber Risk Still Falls on You
🧠 Blog 1 of 7 in our Cyber Resilience series for social care providers
💡 Think your digital care system keeps you safe from cyber threats? Think again. Whether you use Birdie, CarePlanner, Nourish, or another platform, you are still responsible for protecting people’s data — and ensuring services continue during an outage or attack.
To strengthen your tender narrative, explore our resources on cyber security and resilience and how secure digital care planning underpins safe, continuity-ready delivery.
💥 When the System Goes Down, Who’s Accountable?
Commissioners, regulators, and safeguarding teams do not accept “it was our system provider’s fault” as an adequate explanation. Under UK data protection law and CQC regulations, the registered provider remains accountable for governance, data security, and safe delivery — regardless of who hosts the platform.
If your digital care planning system becomes unavailable due to ransomware, server failure, supplier insolvency, or a national outage, the expectation is clear: you must continue delivering safe care.
Cyber risk is no longer just an IT problem. It is a business continuity issue, a safeguarding issue, a governance issue, and a reputational risk.
🚨 Why Social Care Is a Growing Target
Small and mid-size care providers are increasingly targeted because:
- They often lack in-house cyber specialists
- They store large volumes of sensitive personal and health data
- They rely heavily on digital systems for rotas, MAR charts, risk assessments, and care notes
- They cannot easily pause operations during disruption
Threat actors understand that care providers are under pressure. Ransomware attacks exploit urgency, knowing providers may feel forced to pay quickly to restore access.
The consequences can include:
- Care delivery disruption if access to medication records or risk plans is lost
- Regulatory breaches under Regulation 17 (Good Governance) and Regulation 12 (Safe Care and Treatment)
- ICO reporting requirements and potential fines
- Loss of commissioner confidence in competitive frameworks
- Reputational damage with families and staff
🛡️ You Cannot Outsource Responsibility
Using a reputable care software platform is good practice — but it is not a shield. You must demonstrate:
- Due diligence on suppliers (security certifications, penetration testing, data hosting arrangements)
- Clear contractual data processing agreements
- Your own internal risk assessments
- Documented business continuity and disaster recovery plans
Even where systems are cloud-hosted, you remain the Data Controller; the platform supplier processes data on your behalf and does not take on your accountability. Commissioners expect assurance that you understand this distinction.
📋 What a Robust Cyber Resilience Plan Includes
Cyber resilience is not a single policy document. It is a structured, layered approach that includes:
- Regular data backups, kept segregated from the live system and proven by actual restore tests
- Multi-factor authentication on all critical systems
- Staff cyber awareness training covering phishing and password hygiene
- Incident response procedures with clear escalation routes
- Offline or paper-based contingency packs for immediate activation
- System restoration protocols with defined recovery time objectives
Plans should not sit in a folder unread. They must be tested, rehearsed, and reviewed.
🧾 Business Continuity: The Overlooked Link
Many providers treat cyber security and business continuity as separate topics. In reality, they are intertwined.
If your system fails, can you:
- Access medication information safely?
- Verify risk assessments and safeguarding alerts?
- Contact staff and redeploy rotas?
- Communicate clearly with families and commissioners?
Commissioners want to see that you have thought through these scenarios — and documented the response.
🗂️ Where to Evidence Cyber Resilience in Tenders
Cyber resilience should appear in multiple sections of a bid, including:
- Business Continuity and Emergency Planning
- Information Governance and Data Protection
- Digital Maturity or Technology Questions
- Quality Assurance and Governance
- Safeguarding and Risk Management
When answering, go beyond listing your software provider. Demonstrate:
- The specific systems you use (e.g. Birdie, CarePlanner, Nourish)
- Your internal controls and oversight mechanisms
- How often contingency plans are tested
- Staff training frequency and compliance rates
- Board-level review of cyber risk
Commissioners want your assurance, not a supplier’s marketing statement.
🔐 Governance and Leadership Responsibility
Cyber resilience must be owned at leadership level. Registered Managers and Directors should:
- Review cyber risks at governance meetings
- Monitor incident logs and learning outcomes
- Ensure adequate insurance cover
- Maintain a clear audit trail of improvements
This demonstrates maturity and aligns with regulatory expectations around oversight and accountability.
💬 Final Reflection
Digital care systems are powerful tools. They improve documentation, communication, and oversight. But they also introduce risk.
The question commissioners will quietly ask is simple: If your system fails tomorrow, can you still deliver safe care?
Your answer must be operational, tested, and credible.
📚 Explore the Full Cyber Resilience Blog Series:
- 🛡️ 1. Your System Provider Isn’t Your Shield: Why Cyber Risk Still Falls on You
- ⚠️ 2. What Happens If You Ignore the Cyber Risk in Social Care?
- 🧱 3. How to Build Cyber Resilience into Your Service
- 🗣️ 4. What to Say in Tenders About IT & Systems Resilience
- 🚀 5. Cyber Resilience: Staying One Step Ahead in Social Care
- 💡 6. Digital Resilience in Social Care: Why You Can’t Afford System Failures
- 🔐 7. Cybersecurity in Social Care: Why It’s a Business Continuity Issue