Managing a cyber incident impacting adult social care services
Use this module if your cyber incident involves activity such as provision of care services, safeguarding, managing risks to sensitive data, and engagement with care providers and other relevant external partners.
Adult social care relies heavily on digital systems to manage care, share information securely between multiple agency systems, and make day-to-day decisions for people with care and support needs. These systems hold highly sensitive personal data and are critical to safe service delivery.
A serious cyber incident can immediately disrupt adult social care services and lead to IT services being shut down, potentially for an extended period of time. During this time, there would likely be no access to IT services, including email, case management systems, or shared databases. Potential impacts include:
no access to care plans, risk assessments or safeguarding records
delays to assessments, reviews, referrals and safeguarding enquiries
disruption to commissioning, provider payments and direct payments
reduced ability to monitor high-risk individuals
risk of exposure or compromise of sensitive personal data
reduced ability to communicate, share information and work effectively across in-house services and with external partners such as the NHS and commissioned adult social care services
risk of second-order clinical impacts in the wider adult social care system arising from disruption to council systems and dependent services such as hospital discharge.
Your key strategic actions
These are the critical actions to keep in focus throughout your response and recovery work. (Note: these are a strategic guide, not an exhaustive list of every action you should take.)
Do not assume a rapid return to normal; prepare for digital systems to be offline for weeks or potentially months.
Establish and implement a command-and-control structure with clearly defined roles and designated leads, supported by a 24/7 rota, to ensure rapid decision-making and continuous communication, with arrangements in place to deploy back-up staff if needed.
Set clear business continuity priorities, so staff and providers know where to focus efforts, particularly regarding the most at-risk and live cases for vulnerable adults.
Identify secure, alternative ways to reach staff (for example, if email or MS Teams are down) and establish a single point of contact for external partners like the NHS and police.
Act on the assumption that sensitive health and safeguarding data has been stolen, and involve your DPO and Caldicott Lead immediately to assess risk.
Maintain critical access by ensuring physical or telephone routes remain open for urgent safeguarding issues if digital referral systems (like the Emergency Duty Team) are compromised.
Identify if payment systems for personal allowances or providers are impacted and set up emergency manual methods to ensure they are paid.
Establish consistent arrangements for recording case activity while systems are down to ensure data quality when it is eventually migrated back.
Provide frequent, transparent updates to the public, partners, and residents to reduce panic and support staff wellbeing.
Learning from previous incidents
Other councils who have experienced serious cyber incidents have found that:
Setting clear priorities for adult social care business continuity helps officers and providers focus effort during disruption.
Close coordination with children’s services and other services that share systems or data is essential to manage interdependencies.
Partnership working is often disrupted, particularly where normal data sharing, referrals or secure communications with health and other partners are affected.
Commissioned providers can be significantly impacted, especially where they rely on council systems and processes (e.g. payments or safeguarding workflows).
Maintaining clear senior leadership oversight helps manage risks to safeguarding, service delivery and data security.
Tailoring communications to different audiences, and being transparent about impacts, helps maintain trust and avoid damaging relationships with partners.
Guidance across the different time stages
Establish a command-and-control structure as soon as possible, in line with your business continuity plan. Ensure within the structure that there are clearly defined roles and responsibilities, and teams are on a 24/7 rota, so that any decisions can be made quickly at any given time.
Specifically consider how you will communicate with staff and frontline social workers if usual lines of communication (email, MS Teams) are shut down. See the ‘Informing and Supporting’ section of the grab bag for further guidance.
Identify key external partners (e.g. NHS, providers, police), nominate a single point of contact within the council, and initiate direct outreach to establish coordination and information-sharing.
Begin to understand and determine the scale and scope of what is impacted. What systems are impacted or shut down? What services will be impacted? This will inform which key partners, providers and organisations you will need to communicate with.
Assess the risk of lateral movement of the cyber incident, for example, between the council and external partners through shared IT systems or databases. Identify and mitigate these risks while proactively and transparently communicating with partners to prevent the incident from spreading or escalating.
Remain mindful that the perpetrators may remain digitally present to take advantage of any information made available through comms. Therefore ensure that your comms, leadership and technical teams are working together on determining the right messages to distribute.
Assume data has been accessed and potentially stolen. Start to assess the risks and how you plan to respond without delay. This could include sensitive health and safeguarding data, and you should prepare mitigations against these data breaches, stepping them down only if they are no longer needed.
Activate your business continuity plans, identifying the council’s most at risk and live cases for vulnerable adults (i.e. highest priority cases). Workarounds may need to be created at pace if you cannot access your case management system.
Establish recording arrangements for all case activity to a consistent standard whilst systems are down or impacted.
Consider how you can make sure critical referral routes into the Emergency Duty Team (CDT) and Central Access Service (CAS) remain open and accessible. If these are shut down, ensure there is a physical or telephone route for adults in crisis or urgent safeguarding issues to still come in.
Continue to assess whether data has been exfiltrated and/or encrypted. Reach out to your DPO and Caldicott Lead as soon as possible with this assessment and for their advice. If there is a suspected data breach, follow the guidance in the ‘Protecting Data’ section of the grab bag, report to the ICO and inform your local police force.
If you share social care systems with other councils, identify who is the data controller. This is essential for legal reporting and understanding the liability if there has been a data breach.
Understand if your payment systems are impacted. If so, you will need to understand firstly where your different contract(s) are in the payment cycle, and secondly if personal allowance payments to vulnerable adults are impacted. If they are impacted and payments are set to roll, emergency workarounds will need to be set up to ensure these are made.
Work closely with your council’s comms team to provide transparent and reassuring updates both to the public and to partners.
Identify the most at-risk cases from the data breach, for example, domestic violence or abuse cases or those at risk from criminal gangs. Consider what safeguarding measures need to be put in place to protect these individuals.
Create a Red-Amber-Green (RAG) rating for providers based on who is most at risk if a payment is delayed. Make emergency payments to the most at-risk providers and residents through workarounds or manual methods.
If your case management system is offline, you may be unable to access users’ financial records and unable to calculate charges. Create a workaround to estimate the loss of income from not being able to do this.
Provide reassurance and frequently communicate with providers and residents to reduce their feeling of panic.
Actively work to support staff wellbeing.
Working with your teams and IT, focus on a phased approach to bringing systems back online. Think about what can only be done digitally, versus what can be done manually for longer, and work to establish a sustainable, consistent rhythm. It may initially help to distinguish between minimum viable recovery and full recovery.
Expect a potentially long process, possibly lasting beyond the incident, to identify compromised data and notify those affected.
When migrating manually recorded data back into systems, ensure it is uploaded accurately and consistently (using agreed formats and checks) to preserve data quality.
Key contacts
Up to date and accessible contact details for staff, providers and partners.
Up to date and accessible contact details for vulnerable families.
Up to date and accessible contact details for community / voluntary groups.