Who Gets In? Why Identity and Access Management Is the Cybersecurity Problem Care Homes Can No Longer Ignore


There is a door in almost every care home in England that is, metaphorically speaking, wide open. It is not the front entrance; those are increasingly well-managed, with keypad codes and visitor logs. The open door is digital: the shared login, the never-changed password, the former employee whose system access was never revoked. Staff identity and access management is the unglamorous, under-discussed backbone of care sector cybersecurity, and for most providers it remains dangerously underdeveloped.

The Shared Password Problem

Ask any care home manager how staff log into their digital care records system and the answer is often the same: a shared username and a password that has been the same since the system was installed. It is not laziness. It is pragmatism born of pressure: when a carer has thirty seconds between tasks, the last thing they need is a forgotten password standing between them and a medication record. But the consequence is that when something goes wrong (a data breach, an unauthorised record access, a safeguarding incident) there is no audit trail. There is no way of knowing who did what, or when.

This is not a hypothetical risk. The Information Commissioner’s Office has repeatedly cited care providers for data breaches linked to inadequate access controls. The NHS has spent years learning this lesson the hard way. Social care is now being asked to catch up — fast.

What Good Looks Like, and Why It Feels Out of Reach

Proper staff identity and access management means, at minimum, individual named accounts for every user, role-based permissions that limit access to only what each person needs, and a clear offboarding process that removes access the moment someone leaves. In more mature organisations, it means single sign-on (SSO) across multiple platforms, multi-factor authentication (MFA) for remote access, and regular access reviews that flag dormant accounts.

None of this is technically complex. The tools exist, many of them are affordable, and several digital care record providers now support SSO and individual user accounts as standard. The barrier is not technology; it is culture, time, and the persistent belief that cybersecurity is something that happens to NHS trusts, not to a 40-bed residential home in Shropshire.

That belief is wrong, and the evidence is mounting. Ransomware attacks on care providers have increased sharply since 2022. Phishing campaigns targeting care staff are now routine. And the attack surface has expanded dramatically as providers have adopted more digital tools: each new platform is another potential entry point if access is not properly managed.

The Regulatory Pressure Is Building

The Data Security and Protection Toolkit (DSPT), the NHS-aligned framework that care providers are increasingly expected to complete, includes specific requirements around user authentication, access control, and leavers processes. For providers seeking to integrate with NHS systems, including Shared Care Records and GP Connect, DSPT compliance is not optional. It is the price of entry.

CQC’s evolving quality framework also places growing weight on data governance and information security as components of well-led services. Inspectors are beginning to ask questions that would have seemed niche five years ago: How do you manage staff access to digital systems? What happens when someone leaves? Who has administrator rights, and why?

Providers who cannot answer these questions confidently are not just failing a compliance test. They are carrying a genuine operational risk: one that could result in a data breach, a safeguarding failure, or a reputational crisis that no amount of good care can easily recover from.

The Practical Starting Point

For most small and medium providers, the journey to robust identity management does not require a large IT budget. It requires three things: a decision to take it seriously, a conversation with existing software suppliers about what access controls are already available, and a simple process for managing joiners, movers, and leavers.

  • Audit every system your organisation uses and list who has access to what
  • Eliminate shared logins. Most modern care platforms support individual accounts at no extra cost
  • Implement a leavers checklist that includes digital access revocation on the day of departure
  • Enable MFA for any system accessible outside the building
  • Assign a named person, even in a small organisation, who owns the access management process
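The audit, leavers and MFA steps above, as an added worked example that is not part of the original article: a small Python access review that cross-checks a constructed account register against a constructed HR leaver list and system inventory, and lists what the named owner should raise at the review. All account names, dates and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
"""Access review over a constructed joiners/movers/leavers register.
Added example, not code from the article; field names, sample rows and
thresholds are assumptions chosen to illustrate the audit steps above."""
from datetime import date

# Constructed sample register: one row per account per system.
ACCOUNTS = [
    {"system": "care_records", "user": "carehome", "role": "admin",
     "last_login": date(2024, 5, 1), "named": False},   # shared login
    {"system": "care_records", "user": "a.khan", "role": "carer",
     "last_login": date(2024, 5, 2), "named": True},
    {"system": "rota", "user": "j.smith", "role": "manager",
     "last_login": date(2024, 1, 3), "named": True},    # left in February
    {"system": "email", "user": "p.jones", "role": "user",
     "last_login": date(2024, 1, 20), "named": True},   # not seen for months
]
LEAVERS = {"j.smith": date(2024, 2, 14)}   # constructed HR leaver list
SYSTEMS = {                                # constructed system inventory
    "care_records": {"external": True, "mfa": True},
    "rota": {"external": True, "mfa": False},
    "email": {"external": True, "mfa": True},
}
DORMANT_DAYS = 90                # assumed review threshold
TODAY = date(2024, 5, 10)        # constructed review date

def review_access(accounts, leavers, systems, today, dormant_days=DORMANT_DAYS):
    """Return (finding, system, user) tuples for the access review meeting."""
    findings = []
    for acct in accounts:
        sys_name, user = acct["system"], acct["user"]
        if not acct["named"]:                       # no audit trail possible
            findings.append(("shared_login", sys_name, user))
        if user in leavers and leavers[user] <= today:
            findings.append(("leaver_still_active", sys_name, user))
        elif (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant_account", sys_name, user))
        if acct["role"] == "admin":                 # every admin needs a reason
            findings.append(("admin_rights_to_justify", sys_name, user))
    for name, props in systems.items():
        if props["external"] and not props["mfa"]:  # reachable from outside
            findings.append(("external_without_mfa", name, "-"))
    return findings

def run_review():
    return review_access(ACCOUNTS, LEAVERS, SYSTEMS, TODAY)

if __name__ == "__main__":
    for finding in run_review():
        print("%-24s %-13s %s" % finding)
```

Feeding the script a real export from each system, plus the HR leaver list, turns the bullet points above into a repeatable monthly check.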

None of this is glamorous. It will not feature in a CQC Outstanding report as a headline innovation. But it is the kind of foundational work that separates providers who are genuinely digitally mature from those who have simply bought the software without building the governance around it.

The Deeper Question

There is a harder conversation underneath all of this. The care sector has spent years arguing, rightly, that it is underfunded, understaffed, and under-supported in its digital journey. That argument remains valid. But it cannot be used indefinitely as a reason to defer the basics of information security. Residents’ data is sensitive. Their care records contain information about their health, their finances, their family relationships, their mental capacity. The people who hold that data have a duty (legal, ethical, and professional) to protect it properly.

Identity and access management is not a luxury for well-resourced providers. It is the minimum standard of care for the data that underpins everything else. The door needs closing.