14 February 2026 · 8 min read · Arviteni
A plain-language guide to Cyber Essentials certification for care homes, covering the five controls, common pitfalls, and why commissioners and insurers increasingly expect it.
Care homes handle some of the most sensitive personal data in any sector: medical records, care plans, medication records, safeguarding reports, mental capacity assessments, and financial information. A breach does not just create a regulatory problem. It has real safeguarding implications for the people in your care.
Cyber Essentials is a UK Government-backed certification scheme designed to protect organisations against the most common cyber attacks. It is not complex, it is not expensive, and it is increasingly expected by commissioners, insurers, and NHS partners. Here is what care home managers need to know.
Cyber Essentials is a cybersecurity certification scheme designed by the National Cyber Security Centre (NCSC), part of GCHQ. It is administered by IASME, the accreditation body that manages the certification process and the assessor network.
The scheme focuses on five technical controls that, when properly implemented, protect against around 80% of common cyber attacks. It has been running since 2014 and is already mandatory for UK Government contracts that involve handling sensitive or personal data.
There are two levels: Cyber Essentials, a verified self-assessment, and Cyber Essentials Plus, which adds hands-on testing by an assessor.
For most care homes, the basic Cyber Essentials certification is what commissioners and insurers ask for. Cyber Essentials Plus provides a higher level of assurance and is worth considering if your organisation wants to demonstrate a stronger security commitment.
Cyber Essentials is built around five areas: firewalls, secure configuration, user access control, malware protection, and security update management. None of them are exotic or expensive to implement. They represent the fundamentals of good cybersecurity.
Every device that connects to the internet must be protected by a properly configured firewall. This includes the hardware firewall at your network boundary (typically your router) and software firewalls on individual devices. Default admin passwords on network equipment must be changed, and the firewall should block unauthenticated inbound connections by default.
Computers and network devices must be configured to reduce vulnerabilities. This means removing or disabling unnecessary software and services, changing default passwords, and ensuring that only necessary applications are installed. The goal is to reduce the attack surface, that is, the number of ways an attacker could get in.
Every user must have their own account. No shared logins. Admin privileges should only be granted to those who genuinely need them, and standard user accounts should be used for everyday work. Passwords must meet minimum length requirements, and multi-factor authentication (MFA) is now required for cloud services and admin accounts.
Anti-malware software must be installed and kept up to date on all devices. For most care organisations, this means antivirus or endpoint detection and response (EDR) software running on every computer and tablet. The software must be configured to scan automatically and update its definitions regularly.
All software must be kept up to date. Security patches rated critical or high must be applied within 14 days of release. Any software that has reached end of life and no longer receives security updates must be removed or replaced. This covers operating systems, applications, firmware, and browser plugins.
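The 14-day rule and the end-of-life rule are easy to state but easy to lose track of across a dozen devices with no dedicated IT staff. The following is an added example, not code from the original article: a readiness check that runs over a constructed device inventory (device names, dates and the inventory layout are assumptions made for this example) and reports which devices breach the 14-day window for critical or high severity patches and which run software that is past end of life. The assessment date is the date of this article.

```python
"""
Added example, not code from the original article: a readiness check for the
security update management control. The inventory below is constructed; the
only real date in it is the Windows 10 end-of-support date (14 October 2025).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials: critical/high patches must be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = ("critical", "high")


@dataclass
class Device:
    name: str
    software: str
    patch_severity: str            # vendor rating of the newest outstanding patch
    patch_released: date           # date the vendor published that patch
    patch_applied: Optional[date]  # None means it has not been applied yet
    support_ends: Optional[date]   # vendor end-of-life date; None means still supported


def patch_overdue(device: Device, today: date) -> bool:
    """True when a critical/high patch was, or still is, applied later than 14 days after release."""
    if device.patch_severity not in IN_SCOPE_SEVERITIES:
        return False  # the 14-day rule only covers critical and high severity patches
    deadline = device.patch_released + PATCH_WINDOW
    if device.patch_applied is None:
        return today > deadline  # not applied, and the window has already closed
    return device.patch_applied > deadline


def unsupported(device: Device, today: date) -> bool:
    """True when the software no longer receives security updates."""
    return device.support_ends is not None and device.support_ends <= today


def assess(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Return {device name: [reasons]} for every device that would fail the control."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        reasons = []
        if patch_overdue(d, today):
            reasons.append(f"{d.patch_severity} patch for {d.software} outside the 14-day window")
        if unsupported(d, today):
            reasons.append(f"{d.software} is past end of life; remove or replace")
        if reasons:
            findings[d.name] = reasons
    return findings


# Constructed inventory; the assessment date is the date of this article (an assumption).
ASSESSMENT_DATE = date(2026, 2, 14)
INVENTORY = [
    # Applied 8 days after release: compliant.
    Device("reception-pc", "Windows 11", "critical", date(2026, 1, 20), date(2026, 1, 28), None),
    # High-severity browser patch still not applied 20 days after release: overdue.
    Device("office-laptop", "web browser", "high", date(2026, 1, 25), None, None),
    # Windows 10 support ended 14 October 2025: unsupported, whatever its patch state.
    Device("medication-tablet", "Windows 10", "critical", date(2025, 10, 1), date(2025, 10, 5), date(2025, 10, 14)),
    # Medium-severity patch: outside the 14-day rule, so no finding (still worth applying).
    Device("manager-laptop", "PDF reader", "medium", date(2026, 1, 1), None, None),
    # Critical patch released 9 days ago: still inside the window, so not yet overdue.
    Device("nurse-station", "Windows 11", "critical", date(2026, 2, 5), None, None),
]


def run_example() -> Dict[str, List[str]]:
    return assess(INVENTORY, ASSESSMENT_DATE)


if __name__ == "__main__":
    for name, reasons in run_example().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it lists office-laptop (overdue high patch) and medication-tablet (Windows 10 past end of life); nurse-station is not listed because its critical patch is still inside the 14-day window, and manager-laptop is not listed because a medium-rated patch is outside the rule. In practice the inventory would be exported from whatever patch management tool the IT provider uses rather than typed in by hand.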
The drivers for Cyber Essentials in care are practical and growing.
Commissioner and tender requirements. Local authority commissioners increasingly require Cyber Essentials, or equivalent evidence of cybersecurity, as part of tender and framework requirements. NHS commissioners and Integrated Care Boards may require it for providers who handle NHS data. Without it, care homes are at a competitive disadvantage when bidding for placements and contracts.
Insurance. Cyber insurance providers increasingly require Cyber Essentials certification or offer premium discounts for certified organisations. Some insurers will not quote cyber cover at all without it as a baseline.
Data sensitivity. Care homes handle special category data under UK GDPR, including health records, safeguarding information, and mental capacity assessments. The consequences of a breach go beyond regulatory fines. They have direct safeguarding implications.
CQC expectations. While the CQC does not explicitly mandate Cyber Essentials, inspectors assess data security governance under the "Safe" and "Well-led" key questions. Having certification provides clear, independently recognised evidence of a structured approach to cybersecurity.
NHS data sharing. Any care provider that accesses NHS systems, whether NHSmail, shared care records, or proxy GP access, needs to demonstrate data security compliance. Cyber Essentials complements the Data Security and Protection Toolkit (DSPT) by providing independently verified technical controls.
We see the same issues come up repeatedly when care homes go through the certification process.
Shared accounts. This is the most common failure point in care settings. Staff share login credentials for shift handovers, medication systems, or simply because it is easier. Cyber Essentials requires every user to have their own account. Breaking the habit of shared accounts is one of the hardest cultural changes, but it is non-negotiable for certification.
Unpatched and unsupported devices. Care homes often run old computers with operating systems that no longer receive security updates. Specialist care software sometimes requires older systems, creating a conflict. The 14-day patching requirement is challenging when there are no dedicated IT staff monitoring updates.
Personal devices. Care workers frequently use personal phones to access work email, Teams, or care management systems. These devices may be unpatched, unencrypted, or shared with family members. Under current Cyber Essentials requirements, any personal device that accesses organisational data is in scope.
Admin privilege overuse. Staff often have administrator rights on their devices because nobody restricted them during setup. Care managers sometimes have global admin access to Microsoft 365 because they needed to do something once and the permissions were never reduced.
Home working. Since the pandemic, some care administrative staff work from home. Home routers and networks are now in scope if they are used to access organisational data. Many care organisations have not addressed this.
Consumer-grade network equipment. Smaller care homes often rely on domestic routers with default settings, no separate guest Wi-Fi, and port forwarding rules left open from old CCTV or remote access setups.
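Shared logins and forgotten admin rights are usually found by reading the user list with a critical eye. The following is an added example, not code from the original article: an account-hygiene check that runs over a constructed export of cloud-service accounts (the usernames, the field layout and the generic-role wordlist are assumptions for this example, not the export format of any real admin portal) and reports accounts without MFA, admin accounts used for everyday work, and usernames that look like a role or location rather than a person, so a manager can confirm who actually uses them.

```python
"""
Added example, not code from the original article: an account-hygiene review
for the shared-account, MFA and admin-privilege pitfalls. The export below is
constructed and the role wordlist is a heuristic, not a Cyber Essentials rule.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Words that suggest a role or location rather than a named person. Heuristic only:
# every hit must be confirmed with the manager before it is treated as a shared login.
GENERIC_ROLE_PATTERN = re.compile(
    r"reception|nurse|shift|night|office|carer|manager|medication|meds", re.IGNORECASE
)


@dataclass
class Account:
    username: str
    is_admin: bool             # holds an admin role on the cloud service
    mfa_enrolled: bool
    used_for_daily_work: bool  # signs in for email, care records and similar everyday tasks


def looks_shared(account: Account) -> bool:
    """Username contains a role/location word instead of (or as well as) a person's name."""
    return GENERIC_ROLE_PATTERN.search(account.username) is not None


def review(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every account needing attention before certification."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if not a.mfa_enrolled:
            issues.append("MFA not enrolled (required for cloud services and admin accounts)")
        if a.is_admin and a.used_for_daily_work:
            issues.append("admin account used for everyday work; use a standard account day to day")
        if looks_shared(a):
            issues.append("username looks like a role, not a person; confirm it is not a shared login")
        if issues:
            findings[a.username] = issues
    return findings


def admin_count(accounts: List[Account]) -> int:
    """How many accounts hold admin rights; a number to justify, not just record."""
    return sum(1 for a in accounts if a.is_admin)


# Constructed export of a small care home's cloud accounts (all names are made up).
EXPORT = [
    Account("jane.smith", is_admin=False, mfa_enrolled=True, used_for_daily_work=True),
    Account("reception", is_admin=False, mfa_enrolled=False, used_for_daily_work=True),
    Account("nightshift-meds", is_admin=False, mfa_enrolled=True, used_for_daily_work=True),
    # Manager who was given global admin once and still uses that account for email.
    Account("tom.brown", is_admin=True, mfa_enrolled=True, used_for_daily_work=True),
    # Separate admin account, correctly kept for admin tasks only, but MFA never switched on.
    Account("tom.brown-admin", is_admin=True, mfa_enrolled=False, used_for_daily_work=False),
    Account("priya.patel", is_admin=False, mfa_enrolled=True, used_for_daily_work=True),
]


def run_example() -> Dict[str, List[str]]:
    return review(EXPORT)


if __name__ == "__main__":
    print(f"{admin_count(EXPORT)} of {len(EXPORT)} accounts hold admin rights")
    for username, issues in run_example().items():
        print(username)
        for issue in issues:
            print("  -", issue)
```

On the constructed export, reception is flagged twice (no MFA, and a role name), nightshift-meds once for its name, tom.brown for doing everyday work from an admin account, and tom.brown-admin for a missing MFA enrolment; jane.smith and priya.patel produce no findings. The wordlist will miss a shared account that happens to carry a real person's name, which is why the habit change described above still needs a conversation with staff, not just a report.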
The DSPT and Cyber Essentials serve different but complementary purposes.
The DSPT is broader, covering staff training, data handling processes, business continuity, and leadership accountability across 10 standards. Cyber Essentials is narrower, focusing specifically on five technical controls. But there is significant overlap in areas like patch management, access control, and malware protection.
Standard 9 of the DSPT explicitly references Cyber Essentials as an example of a suitable cyber security framework. If you are doing the work for Cyber Essentials, much of the evidence supports your DSPT submission too. Conversely, the DSPT covers areas that Cyber Essentials does not, like staff training and incident response planning.
Doing both together is more efficient than treating them as separate projects. The technical remediation work for Cyber Essentials directly addresses the DSPT technology standards (8, 9, and 10), and the evidence can be reused across both.
Cyber Essentials certification fees are set by IASME based on organisation size. For most single-site care homes (under 50 employees), the assessment fee is around £300 plus VAT.
Cyber Essentials Plus is more expensive because it involves hands-on testing by a qualified assessor. Typical costs range from £1,500 to £2,500 for a single-site care home.
The bigger investment is not the assessment fee itself. It is the remediation work needed to get your environment into a state that will pass: updating devices, configuring firewalls, resolving patching gaps, and removing unsupported software. For care homes that have never had a structured approach to IT security, this is where the real effort sits.
Certification is valid for 12 months and requires annual renewal, which aligns with the DSPT's annual submission cycle and CQC's ongoing inspection readiness expectations.
The first step is understanding where you currently stand against the five controls. If you already have an IT provider, ask them to assess your readiness. If the answer is vague or noncommittal, that may tell you something about whether they have the expertise to support you through certification.
For care homes across the East Midlands, our managed IT service includes Cyber Essentials support as part of our ongoing partnership. We assess your current position, carry out the remediation work, and support you through the certification process, building it into a repeatable annual cycle rather than a one-off project.
Cyber Essentials is not about ticking a box. It is about putting a genuine security baseline in place that protects the people whose data you hold. For care homes, that means protecting residents, their families, and the staff who look after them.