© 2026 Arviteni Ltd. All rights reserved.

Arviteni Ltd. Registered in England and Wales. Company No. 12255133. VAT No. 340921227. Registered office: Greetwell Place, 2 Lime Kiln Way, Lincoln, LN2 4US.

24 February 2026 · 11 min read · Arviteni

Zero Trust Security: What It Means for Care Organisations (And Why It Matters)

Care organisations cannot rely on perimeter security when staff work across homes, community settings, and offices. This guide explains zero trust in plain language, why the old model fails for care providers, and what practical implementation looks like using Microsoft 365.

Cybersecurity
Zero Trust
Microsoft 365
Care Homes
Compliance

The traditional approach to cybersecurity was built for organisations where everyone works in the same building, on the same network, behind the same firewall. That model was never designed for care. Care workers log in from residential homes, from service users' own homes, from community settings, from their cars between visits, and occasionally from home. They use shared tablets on medication trolleys, personal phones on the move, and office desktops when they are at head office.

The idea that there is a single, defensible perimeter around your organisation's data stopped being realistic the moment your first care worker checked email from a personal device. This is why zero trust matters for care. Not as a buzzword, not as a product to buy, but as a way of thinking about security that actually reflects how your organisation works.

The castle and moat problem

For decades, the dominant security model was what the industry calls "castle and moat." You build strong defences at the boundary of your network (the moat), and once someone is inside (the castle), they are trusted. Firewalls protect the perimeter. VPNs extend the perimeter to remote workers. Everyone inside the walls can access systems freely.

This model has two critical assumptions: that threats come from outside, and that being on the network is a reliable indicator of trustworthiness. Both assumptions are wrong.

Compromised credentials, phishing attacks, and insider threats mean that attackers frequently operate from inside the perimeter. A care worker who clicks a convincing phishing link hands their credentials to an attacker who is now, as far as the castle and moat model is concerned, a trusted insider with access to care plans, medical records, and safeguarding notes.

For care organisations, the perimeter problem is even more acute. Your staff are almost never behind a corporate firewall. A domiciliary care worker visiting six service users in a day connects from six different locations on personal or shared devices. A care home manager splits time between the home, the regional office, and working from home. Agency staff arrive with their own devices and need immediate access to systems. The castle has no walls. The moat dried up years ago.

What zero trust actually means

Zero trust is not a product. It is a security model built on one principle: never trust, always verify.

Instead of assuming that anyone on your network should be trusted, zero trust treats every access request as if it comes from an untrusted source. Every time someone tries to access your organisation's data, the system asks three questions:

  1. Who are you? Is this person who they claim to be? Have they proved their identity with more than just a password?
  2. What are you using? Is this device managed, encrypted, and up to date? Or is it an unknown, unpatched personal device?
  3. Does this make sense? Is this sign-in consistent with normal behaviour? Is the user signing in from the UK at 2pm, or from a foreign country at 3am?

If the answers are satisfactory, access is granted. If not, the request is blocked or additional verification is required. This happens every time, for every user, from every device and location.

The key shift is from implicit trust to continuous verification. In the old model, passing the perimeter check once (logging in to the network) granted ongoing trust. In zero trust, trust is never assumed and is always being re-evaluated.
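To make the three questions concrete, here is an added example (not Arviteni's code, and not Microsoft's Conditional Access engine) that models a per-request access decision in Python. Each sign-in is scored on identity, device and context and comes back as allow, step-up or block. The user names, the device baseline values (30-day patch window, supported OS list, working hours) and the UK-only country rule are assumptions chosen for illustration; the device baseline items mirror the ones the article describes under "Verify device".

```python
"""Toy zero-trust access decision: who, what device, does it make sense.

Added illustration only. It is not Microsoft's Conditional Access engine;
it shows how the three checks combine into allow / step-up / block, and why a
phished password on its own does not get an attacker in.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed baseline values for illustration; a real tenant sets its own.
MAX_PATCH_AGE = timedelta(days=30)
SUPPORTED_OS = {"Windows 11", "iOS 18", "Android 15"}
ALLOWED_COUNTRIES = {"GB"}
WORKING_HOURS = range(6, 23)          # 06:00 to 22:59 local, assumed


@dataclass
class Device:
    managed: bool                     # enrolled in MDM (Intune in the article)
    encrypted: bool                   # BitLocker / platform disk encryption on
    os: str
    last_patched: datetime
    screen_lock: bool
    antivirus_running: bool


@dataclass
class SignIn:
    user: str
    password_ok: bool
    mfa_passed: bool                  # second factor completed for this request
    device: Optional[Device]          # None = unknown, unmanaged device
    country: str                      # ISO 3166 alpha-2 code of the sign-in location
    when: datetime
    usual_countries: set = field(default_factory=lambda: {"GB"})


def compliance_failures(d: Device, now: datetime) -> list:
    """Question 2, 'What are you using?': empty list means the device meets the baseline."""
    failures = []
    if not d.managed:
        failures.append("not enrolled in MDM")
    if not d.encrypted:
        failures.append("disk not encrypted")
    if d.os not in SUPPORTED_OS:
        failures.append(f"unsupported OS {d.os}")
    if now - d.last_patched > MAX_PATCH_AGE:
        failures.append("security patches overdue")
    if not d.screen_lock:
        failures.append("screen lock off")
    if not d.antivirus_running:
        failures.append("antivirus not running")
    return failures


def decide(s: SignIn, now: datetime) -> tuple:
    """Return (verdict, reasons); verdict is 'allow', 'step-up' or 'block'.
    Evaluated on every request, never cached from a previous sign-in."""
    block, step_up = [], []
    # 1. Who are you?
    if not s.password_ok:
        block.append("invalid credentials")
    elif not s.mfa_passed:
        step_up.append("MFA challenge required")
    # 2. What are you using?
    if s.device is None:
        step_up.append("unmanaged device: enrol it or use a managed device")
    else:
        failures = compliance_failures(s.device, now)
        if failures:
            block.append("device not compliant: " + ", ".join(failures))
    # 3. Does this make sense?
    if s.country not in ALLOWED_COUNTRIES:
        block.append(f"sign-in from blocked country {s.country}")
    elif s.country not in s.usual_countries:
        step_up.append("unfamiliar location: re-verify")
    if s.when.hour not in WORKING_HOURS:
        step_up.append("sign-in outside usual hours: re-verify")
    if block:
        return "block", block
    if step_up:
        return "step-up", step_up
    return "allow", []


# Constructed scenarios with made-up users and devices.
NOW = datetime(2026, 2, 24, 14, 0)
TROLLEY_TABLET = Device(True, True, "iOS 18", NOW - timedelta(days=5), True, True)
STALE_LAPTOP = Device(True, True, "Windows 11", NOW - timedelta(days=90), True, True)
SCENARIOS = {
    "care worker, managed tablet, UK, 2pm": SignIn("j.smith", True, True, TROLLEY_TABLET, "GB", NOW),
    "phished password, unknown device, abroad, 3am": SignIn("j.smith", True, False, None, "RO", NOW.replace(hour=3)),
    "phished password, unknown device, UK, 2pm": SignIn("j.smith", True, False, None, "GB", NOW),
    "manager, managed laptop unpatched for 90 days": SignIn("a.patel", True, True, STALE_LAPTOP, "GB", NOW),
}


def run_all(now: datetime = NOW) -> dict:
    """Verdict per scenario name."""
    return {name: decide(s, now)[0] for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        verdict, reasons = decide(s, NOW)
        print(f"{verdict:8} {name}: {'; '.join(reasons) or 'all checks passed'}")
```

The third scenario is the one that matters most for care providers: the password was phished, but the request comes from the UK in working hours, so nothing about the context looks wrong. It still cannot get past step-up, because the attacker does not hold the second factor and the device is not enrolled.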

Why care organisations specifically need this

Every sector handles sensitive data. But care organisations face a combination of factors that make the traditional security model particularly unsuitable.

A distributed, mobile workforce

Care staff do not sit at desks. Residential care workers move between floors, homes, and shifts. Domiciliary care workers travel between service users' homes throughout the day. Supported living staff work in community settings. Head office staff split time between the office and remote working. There is no single location to defend, no perimeter to protect.

Exceptionally sensitive data

Care organisations hold medical records, care plans, mental capacity assessments, safeguarding reports, and personal information for some of the most vulnerable people in society. A data breach in care is not just a regulatory incident. It has direct safeguarding implications for people who may not be able to protect themselves from the consequences.

High staff turnover and agency use

Care has some of the highest turnover rates of any sector, with annual rates between 25% and 35%. Agency and bank staff rotate through regularly. Each new starter needs access quickly, and each leaver's access needs revoking promptly. The old model, where access is granted broadly at onboarding and rarely reviewed, creates a growing pool of excessive permissions and accounts that should have been disabled weeks ago.

Shared devices

Care homes commonly use shared tablets on medication trolleys, shared desktops at nurse stations, and shared devices in reception. Multiple staff access the same device across shifts. This is a legitimate operational need, but it means you cannot assume that the person using a device is the same person who last authenticated on it.

Regulatory expectations

The Data Security and Protection Toolkit (DSPT) requires care organisations to demonstrate strong access controls, device management, and incident response capabilities. Cyber Essentials certification requires access control, secure configuration, and malware protection across all devices accessing organisational data. Both frameworks align naturally with zero trust principles. Implementing zero trust is not a separate project from compliance: it is the technical foundation that makes compliance achievable and sustainable.

The three pillars in practice

Zero trust sounds abstract until you see what it looks like in a real care environment. For organisations running Microsoft 365, the tools to implement it are already included in Business Premium licensing. You do not need to buy additional security products. You need to configure what you already have.

Verify identity

Every user gets their own account. No shared logins, no generic accounts like reception@ or nurse-station@. Multi-factor authentication (MFA) is enforced on every account, requiring a second form of verification beyond a password. Microsoft reports that MFA blocks 99.9% of account compromise attacks.

Conditional Access policies evaluate each sign-in before granting access. You can require MFA for all users, block sign-ins from countries outside the UK, and enforce additional verification for sign-ins that Microsoft's machine learning flags as risky based on location, device, or behaviour patterns.

For care organisations, this means that even if a care worker's password is compromised through phishing, the attacker cannot access systems without also passing the MFA challenge. The single biggest vulnerability in the old model, a stolen password granting full access, is eliminated.

Verify device

Every device that accesses organisational data must be enrolled in Microsoft Intune and meet compliance requirements. This means BitLocker encryption enabled, current security patches applied, supported operating system, screen lock active, and antivirus running. Devices that do not meet the baseline are blocked from accessing sensitive data until they are brought into compliance.

For shared tablets in care homes, Intune manages the device itself rather than relying on individual user sessions. The tablet meets the compliance baseline regardless of who is currently using it. For personal devices, Intune can manage just the organisational data without controlling the entire phone, protecting care data while respecting personal privacy.

When a device is lost or stolen, it can be remotely wiped instantly. A tablet that falls behind a sofa in a service user's home, a phone left at a petrol station between visits: the data can be removed before anyone has time to access it.

Verify behaviour

Continuous evaluation means that access is not a one-time decision. Sessions expire after defined periods of inactivity. Sign-ins from unusual locations or at unusual times trigger additional verification. If a care worker who normally signs in from Nottinghamshire suddenly appears to be signing in from Eastern Europe, the system blocks the access and alerts administrators.
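The Nottinghamshire-to-Eastern-Europe case above is what sign-in risk tooling calls impossible travel. As an added example (not Arviteni's code and not Microsoft Entra ID Protection's detection), here is the check in its simplest form over a handful of constructed sign-in records: for each user, consecutive sign-ins are compared and any pair that would have required travelling faster than a plausible ceiling is raised as an alert. The 900 km/h ceiling, the users and the coordinates are assumptions for illustration.

```python
"""Impossible-travel check over sign-in records (constructed sample data).

Added illustration of the behavioural check described in the text. It is
not Microsoft's risk detection; it only flags consecutive sign-ins by the
same user whose implied speed exceeds a plausible ceiling.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0


@dataclass
class SignInEvent:
    user: str
    when: datetime
    country: str            # ISO 3166 alpha-2 code
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One alert per pair of consecutive sign-ins by the same user whose
    implied speed exceeds max_kmh. Events may arrive out of order."""
    alerts = []
    last = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            if hours == 0:
                # Same timestamp: impossible if the places differ, harmless otherwise.
                kmh = float("inf") if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append({
                    "user": ev.user, "from": prev.country, "to": ev.country,
                    "km": round(km), "minutes": round(hours * 60), "kmh": round(kmh),
                })
        last[ev.user] = ev
    return alerts


# Constructed sample: a care worker's morning in Nottinghamshire, followed by a
# sign-in from Bucharest 30 minutes after her last UK sign-in. A colleague's
# day stays in one place and should not alert.
NOTTINGHAM = (52.95, -1.15)
BUCHAREST = (44.43, 26.10)
SAMPLE = [
    SignInEvent("j.smith", datetime(2026, 2, 24, 9, 5), "GB", *NOTTINGHAM),
    SignInEvent("j.smith", datetime(2026, 2, 24, 11, 0), "RO", *BUCHAREST),   # deliberately out of order
    SignInEvent("j.smith", datetime(2026, 2, 24, 10, 30), "GB", *NOTTINGHAM),
    SignInEvent("k.jones", datetime(2026, 2, 24, 8, 0), "GB", *NOTTINGHAM),
    SignInEvent("k.jones", datetime(2026, 2, 24, 13, 0), "GB", *NOTTINGHAM),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE):
        print(f"{a['user']}: {a['from']} -> {a['to']} {a['km']} km in "
              f"{a['minutes']} min (~{a['kmh']} km/h)")
```

In a tenant the equivalent signal arrives ready-made from Entra ID Protection and feeds Conditional Access as sign-in risk; the value of writing it out is seeing that the decision rests on plain arithmetic over location and time, which is why a single foreign sign-in between two Nottinghamshire visits stands out so clearly.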

Least-privilege access ensures that each role has access only to what it genuinely needs. A care worker can access care plans and visit schedules but not financial systems or HR records. A finance team member can access invoicing but not resident medical records. Even if an account is compromised, the damage is contained to what that specific role could access. In the old model, a compromised account could potentially access everything. In zero trust, the worst case is limited to a narrow set of data and systems.

What this looks like day to day

The most common concern we hear from care managers is: will this slow down my care workers? The answer, when implemented properly, is no.

MFA is typically a single tap on a phone notification. Conditional Access decisions happen in the background: if the user, device, and behaviour all check out, the experience is seamless. The verification is invisible when everything is in order.

Where staff do notice a difference is when something is wrong. A care worker who tries to access care plans from an unmanaged personal device will be prompted to enrol it or use a managed device instead. A user whose account shows signs of compromise will be asked to re-verify. These interventions are the system working as intended, catching the scenarios that the old model would have let through.

For shared devices in care homes, the experience can actually improve. Properly configured shared device mode means care workers sign in to a managed tablet, access what they need, and sign out. The next user gets a clean session. No lingering data from the previous user, no confusion about whose account is active.

Addressing common concerns

"Our care workers are not technical." They do not need to be. The security decisions are made by the system, not the user. Care workers approve an MFA prompt and carry on with their work. The complexity is in the configuration, not the daily experience.

"We have shared devices that multiple staff use." This is expected and accounted for. Intune's shared device mode is designed for exactly this scenario. The device itself is compliant, and individual users authenticate against it.

"We use agency staff who bring their own devices." Conditional Access can handle this. Agency staff access a limited set of applications through a web browser on their own device, without that device needing to be fully managed. They get enough access to do their job, but sensitive data is not downloaded to an unmanaged device.

"This sounds expensive." If you are already paying for Microsoft 365 Business Premium, the tools are included in your licence. Conditional Access, Intune, Defender, MFA: all included. The investment is in the expertise to configure it properly, not in additional software. We have seen care organisations with Secure Scores as low as 16% transform their security posture using features they were already paying for.

Getting started

Zero trust is not an overnight transformation. It is a direction of travel that you implement in phases. The practical starting point for most care organisations is:

  1. Eliminate shared accounts and give every staff member their own identity
  2. Enforce MFA on every account through Conditional Access
  3. Enrol devices in Intune and set compliance baselines
  4. Block legacy authentication protocols that bypass MFA
  5. Apply least-privilege access by reviewing who has access to what and removing unnecessary permissions
  6. Monitor and review using Microsoft Secure Score as an ongoing benchmark
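Before starting on the list, it helps to know where the gaps are. The following is an added example (not Arviteni's code, and not a Microsoft tool) that walks a small, constructed tenant inventory through steps 1 to 5 and reports what each step would need to fix. The user, device and policy records are made up and their shape is only a loose stand-in for what Microsoft Graph returns; the 30-day stale-account threshold, the list of "generic" account names and the non-IT-administrator rule are assumptions for illustration. Step 6 is Microsoft's own Secure Score and is not simulated here.

```python
"""Baseline gap check against the six-step rollout (constructed inventory).

Added illustration only. The records below are made up and simplified; the
client_app_types values are the names Microsoft Graph uses for Conditional
Access client app types, but nothing else here is the real schema.
"""
from datetime import datetime, timedelta

NOW = datetime(2026, 2, 24, 9, 0)
STALE_DAYS = 30                                      # assumed: unused this long => review
GENERIC_LOCAL_PARTS = {"reception", "nurse-station", "office", "admin"}   # assumed heuristic
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}

# Constructed sample data, not from any real tenant.
USERS = [
    {"upn": "reception@care.example", "enabled": True, "mfa": False, "roles": [],
     "department": "Front of house", "last_sign_in": NOW - timedelta(hours=2)},
    {"upn": "j.smith@care.example", "enabled": True, "mfa": True, "roles": [],
     "department": "Care", "last_sign_in": NOW - timedelta(days=1)},
    {"upn": "a.patel@care.example", "enabled": True, "mfa": True,
     "roles": ["Global Administrator"], "department": "Finance",
     "last_sign_in": NOW - timedelta(days=3)},
    {"upn": "k.jones@care.example", "enabled": True, "mfa": False, "roles": [],
     "department": "Care", "last_sign_in": NOW - timedelta(days=75)},
]
DEVICES = [
    {"name": "MEDS-TROLLEY-1", "enrolled": True, "compliant": True},
    {"name": "MEDS-TROLLEY-2", "enrolled": False, "compliant": False},
]
POLICIES = [
    {"name": "Require MFA for all users", "state": "enabled", "users": "All",
     "client_app_types": ["browser", "mobileAppsAndDesktopClients"], "grant": "mfa"},
]


def find_gaps(users=USERS, devices=DEVICES, policies=POLICIES, now=NOW):
    """Return sorted (step, message) tuples; step numbers match the list above."""
    gaps = []
    for u in users:
        local_part = u["upn"].split("@")[0].lower()
        if local_part in GENERIC_LOCAL_PARTS:                                   # step 1
            gaps.append((1, f"{u['upn']} looks like a shared account; replace with named identities"))
        if u["enabled"] and not u["mfa"]:                                        # step 2
            gaps.append((2, f"{u['upn']} has no MFA registered"))
        idle = now - u["last_sign_in"]
        if u["enabled"] and idle > timedelta(days=STALE_DAYS):                   # step 5
            gaps.append((5, f"{u['upn']} unused for {idle.days} days; disable or confirm leaver"))
        privileged = set(u["roles"]) & PRIVILEGED_ROLES
        if privileged and u["department"] != "IT":                               # step 5
            gaps.append((5, f"{u['upn']} holds {', '.join(sorted(privileged))} outside IT; review need"))
    for d in devices:                                                            # step 3
        if not d["enrolled"]:
            gaps.append((3, f"{d['name']} not enrolled in Intune"))
        elif not d["compliant"]:
            gaps.append((3, f"{d['name']} enrolled but below compliance baseline"))
    mfa_for_all = any(p["state"] == "enabled" and p["users"] == "All" and p["grant"] == "mfa"
                      for p in policies)
    if not mfa_for_all:                                                          # step 2
        gaps.append((2, "no enabled policy requires MFA for all users"))
    legacy_blocked = any(p["state"] == "enabled" and p["grant"] == "block"
                         and {"exchangeActiveSync", "other"} <= set(p["client_app_types"])
                         for p in policies)
    if not legacy_blocked:                                                       # step 4
        gaps.append((4, "no enabled policy blocks legacy authentication (exchangeActiveSync, other)"))
    return sorted(gaps)


if __name__ == "__main__":
    for step, message in find_gaps():
        print(f"step {step}: {message}")
```

Run against the sample data it reports a shared reception account, two users without MFA, an unenrolled medication-trolley tablet, no legacy-authentication block, a stale account and a Global Administrator sitting in Finance: one finding per rollout step, which is the order the article suggests tackling them in.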

Each of these steps directly supports your DSPT submission and Cyber Essentials certification. They are not separate workstreams. They are the same work, viewed through different lenses.

We have helped care organisations implement zero trust architecture across complex, multi-site environments, achieve Cyber Essentials certification from a standing start, and transform Microsoft 365 security postures using tools that were already licensed and paid for. The pattern is consistent: the technology is available, the licensing is in place, and the configuration is what makes the difference.

Protecting the people who matter

Zero trust is a technical concept, but the reason it matters in care is not technical at all. Care organisations hold deeply personal information about some of the most vulnerable people in society. Medical records, mental capacity assessments, safeguarding reports, end-of-life care plans. These are the intimate details of people's lives, entrusted to you because those people, or the families who advocate for them, believe you will keep that information safe.

The old security model asked you to defend a perimeter that no longer exists. Zero trust asks you to verify every access, protect every device, and limit every permission to what is genuinely needed. It is not about distrusting your staff. It is about building a system that protects the data even when something goes wrong.

For care organisations across the East Midlands, our managed IT service includes zero trust implementation as part of our ongoing security partnership. We configure the tools your licence already includes, phase the rollout so care delivery is never disrupted, and maintain the policies as your organisation grows and changes.

The people in your care trust you with their most sensitive information. Zero trust is how you make sure that trust is justified.