January 28th 2026
The Care Software Providers Association (CASPA) has published a new suite of cyber security guidance for care technology suppliers.
Developed by CASPA’s Cyber Security Working Group, the guidance focuses on three priority risk areas:
- secure software development lifecycle (SDLC) practices,
- effective management of third-party software dependencies, and
- protection against supply chain attacks.
Together, these areas address some of the most common causes of cyber incidents affecting health and care technology, with practical steps designed to strengthen resilience without slowing innovation.
Martin Lowthian, Chair of the CASPA Cyber Security Working Group, said:
“Care software is already sophisticated and deeply embedded in day-to-day care delivery. Our members care enormously about the sector they serve and understand that trust is hard won and easily lost. This guidance is about protecting that trust – ensuring digital systems remain safe, reliable and worthy of the confidence placed in them by providers, regulators and the people who rely on care services.”
The guidance also supports CASPA’s work with the NHS on the Social Care Interoperability Platform (SCIP), the national programme to enable safe, consistent data sharing between social care systems and the wider health and care ecosystem. Strong cyber security and supply chain assurance are essential foundations for interoperability, ensuring that increased connectivity enhances outcomes without introducing new risks.
“Over the next few years care software will increasingly be linking up with other systems both within social care and with health. It is therefore crucial that systems are built on solid foundations of safety and security. Effective cyber security will be a prerequisite for linking systems together and I would expect cyber standards to only be enhanced over time.”
Peter Skinner, Programme Director for Digitising Social Care, NHS England.
“Digital Care Hub welcomes this clear guidance for tech suppliers. We know that cyber security needs a multi-pronged approach, so it is great to see CASPA’s guidance reflecting many of the key issues that care providers raise with us – especially supply chain attacks. We know that attacks on software that is embedded within tech systems can go unnoticed, until it impacts on everyone involved – including care providers and the people they support. Like CASPA, we strongly recommend that suppliers and care providers develop clear service level agreements around supply chain issues, and a business continuity plan covering who will do what if things go wrong.”
Michelle Corrigan, Chief Executive Officer, Digital Care Hub.
The guidance has been developed collaboratively by CASPA members, reflecting a shared recognition that cyber threats cut across individual organisations and require collective responsibility. By setting clear, proportionate expectations, CASPA aims to raise the security baseline of care technology and support continued confidence in the quality and integrity of the sector’s digital platforms.
The documents are available to CASPA members as part of CASPA’s wider work to support digital maturity, interoperability and safe innovation in adult social care.
Further information
The Care Software Providers Association (CASPA) is an independent association representing the views and interests of social care software providers.
Visit www.caspa.care
Contact [email protected]