11 March 2026 · 12 min read · Arviteni
Most care homes either have no IT support, a generic MSP, or one overstretched internal person. This guide covers what to look for in a care-sector IT provider and the red flags to watch for.
Most care homes are in one of three IT situations. The first is no formal support at all: problems get fixed by whoever is most confident with technology, which is often a manager's relative or a senior carer who has become the accidental IT person. The second is a generic managed service provider (MSP) that knows how to run a help desk but has never heard of the Data Security and Protection Toolkit. The third is a single internal IT person trying to cover everything for a twenty, thirty, or forty-site organisation with a budget built for one.
None of these situations is unusual. Care providers grew up without IT infrastructure, and the digital transformation agenda has arrived faster than the sector's ability to build the expertise to support it. The result is that technology decisions get made by people who are experts in care, not in IT, and IT decisions get made by people who know nothing about care.
This guide is for operations directors, registered managers, and finance leads who need to make a better decision about IT support. It covers what to look for, what questions to ask, and what answers should make you walk away.
The care sector has been pushed toward digital faster than most sectors realise. NHS England's target for 80% of care homes to have a digital social care record system in place, combined with the Digitising Social Care programme, means that IT is no longer optional infrastructure. It is a regulatory expectation.
At the same time, the sector carries structural constraints that make IT harder. Thin operating margins leave little room for technology investment. High staff turnover, typically 25 to 35% annually, means that devices, accounts, and access rights need constant management. Shift patterns run across seven days and twenty-four hours, which means IT problems do not confine themselves to office hours. And care homes handle some of the most sensitive personal data there is: medical records, care plans, safeguarding information, and financial details for residents who are often highly vulnerable.
Generic IT providers do not understand any of this. They understand servers, networking, and support tickets. That is not the same thing.
The consequence is that care homes either limp along with inadequate support, or they pay for IT services that are technically delivered but completely misaligned with their compliance obligations and operational realities.
An MSP that serves solicitors, estate agents, and a couple of care homes is not a care sector IT provider. They are a general IT provider that happens to have some care clients. There is an important difference, and it shows up in several specific ways.
DSPT compliance is unknown territory. The Data Security and Protection Toolkit is the NHS's annual self-assessment framework that most care homes are required to complete. It covers data security policies, staff training, technical controls, and incident management. A care-sector IT provider should know what the DSPT is, which assertions require technical evidence, and how their services directly support your submission. A generic MSP will give you a blank look. If your IT support cannot help you complete your DSPT submission, you are doing it unsupported, which is where most care homes fall over.
Shared device environments are misunderstood. Care homes use shared tablets on medication trolleys, shared devices at nurses' stations, and communal equipment that dozens of staff touch each week. Configuring Microsoft 365 for this environment, managing shared device identities, applying the right Intune policies, and meeting DSPT requirements for individual accountability requires specific knowledge. Generic MSPs configure accounts as if every person has their own dedicated device, which is not the reality in care.
Microsoft 365 frontline licensing is ignored. Most care homes are massively over-spending on Microsoft licensing because their IT provider has put everyone on Business Premium. A typical care home with 60 frontline care workers and 10 admin staff should use a mixed licensing model: Business Premium or Business Standard for management and admin, and F1 or F3 licences for frontline workers. F1 licences cost around £1.70 per user per month compared to £16.60 for Business Premium. That difference across 60 frontline workers is over £10,000 per year. Generic MSPs do not know this model exists because their other clients do not need it.
CQC expectations around technology are invisible. The Care Quality Commission's inspection framework includes questions about how providers manage confidential information, how they use technology to support care delivery, and whether their digital systems are fit for purpose. These expectations inform what good IT governance looks like for a care provider. An IT partner that has never read a CQC report does not have this context.
Cyber Essentials requirements are treated as optional. The government has been clear that Cyber Essentials certification is the baseline for organisations handling NHS data. For care homes on the Digitising Social Care programme, it is a formal requirement. Many generic MSPs have never pursued Cyber Essentials for themselves, let alone guided clients through the process. A care-sector IT provider should hold Cyber Essentials Plus certification and be able to certify you.
Multi-site complexity is underestimated. A care group running ten sites has ten networks, potentially hundreds of devices, multiple managers with different access needs, and IT requirements that compound at scale. Thin margins mean that IT investment needs to be efficient, not just technically correct. An IT partner that has only ever supported single-site organisations will struggle with the operational complexity of a care group, particularly when an incident at one site needs remote resolution without pulling engineering resources across the whole estate.
When you are evaluating IT providers for your care home or care group, these are the things that actually matter.
DSPT expertise. Ask the question directly: can you help us complete our DSPT submission? Can you evidence the technical controls you put in place against specific DSPT assertions? The right answer is yes to both, with specifics. If the provider asks you what DSPT stands for, end the meeting.
Microsoft 365 security configuration experience. Managed IT is not just break-fix support. The most important work is configuration: making sure Conditional Access policies are in place, that Intune is managing your devices, that Defender for Office 365 is configured, and that your Microsoft Secure Score reflects a properly hardened tenant. Ask providers to describe how they would configure a new Microsoft 365 tenant for a care home. The answer should include MFA, Conditional Access, Intune policies for shared devices, and Defender. If it doesn't, their Microsoft 365 practice is not mature enough.
Cyber Essentials Plus certification. Cyber Essentials Plus is not just a credential the provider should hold. It is evidence that they have gone through the process themselves and understand what it requires technically. A provider that holds Cyber Essentials Plus can guide you through certification because they have done it. Ask whether they can certify your organisation and what that process looks like.
Multi-site management capability. If you run more than one site, ask how the provider manages the separation of networks and data between sites, how they handle incidents across multiple locations, and what their onboarding process looks like for adding a new site. The answers reveal whether they have built tooling and processes for scale or whether they are managing everything manually.
Out-of-hours support that matches your shift patterns. Care does not stop at 5pm on Friday. If a medication management system goes down at 11pm on a Sunday, your staff need help now, not on Monday morning. Ask providers what their out-of-hours coverage looks like, what the escalation path is, and whether out-of-hours support costs extra. A provider that only covers standard business hours is not suited to care operations.
Understanding of shared device environments. Ask how they manage shared tablets and shared devices. Ask how they handle shared device identities in Microsoft 365 alongside the DSPT requirement for individual user accountability. Ask about their Intune configuration for shared devices specifically. These are not trick questions. They are standard operational requirements for care. A provider that cannot answer them has not worked in care before.
Patch management process. Ask how they manage software updates and security patches across managed devices. A provider with a mature patch management process will be able to tell you their patch cycle, how they handle devices that miss a patch window, how they report on patch compliance, and what exceptions process they use. Vague answers mean patching is happening inconsistently, which is both a security risk and a Cyber Essentials requirement.
Some answers are not just insufficient. They are signals that the provider is not the right fit for a care organisation.
No knowledge of DSPT. If the provider cannot explain what the DSPT is or how their services support your submission, they have never had a care client with adequate IT governance. This is a disqualifying gap.
One-size-fits-all pricing. A provider that quotes a single per-device or per-user price without asking about your organisation's size, site count, staff turnover rate, or compliance requirements is not scoping your needs. They are selling a product, not a service. Care IT support needs to reflect the specifics of your operation.
No Cyber Essentials certification. A provider that holds no Cyber Essentials certification and cannot explain how they would get you certified is behind the minimum standard the government expects for care organisations handling NHS data. This is not an optional requirement.
Cannot explain their patch management process. Inconsistent patching is one of the most common causes of security incidents. If a provider cannot describe their patch management process clearly, including what happens to devices that go offline, how they handle exceptions, and how they report compliance to you, their security practice is not mature.
No experience with Intune or device management. Microsoft Intune is the standard platform for device management in Microsoft 365 environments. A provider that does not use Intune, or that manages devices through manual processes instead, is not equipped for the shared device complexity and remote management requirements of care.
Generic contract terms with no care-sector provisions. Read the service level agreement. If it contains no reference to your data security obligations, no provisions for DSPT support, and no acknowledgement that you operate in a regulated sector, the contract was written for a different client base.
The Digitising Social Care programme has moved IT from an operational nicety to a funded priority. Local authorities and NHS integrated care systems are actively supporting care providers to adopt digital social care records, medication management systems, and workforce management platforms. The government's target is 80% of care homes using a digital social care record.
With digital adoption comes digital risk. More systems, more data, and more connectivity mean more attack surface. The National Cyber Security Centre has specifically identified health and social care as a high-priority sector for cyber threats. Ransomware attacks on care organisations have increased, and the consequences are severe: encrypted resident records, disrupted medication management, and regulatory investigation.
This is the context in which care homes need IT support. Not the context of a small business with a file server and a broadband connection, but a regulated organisation handling special category data with a duty of care to vulnerable people and a compliance framework that carries legal weight.
The IT support you choose needs to reflect that context.
Before committing to any managed IT provider, work through this list:
The answers to these questions will tell you more about whether a provider is right for care than any case study on their website.
Choosing IT support is one of the most consequential technology decisions a care provider makes. The wrong partner leaves you exposed on compliance, underserved on support, and disconnected from the tools that would make your operation more resilient. The right partner becomes part of your infrastructure, not just a help desk you call when things break.
Our managed IT service is built exclusively for care providers. We work with care homes and care groups across the East Midlands on DSPT compliance, Microsoft 365 configuration, Cyber Essentials certification, device management, and out-of-hours support. We are not a generic MSP with a care division. Care is the only sector we work in.
If you are not confident that your current IT support is meeting your compliance obligations or supporting your teams the way they need, it is worth a conversation. You can find out more about what we offer and how we work at our managed IT page.
The sector's IT requirements are only going to increase. Making the right choice now saves significantly more than it costs.