
Cyber threat intelligence

NHS England’s National Cyber Security Operations Centre (CSOC) provides an array of healthcare-specific cyber threat intelligence services designed to equip decision makers and network defenders with critical intelligence to better defend health and social care systems against cyber attacks.  

About our cyber threat intelligence services

NHS England provides a variety of central threat intelligence services for health and social care organisations.

Cyber threat intelligence (CTI) plays a critical role in defending organisations across the health and social care system against cyber threats. CTI ensures decision makers are kept informed of the latest threats and that network defenders are empowered to detect and respond to events as they occur. Without a view of the cyber threat landscape, organisations risk defending against too little, or constantly trying to defend against too much without knowing which threats are the most relevant.

Our CTI services use NHS England’s National CSOC’s advanced healthcare telemetry, which processes over 33 billion security signals daily, as well as integrating centrally procured threat intelligence from suppliers like CrowdStrike Falcon Intelligence, Microsoft Defender Threat Intelligence, Health-ISAC, and many more. This extensive intelligence is distributed into both national and local security systems, and now also offered directly to network defenders across the system through the robust suite of services described below.


Service descriptions

Below are the details of the different CTI services provided by NHS England National CSOC.

Threat Intelligence Sharing Platform

The Threat Intelligence Sharing Platform (TISP) provides real-time information, enabling healthcare organisations to rapidly receive and share threat intelligence to enable an informed cyber threat response. Users will be able to access threat intelligence from NHS England’s CSOC, our commercial providers and partners, and share threat intelligence to the centre through a single central platform. Users can use the TISP to access a suite of written intelligence products and query our indicators of compromise (IOCs).

TISP acts as a central hub where local, regional and national threat intelligence is gathered, curated, and redistributed seamlessly across the health and social care system. Our platform is your go-to repository for indicators of compromise, written human-readable intelligence reports and alerts, and two-way intelligence sharing.

NHS Cyber Alerts

NHS England’s threat intelligence team triages threat intelligence concerning newly exploited and critical vulnerabilities, carrying out comprehensive assessments of the threat to healthcare and releasing detailed cyber alerts that outline appropriate actions and severity levels. Discover NHS Cyber Alerts.

Cyber threat monitoring

NHS England's Cyber Threat Monitoring (CTM) proactively monitors the dark web, social media and other platforms criminals use for:

  • VIP information
  • sensitive data theft
  • compromised credentials
  • ransom demands
  • domain impersonations
  • critical supplier risk
  • threats to IT infrastructure

These and many other cyber threats are comprehensively monitored for health and social care organisations in its scope. NHS England’s CSOC Incident Management team then validates the information, notifies organisations about the threat and suggests actions to address it.

Curated Indicators of Compromise (IOC) feed

The NHS England threat intelligence team curates threat intelligence feeds from internal telemetry, open source intelligence (OSINT), commercial intelligence sources, and other intelligence partners into a prioritised feed of threats known to target health and social care. This provides organisations with a curated, high-confidence indicator feed that can be shared via the latest intelligence sharing standards, including STIX 1.x, 2.x, and TAXII 2.x. 

NHS England threat intelligence IOCs are already submitted to national services, but organisations can now subscribe directly to NHS England central TAXII servers to take advantage of our curated threat intelligence feeds in other security tooling.

Threat intelligence reporting

NHS England’s threat intelligence team provides a suite of threat intelligence products to meet tactical, operational and strategic intelligence requirements. Informed by internal incident telemetry, commercial sources, open-source intelligence and government partners, these products include:

  • regular written threat briefings and webinars
  • bespoke products covering notable events in the cyber threat landscape
  • guidance on relevant threat actors and how best to defend against them
  • threat hunting reports with practical detection methodology and logic
  • long form strategic assessments of critical threats to health and social care

Cyber Associates Network

Complementing NHS England threat intelligence services, health and social care organisations can become members of the Cyber Associates Network (CAN): a network of cyber security expertise across public sector health and care.

CAN members can discuss and collaborate on threat intelligence products and services delivered by NHS England.

Members also have the chance to influence national cyber security across the system by supporting NHS England in developing new products, services, policies and strategies.


Benefits

The benefits of using our threat intelligence include:







This service is for organisations across health and social care

NHS England’s threat intelligence services are available to organisations across health and social care in line with the Data Security Centre Services Directions 2020 specification.

NHS England’s threat intelligence team publishes cyber alerts on NHS England’s public-facing website, so they are available to everyone. Organisations can also receive our cyber alerts through an RSS feed.

All health and social care organisations within NHS England CSOC’s scope can also sign up to access our national Threat Intelligence Sharing Platform, where you can access our written intelligence products and IOC feeds scoped to your organisation.

If you are a public sector or healthcare organisation, or critical supplier, register your interest to access our threat intelligence services by emailing [email protected]. We will respond with what services are available or register the demand.


How to register with NHS England CTI services

To request access to threat intelligence services, email [email protected].

Organisations subscribed to the Cyber Associates Network (CAN) Threat Intelligence Service page can access our threat intelligence services through a streamlined experience.


How this service aligns with the Cyber Assessment Framework

This service aligns to the following principles and outcomes of the Cyber Assessment Framework (CAF).

Objective B: Defending systems against cyber attack

The organisation builds resilience against cyber-attack into the design, implementation, operation and management of systems that support the operation of essential functions.

B5.a Resilience preparation

You are prepared to restore the operation of your essential function(s) following adverse impact.

Principle C2 Proactive security event discovery

The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployable).

C1.d Identifying security incidents

You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

C2.a System abnormalities for attack detection

You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.


Alignment with Cyber security strategy for health and social care: 2023 to 2030

The CTI services delivered by NHS England have been designed to directly support the 'Defend as One' pillar described in the policy paper 'A cyber resilient health and adult social care system in England: cyber security strategy to 2030', which includes the following desired outcomes:

  1. Health and social care organisations work in partnership on their cyber security, sharing data, learning and resources to improve sector-wide resilience.
  2. Threat intelligence and detection across the NHS is co-ordinated nationally for rapid response and alerting.

Last edited: 8 January 2025 11:20 am