Skip to main content

Respond to an NHS cyber alert

This web-based service will enable NHS organisations to receive information about cyber security threats and vulnerabilities, and respond effectively and safely to them.

When there is a high severity cyber alert, NHS Digital's Data Security Centre (DSC) alerts relevant NHS organisations. These organisations are then required to use the service to record their remediation status against the cyber alert within 48 hours.

CareCERT Collect is closing

All responses can now only be submitted via the respond to an NHS cyber alert service.

URL changed at the end of July

The URL for accessing the service changed at the end of July 2020. Service can now be accessed at:

MFA needed to access the service

All users will need to have Multi Factor Authentication (MFA) enabled on their NHSMail email account. To get MFA enabled, email your request to There can be a 10-day turnaround completing these requests.

Benefits of the service

The respond to an NHS cyber alert service is due to replace the CareCERT Collect portal, offering greater

  • accessibility
  • usability
  • security. 

NHS organisations are mandated by NHS England and NHSX to respond to these cyber alerts within 48 hours from when they are issued by the DSC. This new service will make the experience easier and more user friendly. 

Check if your organisation needs to use the service

Check this spreadsheet to find out if your organisation should be using the service to provide a response to high severity alerts.

If your organisation is not listed you do not need to register for access.

Registering to use the service

If you are responsible for cyber alerts in an NHS Trust, Foundation Trust, Clinical Commissioning Group (CCG) or Commissioning Support Unit (CSU) and would benefit from having to access to this service you should follow these steps

  • contact your local administrator for the service. If you're not sure who this is, please contact your Senior Information Risk Owner (SIRO) who will be able to provide this information
  • if your organisation doesn’t have anyone registered on this service, your SIRO should contact, with the nominee's organisation ODS code, organisation name and the NHSmail email address of the person who will be the lead administrator for the organisation
  • once we have received your lead administrator nomination, we will inform them when their account has been registered

Accessing the service for the first time

To access the service you need to have multi-factor authentication (MFA) enabled on your account. Follow the below steps to set up your account with MFA and then access the service for the first time.

  1. email with your request to enable MFA on your email address. You can request multiple enablements at the same time, so if you want to add other users to the service, this is a good opportunity to get them all done at the same time
  2. you will then receive an email confirmation saying when the MFA will be enabled
  3. when MFA has been enabled you will receive an email from NHS Mail to your email address explaining what you need to do to set-up your MFA
  4. when you have successfully set-up your MFA come to this page
  5. use the login link and enter your NHS Mail credentials
  6. you will then be prompted to provide verification. Depending on the method you have set-up you will verify using a text message code, a telephone call or the authenticator app
  7. once verified you will access the service and be able to respond to high severity alerts and manage users for your organisation.

High severity alert process

NHS Digital's Cyber Security Operations Centre (CSOC) raise a high severity cyber alert

  • cyber alert details and remediation instructions will be added to the NHS Digital website cyber alert page
  • a cyber alert email will be sent to registered users on the service
  • NHS trusts, CCGs, and CSUs, who are mandated to respond by NHS England and NHSX, will have 48 hours to respond to the cyber alert, providing details of actions being taken
  • NHS England and NHSX will report on organisation responses
  • NHS England will follow-up with organisations who have not responded within the 48-hour time frame
  • NHS trusts, CCGs, and CSUs, should then use the service to provide ongoing updates on the status of their remediation efforts until remediation against the cyber alert has been satisfactorily completed, or shown to not be applicable for their organisation.

Responding to an alert

Every organisation needs to acknowledge high severity cyber alerts within 48-hours by recording their remediation status on the service.

This service will allow (lead) organisations to respond on behalf of multiple organisations at the same time, if there is an existing agreement in place. For example, where there is an outsourced IT provider.

Organisations will be asked to provide their current status of remediation, which can be

  • remediation under investigation or in progress
  • remediation complete
  • remediation is not necessary as alert is not applicable
  • not able to implement remediation. 

Organisations will then be asked to give further information depending on the response they provide. 

Using the service


We have provided recommendations for different roles to help you manage an NHS cyber alert 

  • administrators can provide responses, add/remove users, and approve/deny access requests for their organisation(s)
  • responders can provide responses for their organisation(s) but cannot perform any user management
  • auditors are NHS England or NHSX users who can view reports of organisation responses.
Responding to an alert

The response a user can provide for organisation(s) they have been given access to respond on behalf of can be either

  • a unique response for each organisation
  • a bulk response for all, or a subset, of their organisations.
Requesting access to respond on behalf of another organisation

All responders and administrators are able to request access to respond on behalf of other organisations from the ‘manage access to organisations’ page.

Administrators are responsible for approving or denying these access requests for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Adding or removing users from your organisation

Administrators can add or remove administrators and responders for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Contact details

If you have questions about the respond to an NHS cyber alert service you can email or telephone our customer service centre on 0300 303 4034.

Our customer service centre is open 9 am to 5 pm, Monday to Friday, except on public holidays.

Last edited: 29 July 2020 3:29 pm