Respond to an NHS cyber alert

This service replaced CareCERT Collect in 2020. The service is continuously being improved based on the needs of its users. We aim to release new functionality, design changes, security improvements and technical enhancements every 2 weeks.

Find out about new functionality.

If you are registered on the service then you will automatically receive high severity alert emails to your NHSmail address as soon as an alert is issued.

Signing in to the service provides a wider range of options for receiving these alerts.

All registered users can choose to get high severity alerts sent to alternative email addresses or by SMS to mobile numbers. Go to ‘Manage contact preferences’ once signed in to add email addresses and mobile numbers.

Users with administrator permissions can add extra contacts to receive high severity alerts without needing to provide access to the response service. Go to ‘Manage access to organisations’ to add these extra alert recipients.

If your organisation is not registered on the service then we recommend subscribing to the cyber alerts RSS feed to get regular updates about new cyber alerts.

When NHS England issues a high severity cyber alert, details and remediation instructions will be added to our cyber alerts page. An email and SMS for the alert will be sent to registered users.

Each organisation should sign in to the ‘Respond to an NHS cyber alert’ service to acknowledge the alert as soon as possible. This should be done within 48 hours of the alert being issued.

Organisations are then expected to complete their response within 14 days of the alert being issued.

NHS England will report on organisation responses. They will make contact where additional details are required or if the 48 hour or 14 day deadline is missed.

If your organisation is in our list of registered organisations, but you have not been given access, you should request access through your lead administrator for the service, or your organisation’s senior information risk owner (SIRO).

If you're unsure who to contact, please fill in this enquiry form and someone from our team will verify your request with your organisation’s administrator or SIRO.

If it's agreed that you should have access, you will be registered as either a responder or an administrator. Check which role is appropriate for you.

Once you have multi-factor authentication (MFA) enabled, follow these steps to access the service for the first time. If you don't have MFA enabled, there are instructions listed below.

1. Open the 'respond to an NHS cyber alert' service and enter your NHSmail credentials.
2. Verify who you are using the MFA method you have set up. This will be either a text message code, a telephone call or an authenticator app.
3. Once verified, you will be logged in to the service and you will be able to respond to cyber alerts.

Find out more about using MFA with your NHSmail account.

There are 4 types of role that people can have in the ‘Respond to a cyber alert’ service: administrators, responders, auditors and service administrators.

If you need to respond for your organisation but are unable to identify your administrator, contact us using the access request form.

if you need auditor access to the service, contact our helpdesk at [email protected].

The 'respond to an NHS cyber alert' service has been designed to be accessible so that it can be used by as many people as possible that need to use it. Here is a link to our full accessibility statement.

We will continue to design and test all new functionality with accessibility needs in mind. If you have accessibility needs and would like to share your views, please email [email protected].