Respond to an NHS cyber alert

This web-based service provides NHS organisations with a secure and effective way to respond to high severity cyber alerts. It also lets these organisations sign up to receive information about the latest high severity cyber security threats and vulnerabilities by email or SMS.

When there is a high severity cyber alert, NHS Digital's Data Security Centre (DSC) will inform relevant NHS organisations of the remediation actions they should be taking. These organisations are then required to use this service to record their remediation status for the alert within 48 hours.

Service availability

The service will be unavailable from 5:00 PM on 28 October 2021 for approximately 5 minutes whilst we deploy essential updates.

Benefits of the service

The respond to an NHS cyber alert service has replaced the CareCERT Collect portal, offering greater:

  • accessibility
  • usability
  • security

This new service should make the experience easier and more user friendly for all organisations that need to respond to cyber alerts.

How to receive high severity alert notifications

If you are registered on the service then you will automatically receive high severity alert emails to your NHSmail address as soon as an alert is issued.

Signing into the service provides a wider range of options for receiving these alerts.

All registered users can:

  • Go to ‘contact preferences’ once signed in to add an alternative email address for receiving high severity alert emails and reminders.
  • Go to ‘contact preferences’ once signed in to add a mobile number for receiving a high severity alert text message.

Users with administrator permissions can:

  • Go to ‘manage access to organisations’ > ‘manage’ to add organisation contacts for receiving the high severity alert without needing to provide access to the service to respond.

If your organisation is not registered on the service then we recommend subscribing to the cyber alerts RSS feed to get regular updates about new cyber alerts.

Best practice for responding to an alert

This guidance will help you respond to high severity alerts effectively and efficiently. It offers suggestions for providing the right type of information for any stage of remediation. This will help you produce a robust response plan for any cyber alert.

By following this advice you will also be helping NHS England, NHS Digital and NHSX prioritise support to organisations that most need it.

We want to continue improving this content, so please contact us if you have any suggestions.

What to do when you first receive an alert

As soon as you receive the high severity alert email or SMS you should access the service immediately and set your status to in progress to acknowledge receipt of the alert.

You are not expected to provide lots of detail at this stage, but if you are able to provide any of the following information without slowing down your ability to acknowledge straight away then please do so.

This information can then feed into your response plan:

  • what you have already done
  • what you are going to do
  • how many systems are affected (workstations, servers, firewalls, etc.)
  • what your barriers to remediating might be
  • what management sign-offs are required
  • when you expect to complete remediation.

If you are fairly confident that an alert is not applicable for your organisation, it is still helpful to provide a response plan, even if you then change your status shortly after.

What to do whilst you are remediating

Whilst remediation is still in progress you should continue to provide regular updates until all recommended remediation steps have been completed or deemed unnecessary. You should include:

  • what you have done since your previous update
  • what you are going to do before your next update
  • how many systems are still affected (workstations, servers, firewalls, etc.)
  • what your barriers to remediating might be
  • what management sign-offs are required
  • when you expect to complete remediation.

What to do when you complete remediation

When you have completed all necessary remediation you should immediately change your status to complete and provide details about:

  • what you did
  • who signed off anything that needed signing off
  • when you did it.

What to do when you are not able to implement remediation

If remediation is not possible you should provide a 'Not able to implement' status. Your update should include:

  • details about alternative mitigations that have been put in place 
  • confirmation that your SIRO or CEO has accepted any associated risks.

What to do when remediation is not applicable

If remediation is not necessary provide a Not applicable status. You'll be prompted to give additional information about why the alert is not applicable for your organisation. For example, you do not use the software or hardware affected by the vulnerability.

Check if your organisation needs to use the service

Check this spreadsheet to find out if your organisation should already be using the service to provide a response to high severity alerts.

If your organisation is not listed you do not need to register for access.

Please contact us if you think your organisation could benefit from using the service. We are especially interested in hearing from Designated Private Providers and Out of Hours Providers.

Registering to use the service

If your organisation is in our list of registered organisations, but you have not been given access, you should request access through your lead administrator for the service, or your organisation’s Senior Information Risk Owner (SIRO).

If you're unsure who to contact, please fill out this enquiry form and someone from our team will verify your request with your organisation’s administrator or SIRO.

If it's agreed that you should have access, you will be registered as either a responder or an administrator. Check which role is appropriate for you.

Enabling multi-factor authentication

All users need to have multi-factor authentication (MFA) enabled on their NHSmail account.

You can now self-enrol for MFA by following this guidance.

If you run into any problems please contact your Local Administrator (LA) for NHSmail.

If you are unsure who your LA is, NHSmail have provided guidance for how to find this out.

If you are an LA this guidance will help you enable MFA for users at your organisation.

Accessing the service for the first time

Once you have MFA enabled, follow these steps to access the service for the first time. If you don't have MFA enabled, follow the instructions above.

  1. Open the respond to an NHS cyber alert service and enter your NHSmail credentials.
  2. Verify who you are using the MFA method you have set up. This will be either a text message code, a telephone call or the authenticator app.
  3. Once verified, you will be logged into the service and you will be able to respond to cyber alerts.

Find out more about using MFA with your NHSmail account.

High severity alert process

Here's what happens when NHS Digital's Cyber Security Operations Centre (CSOC) raises a high severity cyber alert:

  • Cyber alert details and remediation instructions will be added to the NHS Digital website cyber alert page, and an email and SMS will be sent to registered users.

  • Organisations with access to the service should acknowledge receipt immediately. Any acknowledgment must be made no later than 48 hours after the alert has been initially sent.

  • Organisations should provide ongoing updates on the status of their remediation efforts until remediation against the cyber alert has been satisfactorily completed, or shown to not be applicable.

  • Organisations are then expected to have completed remediation, shown the remediation to be not applicable, or accepted the risk of not mitigating within 14 days of the alert being issued.

  • NHS England, NHS Digital and NHSX will report on organisation responses and make contact where additional details are required or the 48 hour or 14 day deadline is missed.

Using the service

Use this guidance to understand more about the service.


We have provided recommendations for different roles to help you manage an NHS cyber alert: 

  • administrators can provide responses, add and remove users, and approve or deny access requests for their organisation(s)
  • responders can provide responses for their organisation(s), but cannot perform any user management
  • auditors are NHS England or NHSX users who can view reports of organisation responses

Responding to an alert

When responding on behalf of the organisation(s) they have been given access to, a user can provide either:

  • a unique response for each organisation
  • a bulk response for all, or a subset, of their organisations

Requesting access to respond on behalf of another organisation

All responders and administrators are able to request access to respond on behalf of other organisations from the ‘manage access to organisations’ page.

Administrators are responsible for approving or denying these access requests for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Adding or removing users from your organisation

Administrators can add or remove administrators and responders for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Reporting on responses to a high severity alert

Auditor users can view two reports on the service. Both reports will show the latest response status and any comments provided by organisations within their region(s).

  • The all alerts report shows responses for every alert on the service. This is only downloadable as a CSV.
  • The latest status report only shows the responses for a particular alert. This is viewable from within the service and is downloadable as a CSV.
  • It is possible to filter the latest status report by 'response status' and 'organisation type' when using the user interface to check responses.

All organisation types are retrieved from ODS, so you may find that the groupings are not what you are expecting. For example, for NHS Trusts, you'll need to select both 'Care Trusts' and 'NHS Trusts' to show all Trusts.

Contact details

If you have questions about the respond to an NHS cyber alert service you can email or telephone our customer service centre on 0300 303 4034.

Our customer service centre is open 9 am to 5 pm, Monday to Friday, except on public holidays.

Last edited: 13 October 2021 7:21 am