Skip to main content

Respond to an NHS cyber alert

This web-based service provides NHS organisations a secure and effective way to respond to high severity cyber alerts. It also offers the ability for these organisations to sign-up to receive information about the latest high severity cyber security threats and vulnerabilities by email or SMS.

When there is a high severity cyber alert, NHS England's Cyber Security Operations Unit (CSOU) will inform relevant NHS organisations of the actions they should take. These organisations are then required to use the ‘Respond to an NHS cyber alert’ service to record their response to the alert.

Service availability

This service is currently available.

The service was last unavailable between 5:00pm and 5:05pm on Thursday 11 April 2024 whilst we deployed system updates.

If you do run into problems accessing the service please check for known issues on the organisation's service status hub:

System changes and release notes

This service replaced CareCERT Collect in 2020. The service is continuously being improved based on the needs of its users. We aim to release new functionality, design changes, security improvements and technical enhancements every 2 weeks.

Find out about new functionality.

How to receive high severity alert notifications

If you are registered on the service then you will automatically receive high severity alert emails to your NHSmail address as soon as an alert is issued.

Signing in to the service provides a wider range of options for receiving these alerts.

All registered users can choose to get high severity alerts sent to alternative email addresses or by SMS to mobile numbers. Go to ‘Manage contact preferences’ once signed in to add email addresses and mobile numbers.

Users with administrator permissions can add extra contacts to receive high severity alerts without needing to provide access to the response service. Go to ‘Manage access to organisations’ to add these extra alert recipients.

If your organisation is not registered on the service then we recommend subscribing to the cyber alerts RSS feed to get regular updates about new cyber alerts.

How to respond to an alert

When NHS England issues a high severity cyber alert, details and remediation instructions will be added to our cyber alerts page. An email and SMS for the alert will be sent to registered users.

Each organisation should sign in to the ‘Respond to an NHS cyber alert’ service to acknowledge the alert as soon as possible. This should be done within 48 hours of the alert being issued.

Organisations are then expected to complete their response within 14 days of the alert being issued.

Read our guidance for responding to an NHS cyber alert. Our guidance includes suggestions for what to include at each stage of remediation and will help you to produce a robust response plan for any cyber alert.

NHS England will report on organisation responses. They will make contact where additional details are required or if the 48 hour or 14 day deadline is missed.

Check if your organisation needs to use the service

Check this spreadsheet to find out if your organisation should already be using the service to provide a response to high severity alerts.

If your organisation is not listed you do not need to register for access.

Please email us at [email protected] if you think your organisation could benefit from using the service. We are especially interested in hearing from designated private providers and out of hours providers.

Registering to use the service

If your organisation is in our list of registered organisations, but you have not been given access, you should request access through your lead administrator for the service, or your organisation’s senior information risk owner (SIRO).

If you're unsure who to contact, please fill in this enquiry form and someone from our team will verify your request with your organisation’s administrator or SIRO.

If it's agreed that you should have access, you will be registered as either a responder or an administrator. Check which role is appropriate for you.

Accessing the service for the first time

Once you have multi-factor authentication (MFA) enabled, follow these steps to access the service for the first time. If you don't have MFA enabled, there are instructions listed below.

  1. Open the 'respond to an NHS cyber alert' service and enter your NHSmail credentials.
  2. Verify who you are using the MFA method you have set up. This will be either a text message code, a telephone call or an authenticator app.
  3. Once verified, you will be logged in to the service and you will be able to respond to cyber alerts.

Find out more about using MFA with your NHSmail account.

Enabling multi-factor authentication

All users need to have multi-factor authentication (MFA) enabled on their NHSmail account. You can now self-enrol for MFA.

If you run into any problems please contact your local administrator (LA) for NHSmail. NHSmail has provided guidance for finding your LA if you are unsure who yours is.

If you are an LA this guidance will help you enable MFA for users at your organisation.

User roles

There are 4 types of role that people can have in the ‘Respond to a cyber alert’ service: administrators, responders, auditors and service administrators.


Administrators can provide responses to alerts and can manage user roles for their organisations,

Using the ‘Manage access to organisations’ page, administrators can:

  • add and remove responders
  • add and remove administrators
  • approve or deny access requests 

Responders can provide responses for their organisations but cannot manage user roles.

Responders have access to the ‘Manage access to organisations’ page where they can request access to respond on behalf of organisations.


Auditors are users who can view reports of organisation responses.  Auditors cannot provide responses and cannot manage user roles.

Auditors can view 3 reports on the service: an 'All alerts' report, an 'Overdue actions' report and a 'Latest status' report.

All reports show the latest response status and any comments provided by organisations within their regions.

The ‘All alerts’ report shows responses for every alert on the service. This is only downloadable as a CSV file and cannot be viewed online.

The 'Overdue actions' report shows organisations which have not acknowledged an alert or have not provided an update on the date they said they would. This report is downloadable as a CSV.

The ‘Latest status’ report shows the responses for a particular alert. This report can be viewed from within the service and is also downloadable as a CSV.

It is possible to filter the latest status report by various criteria to check responses. If you filter by organisation type, please note that this information is retrieved from Organisation Data Service, so you may find that the groupings are not what you are expecting. For example, for NHS trusts, you'll need to select both 'Care trusts' and 'NHS trusts' to show all trusts.

Service administrators

Service administrators are NHS Digital users who can manage access requests for administrator, responder, and auditor roles. Service administrators cannot provide or view responses.

If you need to respond for your organisation but are unable to identify your administrator, contact us using the access request form.

if you need auditor access to the service, contact our helpdesk at [email protected].

Accessibility statement

The 'respond to an NHS cyber alert' service has been designed to be accessible so that it can be used by as many people as possible that need to use it. Here is a link to our full accessibility statement.

We will continue to design and test all new functionality with accessibility needs in mind. If you have accessibility needs and would like to share your views, please email [email protected].

Contact details

If you have questions about the 'respond to an NHS cyber alert' service, you can email [email protected] or telephone our customer service centre on 0300 303 4034.

Our customer service centre is open 9am to 5pm, Monday to Friday, except on public holidays.

Last edited: 12 April 2024 2:36 pm