When there is a high severity cyber alert, NHS Digital's Data Security Centre (DSC) alerts relevant NHS organisations. These organisations are then required to use the service to record their remediation status against the cyber alert within 48 hours.
All users will need to have Multi Factor Authentication (MFA) enabled on their NHSMail email account. To get MFA enabled, email your request to firstname.lastname@example.org. There can be a 10-day turnaround completing these requests.
Benefits of the service
The respond to an NHS cyber alert service is due to replace the CareCERT Collect portal, offering greater
NHS organisations are mandated by NHS England and NHSX to respond to these cyber alerts within 48 hours from when they are issued by the DSC. This new service will make the experience easier and more user friendly.
Accessing the service
If you are responsible for cyber alerts in an NHS Trust, Foundation Trust, Clinical Commissioning Group (CCG) or Commissioning Support Unit (CSU) and would benefit from having to access to this service you should follow these steps
- contact your local administrator for the service. If you're not sure who this is, please contact your Senior Information Risk Owner (SIRO) who will be able to provide this information
- if your organisation doesn’t have anyone registered on this service, your SIRO should contact email@example.com, with their organisation ODS code, organisation name and the NHSmail email address of the person who will be the lead administrator for the organisation
- once we have received your lead administrator nomination, we will inform them when they are able to access the service
- providing the user has MFA enabled they will then be able to login to the service and start responding to alerts for their organisation. They will also be able to start adding additional users for their organisation using the 'manage access to organisations' section of the service.
High severity alert process
NHS Digital's Cyber Security Operations Centre (CSOC) raise a high severity cyber alert
- cyber alert details and remediation instructions will be added to the NHS Digital website cyber alert page
- a cyber alert email will be sent to registered users on the service
- NHS trusts, CCGs, and CSUs, who are mandated to respond by NHS England and NHSX, will have 48 hours to respond to the cyber alert, providing details of actions being taken
- NHS England and NHSX will report on organisation responses
- NHS England will follow-up with organisations who have not responded within the 48-hour time frame
- NHS trusts, CCGs, and CSUs, should then use the service to provide ongoing updates on the status of their remediation efforts until remediation against the cyber alert has been satisfactorily completed, or shown to not be applicable for their organisation.
Responding to an alert
Every organisation needs to acknowledge high severity cyber alerts within 48-hours by recording their remediation status on the service.
This service will allow (lead) organisations to respond on behalf of multiple organisations at the same time, if there is an existing agreement in place. For example, where there is an outsourced IT provider.
Organisations will be asked to provide their current status of remediation, which can be
- remediation under investigation or in progress
- remediation complete
- remediation is not necessary as alert is not applicable
- not able to implement remediation.
Organisations will then be asked to give further information depending on the response they provide.
Using the service
We have provided recommendations for different roles to help you manage an NHS cyber alert
- administrators can provide responses, add/remove users, and approve/deny access requests for their organisation(s)
- responders can provide responses for their organisation(s) but cannot perform any user management
- auditors are NHS England or NHSX users who can view reports of organisation responses.
Responding to an alert
The response a user can provide for organisation(s) they have been given access to respond on behalf of can be either
- a unique response for each organisation
- a bulk response for all, or a subset, of their organisations.
Requesting access to respond on behalf of another organisation
All responders and administrators are able to request access to respond on behalf of other organisations from the ‘manage access to organisations’ page.
Administrators are responsible for approving or denying these access requests for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.
Adding or removing users from your organisation
Administrators can add or remove administrators and responders for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.
If you have questions about the respond to an NHS cyber alert service you can email firstname.lastname@example.org or telephone our customer service centre on 0300 303 4034.
Our customer service centre is open 9 am to 5 pm, Monday to Friday, except on public holidays.