
Respond to an NHS cyber alert

This web-based service provides NHS organisations with a secure and effective way to respond to high severity cyber alerts. It also allows these organisations to sign up to receive information about the latest high severity cyber security threats and vulnerabilities by email or SMS.

When there is a high severity cyber alert, NHS Digital's Data Security Centre (DSC) will inform relevant NHS organisations of the actions they should take. These organisations are then required to use the ‘Respond to an NHS cyber alert’ service to record their response to the alert.

Service availability

This service is currently available and is next expected to be unavailable between 5pm and 5:10pm on 02 June 2022 whilst we deploy essential system updates.

The service was last unavailable between 5:05pm and 5:10pm on 24 May 2022 whilst we deployed system updates.

System changes and release notes

This service replaced CareCERT Collect in 2020. The service is currently in public beta and is continuously being improved based on the needs of its users. We aim to release new functionality, design changes, security improvements and technical enhancements every 2 weeks.

Find out about new functionality.

How to receive high severity alert notifications

If you are registered on the service then you will automatically receive high severity alert emails to your NHSmail address as soon as an alert is issued.

Signing in to the service provides a wider range of options for receiving these alerts.

All registered users can choose to get high severity alerts sent to alternative email addresses or by SMS to mobile numbers. Go to ‘Manage contact preferences’ once signed in to add email addresses and mobile numbers.

Users with administrator permissions can add extra contacts to receive high severity alerts without needing to provide access to the response service. Go to ‘Manage access to organisations’ to add these extra alert recipients.

If your organisation is not registered on the service then we recommend subscribing to the cyber alerts RSS feed to get regular updates about new cyber alerts.

How to respond to an alert

When NHS Digital issues a high severity cyber alert, details and remediation instructions will be added to our cyber alerts page. An email and SMS for the alert will be sent to registered users.

Each organisation should sign in to the ‘Respond to an NHS cyber alert’ service to acknowledge the alert as soon as possible. This should be done within 48 hours of the alert being issued.

Organisations are then expected to complete their response within 14 days of the alert being issued.

Read our guidance for responding to an NHS cyber alert. Our guidance includes suggestions for what to include at each stage of remediation and will help you to produce a robust response plan for any cyber alert.

NHS England and NHS Digital will report on organisation responses. They will make contact where additional details are required or if the 48 hour or 14 day deadline is missed.

Check if your organisation needs to use the service

Check this spreadsheet to find out if your organisation should already be using the service to provide a response to high severity alerts.

If your organisation is not listed you do not need to register for access.

Please email us at if you think your organisation could benefit from using the service. We are especially interested in hearing from designated private providers and out of hours providers.

Registering to use the service

If your organisation is in our list of registered organisations, but you have not been given access, you should request access through your lead administrator for the service, or your organisation’s senior information risk owner (SIRO).

If you're unsure who to contact, please fill in this enquiry form and someone from our team will verify your request with your organisation’s administrator or SIRO.

If it's agreed that you should have access, you will be registered as either a responder or an administrator. Check which role is appropriate for you.

Accessing the service for the first time

Once you have multi-factor authentication (MFA) enabled, follow these steps to access the service for the first time. If you don't have MFA enabled, there are instructions listed below.

  1. Open the 'respond to an NHS cyber alert' service and enter your NHSmail credentials.
  2. Verify who you are using the MFA method you have set up. This will be either a text message code, a telephone call or an authenticator app.
  3. Once verified, you will be logged in to the service and you will be able to respond to cyber alerts.

Find out more about using MFA with your NHSmail account.

Enabling multi-factor authentication

All users need to have multi-factor authentication (MFA) enabled on their NHSmail account. You can now self-enrol for MFA.

If you run into any problems please contact your local administrator (LA) for NHSmail. NHSmail has provided guidance for finding your LA if you are unsure who yours is.

If you are an LA this guidance will help you enable MFA for users at your organisation.

User roles

There are 4 types of role that people can have in the ‘Respond to a cyber alert’ service: administrators, responders, auditors and service managers.


Administrators can provide responses to alerts and can manage user roles for their organisations.

Using the ‘Manage access to organisations’ page, administrators can:

  • add and remove responders
  • add and remove administrators
  • approve or deny access requests 

Responders can provide responses for their organisations but cannot manage user roles.

Responders have access to the ‘Manage access to organisations’ page where they can request access to respond on behalf of organisations.


Auditors are users who can view reports of organisation responses. Auditors can be from NHS England and NHS Improvement, or from NHS Digital. Auditors cannot provide responses and cannot manage user roles.

Auditors can view 2 reports on the service: an 'All alerts' report and a 'Latest status' report.

Both reports will show the latest response status and any comments provided by organisations within their regions.

The ‘All alerts’ report shows responses for every alert on the service. This is only downloadable as a CSV file and cannot be viewed online.

The ‘Latest status’ report shows the responses for a particular alert. This report can be viewed from within the service and is also downloadable as a CSV.

It is possible to filter the latest status report by various criteria to check responses. If you filter by organisation type, please note that this information is retrieved from Organisation Data Service, so you may find that the groupings are not what you are expecting. For example, for NHS trusts, you'll need to select both 'Care trusts' and 'NHS trusts' to show all trusts.

Service managers

Service managers are NHS Digital users who can manage access requests for administrator, responder, and auditor roles. Service managers cannot provide or view responses.

If you need to respond for your organisation but are unable to identify your administrator, contact us using the access request form.

If you need auditor access to the service, contact our helpdesk at

Accessibility statement

The 'respond to an NHS cyber alert' service has been designed to be accessible so that it can be used by as many people as possible who need to use it. Here is a link to our full accessibility statement.

We will continue to design and test all new functionality with accessibility needs in mind. If you have accessibility needs and would like to share your views, please email

Contact details

If you have questions about the 'respond to an NHS cyber alert' service, you can email or telephone our customer service centre on 0300 303 4034.

Our customer service centre is open 9am to 5pm, Monday to Friday, except on public holidays.

Last edited: 24 May 2022 5:14 pm