Skip to main content

Respond to an NHS cyber alert

This web-based service provides NHS organisations a secure and effective way to respond to high severity cyber alerts. It also offers the ability for these organisations to sign-up to receive information about the latest high severity cyber security threats and vulnerabilities by email or SMS.

When there is a high severity cyber alert, NHS Digital's Data Security Centre (DSC) will inform relevant NHS organisations of the remediation actions they should be taking. These organisations are then required to use this service to record their remediation status for the alert within 48 hours.

Benefits of the service

The respond to an NHS cyber alert service has replaced the CareCERT Collect portal, offering greater:

  • accessibility
  • usability
  • security

This new service should make the experience easier and more user friendly for all organisations that need to respond to cyber alerts.

Best practice for responding to an alert

This guidance will help you respond to high severity alerts effectively and efficiently. It offers suggestions for providing the right type of information for any stage of remediation. This will help you produce a robust response plan for any cyber alert.

By following this advice you will also be helping NHS England, NHS Digital and NHSx prioritise support to organisations that most need it. 

We want to continue improving this content, so please contact us if you have any suggestions.

What to do when you first receive an alert

As soon as you receive the high severity alert email or SMS you should access the service immediately and set your status to in progress to acknowledge receipt of the alert.

You are not expected to provide lots of detail at this stage, but if you are able to provide any of the following information without slowing down your ability to acknowledge straight away then please do so.

This information can then feed into your response plan:

  • what you have already done
  • what you are going to do
  • how many systems are affected (Workstations, Servers, Firewalls, etc...)
  • what your barriers to remediating might be
  • what management sign-offs are required
  • when you expect to complete remediation.

If you are fairly confident that an alert is not applicable for your organisation, it is still helpful to provide a response plan, even if you then change your status shortly after.

What to do whilst you are remediating

Whilst remediation is still in progress you should continue to provide regular updates until all recommended remediation steps have been completed or deemed unnecessary. You should include:

  • what you have done since your previous update
  • what you are going to do before your next update
  • how many systems are still affected  (Workstations, Servers, Firewalls, etc...)
  • what your barriers to remediating might be
  • what management sign-offs are required
  • when you expect to complete remediation.
What to do when you complete remediation

When you have completed all necessary remediation you should immediately change your status to complete and provide details about:

  • what you did
  • who signed off anything that needed signing off
  • when you did it.
What to do when you are not able to implement remediation

If remediation is not possible you should provide a Not able to implement status.  Your update should include:

  • details about alternative mitigations that have been put in place 
  • confirmation that your SIRO or CEO has accepted any associated risks.
What to do when remediation is not applicable

If remediation is not necessary provide a Not applicable status. You'll be prompted to give additional information about why the alert is not applicable for your organisation. For example, you do not use the software or hardware affected by the vulnerability.

Check if your organisation needs to use the service

Check this spreadsheet to find out if your organisation should already be using the service to provide a response to high severity alerts.

If your organisation is not listed you do not need to register for access.

Please contact us if you think your organisation could benefit from using the service. We are especially interested in hearing from Designated Private Providers and Out of Hours Providers.

Registering to use the service

If your organisation is in our list of registered organisations, but you have not been given access, you should request access through your lead administrator for the service, or your organisation’s Senior Information Risk Owner (SIRO).

If you're unsure who to contact, please fill out this enquiry form and someone from our team will verify your request with your organisation’s administrator or SIRO.

If it's agreed that you should have access, you will be registered as either a responder or an administrator. Check which role is appropriate for you.

Accessing the service for the first time

Once you have MFA enabled, follow these steps to access the service for the first time. If you don't have MFA enabled, follow the instructions above.

  1. Open the respond to an nhs cyber alerts service and enter your NHSmail credentials.
  2. Verify who you are using the MFA method you have set up. This will be either a text message code, a telephone call or the authenticator app.
  3. Once verified, you will be logged into the service and you will be able to respond to cyber alerts.

Find out more about using MFA with your NHSmail account.

High severity alert process

Here's what happens when NHS Digital's Cyber Security Operations Centre (CSOC) raises a high severity cyber alert:

  1. Cyber alert details and remediation instructions will be added to the NHS Digital website cyber alert page.
  2. A cyber alert email will be sent to registered users on the service.
  3. NHS trusts, CCGs, CSUs and ALBs who are mandated to respond by NHS England and NHSX, will have 48 hours to respond to the cyber alert, providing details of actions being taken.
  4. These organisations are then expected to have completed remediation, shown the remediation to be not applicable, or accept the risk of not mitigating within 14 days of the alert being issued.
  5. NHS England and NHSX will report on organisation responses.
  6. NHS England regional heads of digital technology will follow-up with organisations who have not provide an initial response within the 48-hour time frame.
  7. NHS trusts, CCGs, CSUs and ALBs should use the service to provide ongoing updates on the status of their remediation efforts until remediation against the cyber alert has been satisfactorily completed, or shown to not be applicable for their organisation.

Using the service

Use this guidance to understand more about the service.


We have provided recommendations for different roles to help you manage an NHS cyber alert: 

  • administrators can provide responses, add and remove users, and approve or deny access requests for their organisation(s)
  • responders can provide responses for their organisation(s), but cannot perform any user management
  • auditors are NHS England or NHSX users who can view reports of organisation responses
Responding to an alert

The response a user can provide for the organisation(s) they have been given access to respond on behalf of can either be:

  • a unique response for each organisation
  • a bulk response for all, or a subset, of their organisations
Requesting access to respond on behalf of another organisation

All responders and administrators are able to request access to respond on behalf of other organisations from the ‘manage access to organisations’ page.

Administrators are responsible for approving or denying these access requests for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Adding or removing users from your organisation

Administrators can add or remove administrators and responders for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Reporting on responses to a high severity alert

Auditor users can view two reports on the service. Both reports will show the latest response status and any comments provided by organisations within their region(s).

  • The all alerts report shows responses for every alert on the service. This is only downloadable as a CSV
  • The latest status report only shows the responses for a particular alert. This is viewable from within the service and is downloadable as a CSV.
  • It is possible to filter the latest status report by 'response status' and 'organisation type' when using the user interface to check responses.

All organisation types are retrieved from ODS, so you may find that the groupings are not what you are expecting. For example, for NHS Trusts, you'll need to select both 'Care Trusts' and 'NHS Trusts' to show all Trusts.

System changes and release notes

This service is currently in Public BETA and is continuously being improved based on the needs of its users. We aim to release new functionality, design changes, security improvements and technical enhancements every 2-weeks.

Read a summary of all of the recent changes to the service.

Contact details

If you have questions about the respond to an NHS cyber alert service you can email or telephone our customer service centre on 0300 303 4034.

Our customer service centre is open 9 am to 5 pm, Monday to Friday, except on public holidays.

Last edited: 6 April 2021 9:43 am