Skip to main content

Respond to an NHS cyber alert

This web-based service will enable NHS organisations to receive information about cyber security threats and vulnerabilities, and respond effectively and safely to them.

When there is a high severity cyber alert, NHS Digital's Data Security Centre (DSC) will inform relevant NHS organisations of the remediation actions they should be taking. These organisations are then required to use this service to record their remediation status for the alert within 48 hours.

Service availability

The service will be unavailable for a short period of time from 17:00 on 15 October 2020 whilst we release the following functionality:


  • Automated emails for newly registered users
  • Automated emails for administrators when an access request is made by a user at another organisation who wants to respond on behalf of their organisation
  • Clearer system generated messages to help users experiencing problems logging into the service


We're always looking for ways to improve the service, so if you have any suggestions, please email and we'll look to see what we can do.

CareCERT Collect has closed

All responses can now only be submitted via the respond to an NHS cyber alert service.

Benefits of the service

The respond to an NHS cyber alert service has replaced the CareCERT Collect portal, offering greater:

  • accessibility
  • usability
  • security

NHS organisations are mandated by NHS England and NHSX to respond to these cyber alerts within 48 hours from when they are issued by the DSC. This new service will make the experience easier and more user friendly. 

Check if your organisation needs to use the service

Check this spreadsheet to find out if your organisation should be using the service to provide a response to high severity alerts.

If your organisation is not listed you do not need to register for access.

Registering to use the service

If your organisation is in our list of registered organisations, but you have not been given access, you should request access through your lead administrator for the service, or your organisation’s Senior Information Risk Owner (SIRO).

If you're unsure who to contact, please fill out this enquiry form and someone from our team will verify your request with your organisation’s administrator or SIRO.

If it's agreed that you should have access, you will be registered as either a responder or an administrator. Check which role is appropriate for you.

Enabling multi-factor authentication

All users need to have multi-factor authentication (MFA) enabled on their NHSmail account.

To enable MFA, email your request to NHSmail at If you want to add other users, you can include them in your request.

You'll receive an email about when your MFA will be enabled, along with instructions on how to set it up.

It can take up to 10 days to complete requests.

Accessing the service for the first time

Once you have MFA enabled, follow these steps to access the service for the first time. If you don't have MFA enabled, follow the instructions above.

  1. Open the cyber alerts page and enter your NHSmail credentials.
  2. Verify who you are using the MFA method you have set up. This will be either a text message code, a telephone call or the authenticator app.
  3. Once verified, you will be logged into the service and you will be able to respond to cyber alerts.

Find out more about using MFA with your NHSmail account.

High severity alert process

Here's what happens when NHS Digital's Cyber Security Operations Centre (CSOC) raises a high severity cyber alert:

  1. Cyber alert details and remediation instructions will be added to the NHS Digital website cyber alert page.
  2. A cyber alert email will be sent to registered users on the service.
  3. NHS trusts, CCGs, and CSUs, who are mandated to respond by NHS England and NHSX, will have 48 hours to respond to the cyber alert, providing details of actions being taken.
  4. NHS England and NHSX will report on organisation responses.
  5. NHS England will follow-up with organisations who have not responded within the 48-hour time frame.
  6. NHS trusts, CCGs, and CSUs should then use the service to provide ongoing updates on the status of their remediation efforts until remediation against the cyber alert has been satisfactorily completed, or shown to not be applicable for their organisation.

Responding to an alert

Every organisation needs to acknowledge high severity cyber alerts within 48-hours by recording their remediation status on the service.

This service will allow (lead) organisations to respond on behalf of multiple organisations at the same time, if there's an existing agreement in place. For example, where there is an outsourced IT provider.

Organisations will be asked to provide their current status of remediation, which can be:

  • remediation under investigation or in progress
  • remediation complete
  • remediation is not necessary as the alert is not applicable
  • not able to implement remediation

Organisations will then be asked to give further information depending on the response they provide. 

Using the service


We have provided recommendations for different roles to help you manage an NHS cyber alert: 

  • administrators can provide responses, add and remove users, and approve or deny access requests for their organisation(s)
  • responders can provide responses for their organisation(s), but cannot perform any user management
  • auditors are NHS England or NHSX users who can view reports of organisation responses
Responding to an alert

The response a user can provide for the organisation(s) they have been given access to respond on behalf of can either be:

  • a unique response for each organisation
  • a bulk response for all, or a subset, of their organisations
Requesting access to respond on behalf of another organisation

All responders and administrators are able to request access to respond on behalf of other organisations from the ‘manage access to organisations’ page.

Administrators are responsible for approving or denying these access requests for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Adding or removing users from your organisation

Administrators can add or remove administrators and responders for their organisation(s) from the ‘manage’ section of the ‘manage access to organisations’ page.

Contact details

If you have questions about the respond to an NHS cyber alert service you can email or telephone our customer service centre on 0300 303 4034.

Our customer service centre is open 9 am to 5 pm, Monday to Friday, except on public holidays.

Last edited: 13 October 2020 3:00 pm