Guidance for responding to an NHS cyber alert

How to use the 'Respond to an NHS cyber alert' service after an alert has been issued.

This guidance will help you respond to high severity alerts effectively and efficiently. We have included suggestions for providing the right type of information at each stage of remediation. This will help you produce a robust response plan for any cyber alert.

By following this guidance, you will also be helping NHS England to prioritise support to organisations that most need it. 

If you are responsible for more than one organisation, you can respond in one of 2 ways. You can provide a unique response for each organisation, or you can provide a bulk response for all, or a subset, of your organisations.


The stages of your response

For each alert, you must first acknowledge the alert and state whether the alert is applicable to your organisations.

If you have determined that the alert is applicable, you must continue to provide regular updates and close your response in the service once you have finished your remediation work.

Acknowledge the alert

As soon as you receive a high severity alert you should access the service to acknowledge it.

For an alert that has not yet been acknowledged, you will see a button labelled ‘Provide acknowledgement’. After you click this button, choose which of your organisations you are providing an update for and then proceed to acknowledge the alert. Your status for the alert will be set to ‘in progress’.

You will be asked to provide an update on your response to the alert within 3 days. A due date for this update will automatically be set. You can change the due date for your next update in the ‘Remediation actions’ task.

Provide applicability

After you have acknowledged the alert, you should determine whether the alert is applicable to your organisation and inform appropriate colleagues. Give your response in the ‘Alert applicability’ task.

You should then provide further relevant information and create a response plan if an alert is applicable.

If an alert is applicable

If your organisation is vulnerable to the threat outlined in the alert, you should provide details of actions that are being taken, or will be taken. Use the ‘Remediation actions’ task for this. Include details of the number of systems affected by the vulnerability if this information is available.

If you are aware of any barriers that could affect your ability to remediate all your affected systems, provide details in the ‘Barriers to remediation’ task.

Provide a date for when you expect to give your next update. Also provide a target date for when you expect to complete remediation of all affected systems at your organisation.

If an alert is not applicable

If your organisation is not vulnerable to the threat outlined in the alert, provide details of why the alert is not applicable using one of the available options.

Your organisation’s response status will be changed to ‘not applicable’, and you will not need to provide any more information for this alert.

Provide regular updates

Where an alert is applicable for an organisation, you should provide regular updates until all recommended remediation steps have been completed or deemed unnecessary.

A reminder will be sent to all registered email addresses at the organisation on the day the next update is due. If an update is not provided, further reminders will be sent at regular intervals.

Update items in the task list to provide these regular updates.

The tasks you will need to update are:

  • remediation actions
  • barriers to remediation - where new barriers emerge or existing barriers are removed
  • target date for completion - if this date changes

Formally accept residual risk

When it is not possible to fully remediate affected systems, your organisation should use the ‘Residual risk acceptance’ task to provide details about this. This is especially important when it is more than 14 days since an alert was issued.

Organisations should continue attempting to fully remediate their systems, and provide regular updates after formally accepting any risk, until they are able to close their response with a completed status.

Your organisation should use the fields provided for this task to provide the name, email address, job role or title, and date of formal risk acceptance.

To assist with assuring that any residual risk is being satisfactorily controlled you should provide:

  • Details of mitigating controls that have been put in place alongside remediation.
  • Timescales and plans for monitoring and reducing risk in the future.

NHS England cyber teams will assess the information provided by organisations that have formally accepted risk and may request additional information to better assess whether these risks have been appropriately reduced.

Close your response to the alert

Once you have completed your response to an alert, you should use the ‘Provide a final status’ task to close your response.

If your organisation has remediated against the threat outlined in the alert, you should change your status to ‘Complete’. Do this by choosing ‘We have completed remediation’.

If your organisation has not been able to remediate your affected systems or mitigate risks through other controls, you should change your status to ‘Not able to implement’. Do this by choosing ‘We are not able to implement remediation’.
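As an added illustration, and not the service's own code (the page does not describe its internals), the stages above as a small Python state model: the class and method names are assumptions, while the statuses, task names and the 3-day and 14-day figures come from the guidance.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

DEFAULT_UPDATE_DAYS = 3   # first update is due 3 days after acknowledgement
RESIDUAL_RISK_DAYS = 14   # formal risk acceptance expected once an alert is older than this
CLOSE_CHOICES = {         # final-status options and the status each sets
    "We have completed remediation": "Complete",
    "We are not able to implement remediation": "Not able to implement",
}

@dataclass
class AlertResponse:
    """One organisation's response to one alert (hypothetical model)."""
    issued: date
    status: str = "unacknowledged"
    next_update_due: Optional[date] = None
    target_completion: Optional[date] = None
    risk_acceptance: Optional[dict] = None
    log: list = field(default_factory=list)

    def acknowledge(self, today: date) -> None:
        if self.status != "unacknowledged":
            raise ValueError("alert already acknowledged")
        self.status = "in progress"
        self.next_update_due = today + timedelta(days=DEFAULT_UPDATE_DAYS)

    def set_applicability(self, applicable: bool) -> None:
        if self.status != "in progress":
            raise ValueError("acknowledge the alert before stating applicability")
        if not applicable:                      # closes the response; no further updates
            self.status, self.next_update_due = "not applicable", None

    def update(self, today: date, next_due: date, target: date) -> None:
        if self.status != "in progress":
            raise ValueError("updates apply only to open, applicable responses")
        if next_due <= today:
            raise ValueError("next update date must be in the future")
        self.next_update_due, self.target_completion = next_due, target
        self.log.append((today, "remediation actions updated"))

    def reminder_due(self, today: date) -> bool:
        return self.next_update_due is not None and today >= self.next_update_due

    def needs_risk_acceptance(self, today: date) -> bool:
        overdue = (today - self.issued).days > RESIDUAL_RISK_DAYS
        return self.status == "in progress" and self.risk_acceptance is None and overdue

    def accept_risk(self, name: str, email: str, role: str, accepted_on: date) -> None:
        self.risk_acceptance = dict(name=name, email=email, role=role, date=accepted_on)

    def close(self, choice: str) -> str:
        if self.status != "in progress":
            raise ValueError("only an open, applicable response can be closed")
        self.status = CLOSE_CHOICES[choice]     # KeyError for an option the service lacks
        return self.status
```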


Sharing threat intelligence

As of 21 March 2024, all alerts issued will contain a traffic light protocol (TLP) rating indicating how the information provided therein can be shared. The following guidance is repeated in any HSA emails you receive.

TLP: CLEAR - Sharing this information is not restricted. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse. There is no limit on disclosure, following applicable rules and procedures for public release. Subject to standard copyright rules, these alert details can be shared without restriction. This alert is published on our public-facing website.

TLP: GREEN - This information is limited to sharing within your organisation, suppliers and closed groups. Technical instructions for remediation, open source intelligence that has had a high-level healthcare or NHS lens applied to it, and weekly briefings will be included in this rating. These items should not be distributed on any public-facing platform or held for any longer than 12 months. Any third-party supplier that needs access to this intelligence can apply for access to the CAN form by emailing [email protected].

TLP: AMBER - This intelligence is limited to sharing within your organisation and suppliers with a need to know. This information is likely to be more time-sensitive. It may include details about an organisation’s exposure to vulnerabilities, a more detailed assessment of threats to the NHS or details of specific, targeted attacks. Organisations should only retain TLP:AMBER information for as long as necessary.

TLP: AMBER+STRICT - Sharing of this intelligence is limited to within your organisation and should not be shared with suppliers unless explicitly stated by the source. There are no publicly available versions of this alert. Organisations should only retain TLP:AMBER+STRICT information for as long as necessary.


Feedback

We want to continue improving this content, so please email us at [email protected] if you have any suggestions.

Last edited: 18 March 2024 1:10 pm