Cyber Guidance for GP Practices

Provided by NHS England SWL IT to provide cyber guidance notes for practices

Date published:
Date last updated:
Next review date:

You should

  • Ensure all devices are switched on regularly, left on during the day (at least once per week) and rebooted when asked.  If it is safe, leave on overnight to reduce daytime bandwidth.
  • Ensure your Business Continuity is in place and tested. 
  • Remind staff to not open attachments received from personal emails. 
  • Ensure your locums are briefed on cyber security. 
  • Ensure your business software is updated by the practice regularly or the ICB engaged (via the Service Desk) to assist with automated patching. 
  • Ensure key messages around cyber security are shared with all new staff and locums. 
  • Ensure staff and locums have undertaken regular training. 
  • Ensure staff and locums understand they should only navigate to appropriate sites. 
  • Staff and locums should not use administrative accounts. 
  • Have strong passwords and accounts are not shared. 

You should not

  • Store devices in cupboards for months on end unused.
  • You must not open suspicious emails. 
  • You must not plug phone systems, Medical Devices or 3rd party devices into the network without engaging with your ICB via the Service Desk first. 

In the event of a cyber issue at the practice 

  • Print your clinic lists. 
  • Look for email updates via mobile devices as these are less likely to be impacted. 
  • Look for unusual activity and report any concerns to the Service Desk. 
  • Do not install any software if asked to do so by unknown vendors or at the request of cold callers. 
  • Be prepared to shut devices down if requested to do so by IT or if the practices notice multiple infections. 
  • Act quickly on instructions from either the ICB or NHS England Teams. 
  • Ensure that an emergency mobile, known by the ICB, is always charged and monitored during an incident.

The ICB response in the event of a cyber-attack 

The ICB will:

  • Provide regular updates to the GPs via our Incident Response Comms plans, which includes cascading to practices.
  • Provide incident advice on our website. 
  • Update your Windows and anti-virus software and OS Patching. 
  • Update NHSE on posture and compliance. 

CareCERT Alert or Notification

If your practice receives a CareCERT Alert or Notification sends the CareCERT Notification to the ServiceDesk. 

The following process will apply:

  • The ServiceDesk triages and sends to the ICB Cyber Security Team for detailed assessment.
  • Depending on the assessment, this will be passed to the relevant operational team to resolve as appropriate.
  • The operational team resolves the Cyber issue (or escalates) and closes the call as normal. 
  • If the triage suggests the alert is a bigger issue the Service Desk may call a Major Incident (MI) and the MI process will start and the Practice will be notified that there is a MI and any action that they may need to take. 

CareCERT Bulletin

What to do if your Practice receives a Cyber Bulletin: 

  • GP Practice receives a CareCert Bulletin. 
  • There is no need for the practice to take any action as the Service Desk receives these and they are for information purposes only.