Technical remediation

Our centrally funded technical remediation service offers support to commissioned health and social care organisations to help review and improve their cyber security.

About technical remediation

Our technical remediation service is designed to help health and social care organisations to reduce the risk of ransomware and malware attacks by identifying and improving weaknesses within their systems.

The aim is to ensure your solution follows the National Cyber Security Centre (NCSC) guidelines and adheres to the core principles:

The work is delivered by our specialist supplier. The effort required from your organisation will vary depending on your needs. The intention is to keep your involvement to a minimum to make it as easy as possible.

Any requests that we cannot currently meet will be captured as business demand and evaluated to determine if a new offering can be scoped and provided in the future.

Technical remediation is available to arm's length bodies, integrated care boards (ICBs) and commissioning support units (CSUs).


Benefits

Technical remediation is a critical part of any cyber security strategy as it ensures weaknesses are quickly identified and resolved. By undertaking technical remediation, your organisation will:






What we offer

Our specialist supplier will work with your organisation to provide technical remediation.

Your NHS cyber security regional lead will support this work. Email [email protected] if you do not know your cyber regional lead or you would like them to get in touch with you.

Secure Backup Review

Assessment of your organisation's existing backup and recovery solution to identify security risks, highlighting gaps between your infrastructure and the NCSC guidelines, and providing remediation recommendations.

Secure Backup Review is available for organisations to consume once every 3 years. If you have had an engagement before, we will ask what improvement actions have been taken since your original engagement based on the recommendations of your original report.

How it works

Intelligence has indicated that healthcare and public sector organisations are being targeted with ransomware and malware attacks designed to gain access to backup solutions and encrypt the backup data as a precursor to a wider-scale ransomware attack.

This makes it of the utmost importance to implement a robust backup solution that can resist targeted cyber-attacks and allow the organisation to recover from an attack when needed.

1. A remote project kick-off with all stakeholders focuses on gathering information about the organisation.

2. A workshop will ascertain whether the current backup and recovery function is suitable for, and adheres to, the guidelines given by the NCSC to mitigate risk against a cyber-attack.

3. A data discovery exercise obtains data to guarantee that all critical systems are covered in the existing design. This will take the form of an active scan against the environment to identify all live hosts and the volume of data for backup.

4. A report providing a detailed alignment or non-alignment, and recommendations on how to align with industry best practice, will be sent to you.

This will take 9 to 12 weeks. The effort required from your organisation will vary depending on needs.

Next steps

Following the report, the output of the review should be discussed with your NHS cyber security regional lead, covering follow-on remediation and next steps.

More information can be found on the technical remediation hub.

Active Directory Review

Assessment of your organisation’s active directory deployment to identify security risks, highlight gaps between your infrastructure and the NCSC guidelines and provide remediation recommendations.

Active Directory Review is available for organisations to consume once every 3 years. If you have had an engagement before, we will ask what improvement actions have been taken since your original engagement based on the recommendations of your original report. 

How it works

The review highlights the most common critical issues that directly affect security and operations. These are the issues which, when remediated correctly, will greatly increase the security of the active directory itself, its host platform, and the infrastructure that it serves.

1. A remote project kick-off with all stakeholders focuses on gathering information about the organisation.

2. A security review examines misconfigurations and security concerns. The security scope breaks down into multiple smaller scopes starting with the largest security realm (the forest) and ultimately focusing on a few small but crucial endpoint settings.

3. A report providing a detailed alignment or non-alignment will be sent to you, providing recommendations for critical and high-risk findings for both security and functional issues on how to align with industry best practice.

This will take 6 to 9 weeks. The effort required from your organisation will vary depending on need.

Next steps

The output of the review should be discussed with your NHS cyber security regional lead, covering follow-on remediation and next steps.

More information can be found on the Cyber Associates Network (CAN) Active Directory remediation hub.

Multi Factor Authentication (MFA) review

Assessment of your organisation’s use of Multi Factor Authentication (MFA), highlighting gaps between your infrastructure and the NCSC guidelines and providing remediation recommendations.

How it works

MFA is widely recognised as one of the most effective ways to protect data and accounts from unauthorised access.

A national multi-factor authentication policy has been defined and should be adopted and enforced by organisations. Most organisations will have an MFA solution but there are often low proportions of applications and systems onboarded. Gaps therefore exist between national and local policies that are a significant risk.

1. A discovery exercise to complete a full gap analysis against national & local policy and process mapping with an 'exemplar policy'.

2. Authentication methodology is mapped to applications and against risk to build a complete picture of the current state and a plan for remediation activity.

3. Remediation and support of technical control adoption, relevant to the organisation's specific context, will be advised and a plan given to the organisation to work with. Where services are present that do not support MFA, recommendations will be given to reduce the risk of compromise.

4. Estimated end-to-end duration is 6 weeks. Low effort required from your organisation.  

Next steps

Organisations will have a clear view of their gaps against best practice and advice on what to do to close them. They will also have an improved local policy and a high-level plan for process and technical control adoption.

More information can be found on the technical remediation hub.

Bespoke Remediation Package

Organisations can request consultancy support and expertise to scope and deliver remediation support following a secure backup review or active directory review, as well as support for bespoke remediation.

Reconfigure existing systems to bring them into alignment with NCSC guidelines. Provide consultancy to help implement changes that address the root causes of identified risks to reduce the likelihood of reoccurrence, in areas such as design, deployment, configuration, upgrades and health.

Remediation is scoped on an individual basis.

Timeline: the effort required from your organisation will vary depending on your needs.


Technical Remediation Hub

Through the Cyber Associates Network (CAN), you can access our Technical Remediation Hub, where you will find:

  • a series of webinars on a range of technical subjects
  • technical guides and videos covering topics such as legacy authentication and encryption protocols, group policy object configurations and role-based architecture
  • access to one-hour informal consultancy sessions with subject matter experts. Get in touch with your cyber regional lead to discuss this offering further

The CAN is available to all NHS and social care organisations and provides a range of support. You will need to register to access the technical remediation hub, as well as other membership benefits.

Discover more and register for the CAN


How to apply

To apply for the services offered as part of technical remediation, register for the customer portal. When you're logged in, follow the instructions below.

  1. Select 'Submit a Case'
  2. Select the 'Cyber and Data Security' drop down on the left side.
  3. Select 'Technical Remediation'.
  4. Choose the service offering on the right side list of forms and fill in your organisation's details and requirements.

If you need help accessing the customer portal, use the NHS Digital Portal user guide.


How this service aligns with the Cyber Assessment Framework

This service aligns to the following principles and outcomes of the Cyber Assessment Framework (CAF).

Objective A: Managing security risk

A1.b Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

A2.a Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

A2.b You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.

Objective B: Defending systems against cyber attack

B2.a You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.

B2.c You closely manage privileged user access to networks and information systems supporting the essential function.

B3.a You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.

B3.c You have protected stored soft and hard copy data important to the operation of the essential function.

B4.d You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.

B5.b You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.

B5.c You hold accessible and secured current backups of data and information needed to recover operation of your essential function.

Objective D: Minimising the impact of cyber security incidents

D1.c Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.

Last edited: 20 April 2026 12:09 pm