Mobile devices now sit at the centre of everyday NHS practice, supporting clinicians in documenting care, accessing records, communicating across teams and delivering services in the community. But as reliance grows, so too does risk exposure, particularly when devices run outdated software, fall outside governance, or handle patient data without consistent safeguards.
To understand how NHS organisations can strengthen mobile security and meet rising regulatory expectations, Adam Boynton, Senior Security Strategy Manager EMEIA at Jamf, explains how the Data Security and Protection Toolkit (DSPT) can help trusts build resilient, compliant mobile environments.
Why is DSPT the best framework for addressing mobile device vulnerabilities in NHS organisations?
The DSPT stands out because it reflects what NHS organisations are actually dealing with day to day. It gives trusts a clear, outcome-driven way to understand how secure their mobile environments really are.
This also means it reflects the realities of modern, mobile-driven healthcare rather than being a generic security checklist. It’s built around protecting patient data, keeping systems available during busy clinical periods, and making sure information is being used safely. Mobile devices now play a part in all of that, yet they can easily slip outside the governance applied to desktops.
The other strength of the DSPT is its focus on evidence. It’s no longer enough to say you have the right policies. You need to show that devices are patched, encrypted, monitored and managed consistently. That approach is essential in mobile environments, where device states can change quickly and risks evolve rapidly.
And with the Cyber Security and Resilience Bill on the horizon, DSPT also gives trusts a solid foundation for meeting future regulatory expectations around healthcare’s status as critical national infrastructure. The recent updates to the DSPT to better align it with the National Cyber Security Centre’s Cyber Assessment Framework (CAF) are also helpful here.
What are the most common security gaps you see in how healthcare workers currently use mobile devices, and how could DSPT help close them?
One of the biggest issues we see is the number of devices running outdated operating systems. More than half of the devices used in professional settings we see fall into that category, and that’s an easy win for attackers. In healthcare, where devices move between wards, shifts and sites, it’s perhaps even easier for them to fall off the IT team’s radar.
We also see a lot of well-intentioned workarounds. Staff might use a consumer messaging app because it’s quick or connect to public Wi-Fi because it’s the only option on a community visit. These may seem harmless in the moment, but they introduce risks that can be difficult to track or control.
Bring Your Own Device (BYOD) policies add another layer of complexity. Personal devices are now part of everyday clinical communication, but they don’t always receive the same security oversight as corporate devices.
This is where the DSPT is particularly helpful. It pushes organisations to get a full picture of every device accessing NHS systems and to prove that controls like encryption, patching and authentication are being applied consistently. Mobile Device Management (MDM)-based policies that can enforce security and privacy settings for work devices are important here. There is an overall push to make mobile activity part of the wider monitoring picture, so unusual behaviour is picked up early.
By applying this structure to all mobile endpoints, DSPT helps trusts close the security gaps that naturally appear in busy clinical environments.
What practical steps can NHS organisations take to strengthen mobile security and improve cyber resilience to better protect patients and support clinical workflows?
A good first step is simply knowing what you have. Getting real-time visibility of every mobile device – its OS version, configuration, app behaviour and compliance status – gives organisations a foundation to work from. Without that, it’s incredibly hard to manage risk.
From there, consistency is key. Trusts should make sure devices are enrolled in MDM so they can enforce policies around encryption, passcodes, app installation and remote wipe. These are basic controls, but when they aren’t applied uniformly, vulnerabilities creep in quickly.
Secure access routes are another important piece. Devices should default to NHS Wi-Fi, and anything sensitive should go through VPN or Zero Trust Network Authentication (ZTNA) so both the user and device are verified. This helps stop non-compliant or unfamiliar devices from slipping into clinical systems unnoticed.
It’s also important to bring mobile into the trust’s wider monitoring efforts. Feeding device telemetry into the Security Information and Event Management (SIEM) means unusual activity, like a suspicious profile or odd app behaviour, gets attention straight away.
And finally, staff education makes a huge difference. Simple guidance on phishing, safe clinical photography, secure messaging and what to do if a device is lost can prevent many incidents. The message should always be that mobile security is part of protecting patients, not an administrative add-on.
How can NHS trusts ensure ongoing compliance with DSPT as mobile technology and cyber threats evolve?
The key is to treat DSPT compliance as a continuous process rather than something that happens once a year. Mobile environments change constantly. Devices are upgraded, staff rotate, and new apps are adopted quickly, so security controls need to evolve alongside them.
Automating as much as possible really helps. Regular patch checks, OS version enforcement and automatically isolating non-compliant devices can take a lot of manual burden off digital teams. It also means vulnerabilities are caught before they cause disruption.
BYOD must be included in this too. If personal devices are part of the clinical workflow, they should meet the same standards as corporate ones. Clear onboarding processes and conditional access policies can make this manageable without adding friction for staff.
Embedding mobile governance into the trust’s broader cyber and clinical risk processes is also vital. When mobile is considered alongside desktops, infrastructure and clinical systems, it becomes much easier to maintain consistent standards.
And ultimately, trusts benefit from making continuous cyber hygiene part of everyday culture. When teams understand why mobile security matters – and how it directly affects patient safety – ongoing DSPT compliance becomes far more sustainable.
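The posture checks described in the two answers above (OS version enforcement, encryption, MDM enrolment, passcodes, automatic isolation of non-compliant devices, and BYOD held to the same standard) can be expressed as a small policy evaluator. The example below is added here and is not code from the interview, Jamf or the NHS; the policy thresholds, device names and states are constructed placeholders.

```python
from dataclasses import dataclass
# Constructed policy thresholds (placeholder values, not NHS or Jamf figures).
MIN_OS = {"ios": (17, 0, 0), "android": (14, 0, 0)}

@dataclass
class Device:
    device_id: str
    platform: str       # "ios" or "android"
    os_version: str     # dotted string as reported, e.g. "17.4.1"
    encrypted: bool     # storage encryption on
    mdm_enrolled: bool  # managed, so policy can actually be enforced
    passcode_set: bool
    ownership: str      # "corporate" or "byod"; the policy is identical for both

def parse_version(version: str) -> tuple:
    """Normalise 'major[.minor[.patch]]' to a 3-tuple so '17' equals '17.0.0'."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def evaluate(device: Device) -> list:
    """Return the list of policy failures; an empty list means compliant."""
    minimum = MIN_OS.get(device.platform, (0, 0, 0))
    checks = [
        (device.platform in MIN_OS, "unsupported platform"),
        (parse_version(device.os_version) >= minimum,
         "os below minimum " + ".".join(map(str, minimum))),
        (device.encrypted, "storage not encrypted"),
        (device.mdm_enrolled, "not enrolled in MDM"),
        (device.passcode_set, "no passcode"),
    ]
    return [message for ok, message in checks if not ok]

def access_decision(device: Device) -> str:
    """Conditional-access outcome: 'allow', or 'isolate' until the device is fixed."""
    return "allow" if not evaluate(device) else "isolate"

def compliance_report(devices: list) -> dict:
    """Evidence summary: counts plus the reason each isolated device failed."""
    failures = {d.device_id: evaluate(d) for d in devices}
    isolated = sorted(k for k, v in failures.items() if v)
    return {"total": len(devices), "compliant": len(devices) - len(isolated),
            "isolated": isolated, "failures": failures}

# Constructed sample inventory (fictitious device names and states).
SAMPLE_DEVICES = [
    Device("WARD-IPAD-01", "ios", "17.4.1", True, True, True, "corporate"),
    Device("COMMUNITY-IPHONE-07", "ios", "16.7.2", True, True, True, "corporate"),
    Device("BYOD-ANDROID-03", "android", "14", True, False, True, "byod"),
    Device("BYOD-ANDROID-04", "android", "15.0", True, True, True, "byod"),
]
```

Run `compliance_report(SAMPLE_DEVICES)` to get the per-device failure reasons an assessor would ask for; the same inventory fed from an MDM export gives the automated isolation decision described in the answer.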
Adam Boynton, Senior Security Strategy Manager EMEIA at Jamf
