From tablets and smartphones to specialist medical tech, mobile devices have become indispensable tools for healthcare staff, streamlining access to patient records, improving communication, and supporting remote monitoring.
However, with these advancements come heightened security risks. Mobile devices store and transmit vast amounts of sensitive patient data, making them prime targets for cybercriminals.
Suzan Sakarya shares her expertise on how NHS Trusts can manage and secure healthcare mobile devices effectively to protect both patient data and quality of care.
What unique challenges do NHS Trusts face in securing healthcare mobile devices?
Mobile security tends to be a struggle across most sectors, but healthcare faces some unique issues that ramp up the challenge. NHS Trusts are extremely busy environments, with huge numbers of patients and staff coming and going around the clock. With most of them having at least one mobile device on their person, this represents a myriad of devices connecting to the network in addition to the mobile devices healthcare personnel routinely rely on for patient care.
Budget and operational constraints also mean that healthcare providers tend to hang on to outdated legacy devices for longer than other fields, increasing the chances of vulnerable devices that can be exploited by attackers. This is exacerbated by the widespread use of unpatched and potentially vulnerable software.
It’s common for devices to run multiple instances of third-party software, which means keeping them secure relies on the vendor providing regular updates and security patches. Vendors overlooking this duty and leaving devices vulnerable is a common root cause of security breaches.
Trusts also face a difficult balancing act in handling sensitive data. Protecting patient information is essential, but any security measure must also account for the continuity of care, as any delay in device access could disrupt treatment. Balancing the need for quick, seamless access to devices with stringent security requirements is an ongoing challenge.
Why are healthcare organisations, especially NHS Trusts, attractive targets for cybercriminals?
Healthcare organisations hold a wealth of sensitive data, making them high-value targets for cybercriminals.
Patient health information is particularly valuable on the black market, often selling for more than financial data due to its permanence and the opportunities it offers for identity theft and fraud. This data includes both medical histories and personal identification details, making it extremely profitable for attackers.
Criminal groups have also proven themselves increasingly willing to threaten patient well-being as leverage for disruptive ransomware attacks. While it’s never ideal, most businesses can survive a day-long outage. For Trusts, even a brief incident of unplanned downtime can have huge consequences. Groups will often combine data exfiltration with encryption to increase the pressure on meeting payment demands.
The fact that so many healthcare organisations operate under strict resource constraints also makes implementing robust security measures more challenging. Attackers know this and may perceive healthcare providers as softer targets compared to other industries with higher security budgets.
The complex and often unmonitored array of devices continually joining the network and accessing resources also provides an enticing pathway to access the broader IT infrastructure and critical health data.
What steps can NHS Trusts take to gain greater visibility and control over mobile devices to protect sensitive patient data?
Effective mobile security relies on comprehensive visibility into each device connected to the network. Implementing Mobile Device Management (MDM) solutions is a foundational step, as these tools enable IT teams to monitor device access, enforce security policies, and track any unauthorised attempts to access sensitive data. Real-time visibility is critical, as it allows Trusts to detect and respond to threats swiftly.
Enforcing consistent security policies across devices is equally important. By demanding measures such as regular software updates and multi-factor authentication, NHS Trusts can significantly reduce the risk of unauthorised access. Implementing strict policies around encryption also ensures that even if a device is lost or stolen, patient data remains protected.
Finally, fostering a security-aware culture among healthcare staff is essential. Training employees to recognise potential threats, such as phishing emails or insecure app installations, empowers them to act as a frontline defence. The healthcare environment is fast-paced and often stressful, but educating staff on safe device usage ensures that security doesn’t fall by the wayside in daily operations.
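The answer above describes what an MDM gives a Trust: visibility into every device plus enforced policies on OS currency, encryption and multi-factor authentication. The following is an added example, not code from the article or from Jamf, showing how those policy points can be checked mechanically against a device inventory of the kind an MDM exports. The policy thresholds, device records and the reference date are constructed for illustration; a Trust would substitute its own MDM export and its own minimum versions.

```python
"""Evaluate an MDM device inventory against a mobile security policy.

Added example (not from the original article or Jamf). The inventory
records, policy values and reference date below are constructed for
illustration; a real Trust would export the inventory from its MDM and
set its own thresholds.
"""
from datetime import date, timedelta

# Constructed policy: minimum supported OS per platform, the longest a device
# may go without checking in to the MDM, and the controls every device needs.
POLICY = {
    "min_os": {"iOS": (17, 0), "Android": (14, 0)},
    "max_checkin_days": 7,
    "required": ("encrypted", "mfa_enrolled", "passcode_set"),
}

# Constructed reference date so the report is reproducible.
TODAY = date(2024, 6, 4)


def parse_version(text):
    """'17.4.1' -> (17, 4, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def evaluate_device(device, policy, today):
    """Return the policy findings for one device (an empty list is compliant)."""
    findings = []
    platform = device["platform"]
    min_os = policy["min_os"].get(platform)
    if min_os is None:
        # Legacy platforms with no supported baseline are flagged outright.
        findings.append(f"unsupported platform {platform}")
    elif parse_version(device["os_version"]) < min_os:
        wanted = ".".join(str(n) for n in min_os)
        findings.append(f"{platform} {device['os_version']} below minimum {wanted}")
    for control in policy["required"]:
        if not device.get(control, False):
            findings.append(f"{control} missing")
    last_seen = date.fromisoformat(device["last_checkin"])
    if today - last_seen > timedelta(days=policy["max_checkin_days"]):
        # A device that stopped reporting is invisible to the MDM and may be lost.
        findings.append(f"no check-in since {device['last_checkin']}")
    return findings


def compliance_report(inventory, policy, today):
    """Map device id -> findings, listing only devices with at least one finding."""
    report = {}
    for device in inventory:
        findings = evaluate_device(device, policy, today)
        if findings:
            report[device["id"]] = findings
    return report


# Constructed inventory: three devices as an MDM export might describe them.
SAMPLE_INVENTORY = [
    {"id": "ward-ipad-01", "platform": "iOS", "os_version": "17.4.1",
     "encrypted": True, "mfa_enrolled": True, "passcode_set": True,
     "last_checkin": "2024-06-03"},
    {"id": "community-phone-07", "platform": "Android", "os_version": "12",
     "encrypted": True, "mfa_enrolled": False, "passcode_set": True,
     "last_checkin": "2024-05-20"},
    {"id": "legacy-scanner-02", "platform": "WindowsCE", "os_version": "6.0",
     "encrypted": False, "mfa_enrolled": False, "passcode_set": False,
     "last_checkin": "2024-06-04"},
]

if __name__ == "__main__":
    for dev_id, findings in compliance_report(SAMPLE_INVENTORY, POLICY, TODAY).items():
        print(dev_id)
        for finding in findings:
            print("  -", finding)
```

Run as a script, the report names the two non-compliant devices and the reason for each, which is the list a Trust's IT team would work through: the Android handset needs an OS update and MFA enrolment and has not reported for over a week, while the legacy scanner has no supported baseline and none of the required controls. The compliant iPad does not appear at all.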
Are there examples of how NHS Trusts are implementing these strategies successfully?
Keeping healthcare secure can feel like a decidedly uphill battle, but we’ve witnessed first-hand what can be achieved with the right approach.
One strong example is Gloucestershire NHS Trust, which runs Gloucester Royal Hospital and Cheltenham General Hospital. The Trust was struggling with a huge increase in data usage due to remote working, going from 400GB a month to over 3.2TB. At the same time, it needed to ensure that mobile workers were as secure as those using the on-premises Wi-Fi.
They overcame these challenges by setting precise data caps and restricting non-essential apps on mobiles and SIM-enabled laptops, reducing costs and securing patient data while ensuring devices remained functional for care delivery.
Another strong case is Oxford Health NHS Trust, which implemented MDM to secure and streamline their use of Apple devices for community healthcare. By enabling real-time oversight and managing device configurations, the Trust ensured secure access to sensitive data, supporting their mobile health strategy while protecting patient confidentiality.
These Trusts highlight that a balanced approach – combining technology with staff education – can yield significant results. By prioritising visibility, control, and training, NHS Trusts can better protect sensitive data and improve the security of mobile devices against increasingly aggressive threat actors.
By Suzan Sakarya, Senior Manager of EMEIA Security Strategy at Jamf