By Adam Boynton, senior security strategy manager at Jamf
Mobile devices have become the NHS’s most quietly transformative tools.
Whether on a ward round, at a community visit, or during an emergency response, clinicians now rely on phones and tablets as instinctively as they once reached for a penlight.
These endpoints carry clinical messaging, access patient histories, document photographs for safeguarding and wound care, and support real-time decision-making.
But the more essential these devices become, the more consequential their weaknesses are.
Mobile introduces risk in every industry, yet healthcare faces a uniquely unforgiving combination of factors: relentless operational pressure, sensitive data in every exchange, staff stretched thin, and a growing mix of corporate, shared and personal devices that are often difficult to govern.
Our research found that more than half of mobile devices used for work run on outdated or vulnerable operating systems — an ideal starting point for cybercriminals.
In a clinical setting, that risk does not remain abstract. A compromised device means delayed care, misdirected treatment, or the exposure of deeply personal information.
This is why mobile security can no longer be considered an add-on to NHS cyber strategy. It is now foundational to clinical safety.
The Data Security and Protection Toolkit (DSPT), particularly in its updated CAF-aligned form, provides the structure to raise mobile from “best effort” to “verifiable assurance”.
The challenge is ensuring the framework reaches every corner of an increasingly complex mobile ecosystem.
A rapidly expanding attack surface
The speed of mobile adoption has outpaced traditional security governance.
Many devices sit outside IT’s field of view, running unsupported OS versions or receiving patches only intermittently. BYOD has become normalised out of necessity, but personal devices handling patient data without appropriate controls introduce uncertainty that no trust can afford.
NHS guidance is explicit: any device accessing systems supporting essential functions must fall within an organisation’s assurance scope.
This principle is set to strengthen under the forthcoming Cyber Security and Resilience Bill, which focuses directly on securing critical national infrastructure such as healthcare.
Yet the reality on the ground is uneven. Mobile fleets grow weekly.
Staff rotate rapidly. Clinical photography, messaging apps and digital workflows evolve faster than central security policies can keep up.
The latest DSPT update exists precisely because the assurance gap between desktop and mobile has widened.
The toolkit now asks for evidence — not intent — that controls are active, effective, and applied across all endpoints.
What DSPT compliance truly expects from mobile environments
The DSPT, aligned with the UK’s Cyber Assessment Framework, reframes security assurance around outcomes.
It requires trusts to demonstrate capability across five areas: managing risk, protecting against attack, detecting incidents, minimising impact, and using and sharing information appropriately.
For mobile devices, this means:
- A complete, trusted inventory: Every device interacting with NHS systems — corporate, shared or personal — must be visible and accounted for.
- Supported and up-to-date operating systems: Unsupported OS versions should not be permitted to access sensitive systems. Patch compliance becomes a clinical requirement, not an IT aspiration.
- Verification of both user and device identity: Compromised, lost or stolen devices must be isolated or wiped immediately to prevent further exposure.
- Governance that applies equally to BYOD: Personal devices used for clinical communication, photography or system access fall under the same compliance expectations as managed endpoints.
- Evidence that controls work in practice: Policies alone are no longer enough. Trusts must prove that encryption, patching, authentication, isolation and incident response are consistently enforced.
This is the shift from “compliance as documentation” to “compliance as observable security”.
Applying DSPT principles to the real world of mobile in healthcare
To operationalise the DSPT in a mobile environment, organisations need to treat smartphones and tablets as critical clinical infrastructure.
The starting point is visibility.
Without real-time insight into device status, OS versions, application behaviour and compliance posture, risk management becomes guesswork.
Protection against attack relies on consistency. Devices must be encrypted, locked down, patched on schedule and capable of secure remote wipe.
IT teams must be able to govern data flows — from local storage to app-to-app interaction — to ensure clinical photography, messaging and documentation remain controlled.
Detection and response must extend to mobile with the same seriousness applied to desktops.
Device telemetry should integrate with wider monitoring so early warning signs — privilege misuse, rogue profiles, anomalous behaviour — trigger timely intervention.
A device that can be quarantined in minutes is a device that cannot harm patients.
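To make the requirements above concrete (a trusted inventory, supported OS versions, encryption, management enrolment that includes BYOD, and prompt isolation of lost or stolen devices), here is an added example that is not Jamf's, the NHS's or the DSPT's own code. It evaluates a small constructed device inventory against those controls and returns evidence per device rather than a policy statement. The minimum OS versions, the seven-day check-in window and the device records are illustrative assumptions, not NHS or vendor values.

```python
"""Added example: evaluate a constructed mobile inventory against DSPT-style
mobile controls and produce per-device evidence plus an access decision."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds (placeholders, not NHS/DSPT figures): minimum supported
# OS version per platform and the maximum age of a device's last check-in.
MIN_OS = {"iOS": (17, 0), "Android": (13, 0)}
MAX_CHECKIN_AGE = timedelta(days=7)
# Fixed clock so the example is reproducible offline.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    ownership: str          # "corporate", "shared" or "byod"
    encrypted: bool
    managed: bool           # enrolled in device management (in assurance scope)
    last_checkin: datetime
    status: str = "active"  # "active", "lost" or "stolen"


def parse_version(version: str) -> tuple[int, ...]:
    """'17.2.1' -> (17, 2, 1); tuples compare correctly against MIN_OS entries."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, now: datetime = NOW) -> list[str]:
    """Return the list of control failures for one device (empty == compliant)."""
    findings: list[str] = []
    if device.status in ("lost", "stolen"):
        findings.append(f"reported {device.status}: isolate and remote-wipe")
    if not device.managed:
        # BYOD is held to the same expectation as corporate devices.
        findings.append("not enrolled in management: outside assurance scope")
    if not device.encrypted:
        findings.append("storage not encrypted")
    minimum = MIN_OS.get(device.platform)
    if minimum is None:
        findings.append(f"unknown platform {device.platform!r}")
    elif parse_version(device.os_version) < minimum:
        floor = ".".join(str(n) for n in minimum)
        findings.append(f"unsupported OS {device.os_version} (minimum {floor})")
    age = now - device.last_checkin
    if age > MAX_CHECKIN_AGE:
        # A device that has not reported in cannot have its posture verified.
        findings.append(f"no check-in for {age.days} days")
    return findings


def access_decision(findings: list[str]) -> str:
    """Map evidence to an action: wipe lost/stolen, block any other failure."""
    if any(f.startswith("reported ") for f in findings):
        return "wipe"
    return "block" if findings else "allow"


def compliance_report(devices: list[Device], now: datetime = NOW) -> dict[str, list[str]]:
    return {d.device_id: evaluate(d, now) for d in devices}


def summarise(report: dict[str, list[str]]) -> dict[str, int]:
    """Count devices per decision; this is the 'observable' evidence a trust can show."""
    return dict(Counter(access_decision(f) for f in report.values()))


# Constructed sample inventory (identifiers and values are invented).
INVENTORY = [
    Device("IPAD-WARD-07", "iOS", "17.2.1", "shared", True, True, NOW - timedelta(days=1)),
    Device("IPHONE-CN-112", "iOS", "16.7.8", "corporate", True, True, NOW - timedelta(days=2)),
    Device("BYOD-A41B", "Android", "14.0", "byod", False, False, NOW - timedelta(days=30)),
    Device("IPHONE-ED-03", "iOS", "17.1", "corporate", True, True, NOW - timedelta(hours=3), "lost"),
]

if __name__ == "__main__":
    report = compliance_report(INVENTORY)
    for device_id, findings in report.items():
        print(f"{device_id}: {access_decision(findings)} {findings}")
    print(summarise(report))
```

The point of the structure is that every decision is backed by a named finding, which is the kind of artefact an assessor can check, and that an unmanaged personal device fails for the same reasons a corporate one would.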
And then there is behaviour. Safe data handling depends on clear policies, reinforced expectations, and a culture where staff understand that mobile discipline is part of protecting patients, not an administrative burden.
The CAF-aligned DSPT expects trusts to demonstrate that these controls function continuously — not once a year at submission time.
It raises the standard to something closer to operational cyber resilience.
DSPT-aligned mobile security is ultimately about patient safety
Cybersecurity in healthcare has always carried higher stakes.
A compromised mobile device isn’t merely an IT incident; it can alter clinical outcomes, delay time-critical care, or expose the most sensitive categories of personal data.
DSPT compliance strengthens resilience by ensuring that the mobile systems clinicians rely on remain secure, available and trustworthy.
This aligns closely with GDPR’s principles of minimisation and accountability, and with the NHS’s growing focus on digital clinical safety.
In an environment where even small interruptions can influence patient care, mobile security is no longer simply a technology matter — it is part of safe, modern healthcare delivery itself.
The organisations that embrace this view now will be the ones best prepared for the next evolution of national cyber standards, the rising threat landscape, and the ever-increasing clinical reliance on mobile.