Mobile security and DSPT: a guide for NHS Trusts

Learn how NHS Trusts can meet UK Data Security and Protection Toolkit (DSPT) requirements for mobile devices, and how Jamf's solutions ensure DSPT compliance.

August 21 2025 by Hannah Bien, Tom Plumer

As threats become more prevalent and complex, our cybersecurity strategies must adapt. With this in mind, the UK Data Security and Protection Toolkit (DSPT) changed to align with the National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF). This means that NHS trusts, foundation trusts, integrated care boards, commissioning support units and arm's length bodies of the Department of Health and Social Care need to ensure their cybersecurity strategy meets CAF standards.

While the DSPT doesn't just apply to mobile devices, we'll focus on them here. In this blog, we'll:

  • Explain what DSPT is
  • List DSPT requirements for mobile
  • Offer ways Jamf can help secure mobile devices

Let's begin.

What is the DSPT?

The DSPT is an online tool organisations can use to measure their performance against the UK National Data Guardian's ten data security standards. Any and all organisations that access NHS patient data and systems are required to use this toolkit to ensure proper cybersecurity and data protection practices. This way, the NHS joins all UK government bodies for consistent regulation.

Organisations are required to prove they have the policies, staff training, secure system access, data breach protocols and compliance standards that meet UK GDPR regulations. The DSPT helps organisations check if they meet these standards — larger ones may opt for third-party audits as well.

DSPT requirements for mobile devices

Healthcare workers use mobile devices for a host of applications: patient care, charting, communication and more. These devices access sensitive private information protected by GDPR. As such, this data, and the devices themselves, need to be protected. Here are some requirements listed by DSPT:

  • Device security: encryption, passcodes, remote wipe capability, registration and asset tracking
  • Mobile Device Management (MDM): device enrollment and MDM-enforced security policies like allowing only approved apps and preventing user removal of profiles
  • Secure network access: devices automatically join secure NHS Wi-Fi, data access only allowed via VPN and secure data cannot move over public Wi-Fi
  • Authentication and access controls: multifactor authentication mandated, staff logins are managed effectively
  • User training: staff recognise mobile threats like phishing and know how to report a lost, stolen or compromised device
  • Monitoring: usage logs are monitored to assess risk and security incidents are logged and reported

Jamf helps Trusts align with DSPT standards

Worried about how to meet these new requirements? Jamf offers tools that help get you on the right track.

Network and web security: Jamf blocks malicious traffic and phishing attacks. And with content filtering capabilities, Jamf keeps devices away from unapproved, malicious or inappropriate websites. With Zero Trust Network Access (ZTNA), devices connect to sensitive resources like patient records securely. If the device isn't compliant or the user's identity isn't verified — access denied. With continuous verification, ZTNA prevents attackers from accessing data as soon as a threat is identified.

App vetting: Jamf highlights approved apps and analyses others, checking that they are safe for use. If an app's version is vulnerable or it requests strange permissions, Jamf will let you know.

Logging and reporting: Device compliance is a constantly moving target. Jamf helps you keep it in your sights by listing potential risks, like old operating systems, configuration vulnerabilities, incidents and more. When Jamf is integrated with your SIEM, you get insight into your security status.

Integration with Microsoft Intune: Jamf integrates with Intune, helping secure your mobile devices with web security, content filtering and secure remote access.

Find out how Jamf helps protect your mobile devices.