Shared devices create more access risk because the device persists while the user context changes repeatedly. If the previous session is not closed cleanly, the next clinician may inherit access state, cached credentials, or unclear attribution. The governance problem is therefore not the device itself but the transition between users.
Why Shared Devices Increase Access Risk
Shared devices raise access risk because identity and session state must be reset perfectly every time the user changes. A single missed logout, cached token, browser autofill entry, or lingering local session can let the next user inherit access they should never see. That makes shared-workstation governance a transition problem, not just an endpoint-hardening problem.
Security teams often underestimate this because the device appears compliant while the session boundary is not. The Ultimate Guide to NHIs notes that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage. In a shared-device workflow, similar failures can happen through cached credentials, copied tokens, or poorly cleared application state, especially when the device is used for clinical handoffs, shift changes, or hot-desking. Current guidance suggests treating every user transition as a security event. In practice, many security teams encounter misuse only after a clinician sees the wrong chart or an audit trail becomes impossible to trust.
How the Risk Emerges During User Handoffs
Single-user devices usually rely on one person, one profile, and one long-lived trust relationship. Shared devices break that assumption. The next user does not just inherit hardware, they inherit whatever the previous session left behind: open browser tabs, cached authentication, local application state, saved network shares, or a forgotten authenticated remote session. That is why the main control objective is not “secure the device once,” but “prove the previous user is fully detached before the next user begins.”
Practitioners reduce this risk by combining session controls, identity controls, and endpoint hygiene:
- Enforce time-bound sign-out and screen lock at every handoff.
- Use app-level reauthentication for sensitive records rather than trusting the device session alone.
- Disable credential autofill, persistent cookies, and local token storage where possible.
- Separate shared-device accounts from individual user identities so attribution remains clear.
- Prefer short-lived access tokens and rapid revocation over reusable credentials.
This aligns with the broader access-governance direction in the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0, both of which emphasize least privilege, authenticated access, and recovery from control failures. The same principle appears in the 52 NHI Breaches Analysis: when credentials or session state persist longer than intended, compromise becomes easier to reuse and harder to detect. These controls tend to break down in fast-paced environments with frequent patient turnover because staff optimise for speed and the handoff steps get skipped under pressure.
Common Failure Points and Operational Tradeoffs
Tighter handoff controls often increase friction, so organisations must balance confidentiality against workflow speed. That tradeoff is especially visible in clinical settings, where staff may need rapid access during emergencies, but broad, reusable access creates avoidable exposure. Best practice is evolving, and there is no universal standard for every environment, but the direction is clear: shared devices should minimise persistent state and make the next-user boundary explicit.
Common failure points include shared browser profiles, generic device logins that obscure accountability, and “temporary” workarounds that become permanent. Another weak spot is remote application access, where a device logout does not end the backend session. In those cases, the user may appear signed out locally while the application remains active elsewhere. Organisations should also watch for print queues, clipboard leakage, and locally cached documents, because the risk is not always credential theft. Sometimes the more serious issue is accidental disclosure through residual session content.
Shared devices are safest when paired with role-specific application controls, automatic session timeout, and logging that can reconstruct who accessed what and when. Where privacy rules are strict, some organisations add privacy screens, rapid profile reset, or kiosk-style configurations to reduce residue between users. The key point is simple: the more people touch the same device, the more the organisation must invest in hard session boundaries, because shared hardware otherwise becomes shared access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared devices need authenticated, bounded access at each user handoff. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Persistent credentials on shared devices increase reuse and exposure risk. |
| NIST AI RMF | Risk governance should address identity state persistence across changing users. |
Define and monitor shared-device handoff controls as an operational AI and identity risk.
