They increase risk because the device can remain signed in after one clinician finishes, then carry access into the next interaction. If credentials are shared or sessions persist, the organisation loses certainty about who is using the device, which creates exposure to data misuse, compliance gaps, and workflow errors.
Why This Matters for Security Teams
shared mobile device are often treated as a workflow convenience, but in healthcare they become an identity boundary problem. When a device stays signed in, shifts from one clinician to another, or carries cached app tokens between tasks, the organisation can no longer trust that the person at the screen is the person authorised for that record. That weakens accountability, increases the chance of accidental disclosure, and makes audit trails far less reliable. Guidance in the NIST Cybersecurity Framework 2.0 treats identity assurance and access control as core security functions, not optional hygiene. NHIMG research on the Ultimate Guide to NHIs — Why NHI Security Matters Now shows that persistent access and weak lifecycle controls are recurring causes of exposure across identity types. In practice, many healthcare teams encounter misuse only after a device has already been handed off between shifts and a record or app session has been exposed.
How It Works in Practice
The risk comes from identity persistence, not the hardware itself. Shared devices often combine several exposure paths: auto-login, remembered sessions, cached messages, locally stored files, and app tokens that remain valid after a clinician leaves the device. If mobile device management is not paired with strong session control, the next user may inherit access that was never intended for them. That is especially dangerous in emergency care, ward rounds, and float pools, where devices move quickly and access needs to change just as quickly.
The safer pattern is to make access short-lived, task-bound, and easy to revoke. Healthcare organisations should combine device controls with identity controls so that each handoff requires fresh authentication or a tightly bounded re-authentication step. Current guidance suggests:
- Use per-user sign-in, not shared credentials, even if the device is shared.
- Force session timeout or lock on task completion and shift change.
- Separate clinical apps from email, messaging, and admin portals on the same device.
- Use least-privilege access so a device can do only what the current role needs.
- Log who accessed what, when, and from which device to preserve auditability.
For mobile workflows that store tokens or embedded secrets, NHIMG’s IOS app secrets leakage report is a useful reminder that mobile convenience can create silent credential exposure if apps are not designed for secure handoff. Security teams should also align mobile access reviews with the Top 10 NHI Issues where token lifecycle, secret hygiene, and monitoring are already proven failure points. These controls tend to break down when devices are used in high-speed clinical environments with poor network coverage, because teams rely on persistent sessions to avoid workflow interruption.
Common Variations and Edge Cases
Tighter device and session control often increases friction for clinicians, so organisations must balance patient safety, speed, and access certainty. That tradeoff is real: if controls are too strict, staff may bypass them; if they are too loose, device sharing becomes an identity sprawl problem. There is no universal standard for this yet, but best practice is evolving toward context-aware access that changes by location, role, time of day, and patient-risk level.
A few edge cases matter:
- Emergency access may justify faster re-authentication, but it should still produce a strong audit trail.
- Shared workstations with attached mobile peripherals can inherit trust from a previously authorised session, so logout must be explicit.
- Bring-your-own-device programmes need stronger containerisation because the boundary between personal and clinical use is thinner.
- Offline wards and poor connectivity can delay revocation, so short-lived tokens matter more, not less.
The main operational mistake is assuming device ownership equals identity assurance. In healthcare, the safer model is to trust the authenticated person, not the device history, and to treat every handoff as a potential control failure unless the session is deliberately reset.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared devices weaken identity assurance at the point of access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Persistent sessions and reused tokens create NHI lifecycle risk. |
| NIST AI RMF | AI RMF is relevant where mobile workflows include automated clinical decision support. |
Apply governance, traceability, and monitoring to any mobile AI-assisted access path.
