By NHI Mgmt Group Editorial Team
Published 2025-11-13
Domain: Governance & Risk
Source: Imprivata

TL;DR: Shared-use mobile devices are now central to UK hospital workflows, but Imprivata reports that 77% of respondents share credentials, 74% leave devices signed in, and 54% have seen breaches from unauthorised mobile access. The security case is no longer abstract: identity controls must keep pace with clinical speed, not fight it.


At a glance

What this is: An Imprivata analysis of shared mobile devices in UK healthcare and the identity and access risks they introduce, with credential sharing and signed-in devices standing out as the core governance problem.

Why it matters: Shared devices turn everyday clinical access into a governance issue for NHI, human identity, and lifecycle controls, especially where speed, accountability, and patient data protection must coexist.

By the numbers (from the Imprivata survey summarised above):

  • 77% of respondents share credentials.
  • 74% leave devices signed in.
  • 54% have seen breaches from unauthorised mobile access.


Context

Shared mobile devices in healthcare are a workforce identity problem as much as a device problem. When clinicians share endpoints, credentials, or persistent sessions, the boundary between convenience and access control disappears, and the programme shifts from user experience to identity governance.

UK hospitals are operating under tighter operational and regulatory pressure while adding more vendors, contractors, and connected devices. The result is a wider attack surface where mobile access, session persistence, and accountability all have to be managed at clinical speed, not just at policy speed.


Key questions

Q: How should hospitals secure shared mobile devices without slowing clinicians down?

A: Hospitals should make access fast for the individual clinician and strict for the device state. That means separate user identities, automatic session termination, passwordless or SSO where appropriate, and audit trails that survive shift changes. If staff can move quickly without inheriting someone else’s signed-in state, security improves without forcing unsafe workarounds.

Q: Why do shared credentials create more risk in healthcare than in many other sectors?

A: Shared credentials weaken attribution in environments where timing, responsibility, and patient safety all matter. In healthcare, staff hand off devices across shifts, contractors enter and leave quickly, and the same endpoint may touch sensitive records many times a day. That combination makes reuse and persistence especially dangerous because the identity trail becomes unreliable.

Q: What breaks when mobile devices stay signed in after clinical handoff?

A: When devices stay signed in, the next user may inherit access without re-authenticating, which undermines accountability and can expose patient data to the wrong person. It also confuses incident response, because logs may show a legitimate account while the actual operator changed. That is a governance failure, not just a usability issue.

Q: What should identity and security teams review when hospitals expand shared mobile programmes?

A: They should review session timeout behaviour, per-user attribution, contractor access, and whether mobile devices are included in access reviews. Shared programmes fail when they are managed as endpoint deployments only. They need the same lifecycle discipline applied to any other access path that can expose patient data.


Technical breakdown

Why shared sign-ins break clinical access control

Shared-use devices are often treated as harmless workflow tools, but the technical issue is persistent authentication state. If a device remains signed in after use, the next user inherits the previous session or can act under the wrong identity. That creates audit ambiguity, weakens non-repudiation, and blurs who approved or performed a sensitive action. In healthcare, that is not just a usability flaw. It is a control-plane failure that undermines access governance, session management, and data accountability across bedside and mobile workflows.

Practical implication: enforce per-user session separation and automatic sign-out on shared clinical devices.

Credential sharing on mobile devices creates standing access risk

Credential sharing turns mobile access into standing privilege by another name. Instead of each clinician authenticating as an individual, the environment starts to rely on reusable secrets and informal access handoffs. That makes it harder to prove who accessed patient data, who changed orders, or who approved a workflow step. It also weakens recertification because the entitlement on paper no longer matches the access in practice. The more the device is shared, the more the credential model drifts away from trustworthy identity boundaries.

Practical implication: remove shared credentials from clinical workflows and tie mobile access to individually attributable identities.

Why single sign-on and passwordless reduce friction without removing governance

Single sign-on and passwordless authentication can reduce friction, but only if they are paired with device and session governance. In a shared environment, the goal is not to eliminate authentication steps altogether. It is to make authentication fast enough that staff do not bypass it through credential sharing or session reuse. Done properly, the model improves accountability, supports better audit trails, and helps align access with clinical roles and shift-based work. The key is to reduce unsafe workarounds, not to weaken verification.

Practical implication: deploy friction-reducing authentication only alongside device controls, role-based access, and strong session enforcement.
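To make the session-state argument above concrete, here is an added illustration (not Imprivata's or NHI Mgmt Group's code, and not any real MDM or SSO API) of one shared ward device under a "sticky" policy, where the session survives handoff, versus a per-user policy with handoff sign-out, idle expiry and fast re-authentication before each action. The device model, clinician identifiers, timestamps and the 120-second idle timeout are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
IDLE_TIMEOUT_S = 120  # assumed policy: an idle session expires after two minutes

@dataclass
class SharedDevice:
    """Hypothetical model of one shared ward device under two session policies.
    "sticky": the session survives handoff, so whoever holds the device next acts
    under the previous identity (the failure mode described above). "per_user":
    actions must come from the signed-in identity, idle sessions expire, and a
    handoff always terminates the session."""
    policy: str
    user: Optional[str] = None      # identity the device believes is present
    last_seen: float = 0.0          # timestamp of the last authenticated activity
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def sign_in(self, user: str, now: float) -> None:
        self.user, self.last_seen = user, now
        self.audit.append((now, user, "sign_in"))

    def handoff(self, now: float) -> None:
        """Device passed to the next clinician (shift change, ward transfer)."""
        if self.policy == "per_user" and self.user:
            self.audit.append((now, self.user, "sign_out"))
            self.user = None
        # sticky policy: nothing happens, the old session stays live on the device

    def act(self, actor: str, action: str, now: float) -> str:
        """`actor` is who physically taps the screen; returns the identity the audit
        trail attributes the action to."""
        if self.policy == "per_user":
            if self.user and now - self.last_seen > IDLE_TIMEOUT_S:
                self.audit.append((now, self.user, "idle_sign_out"))
                self.user = None
            if self.user != actor:
                self.sign_in(actor, now)  # fast re-auth (SSO/passwordless tap assumed)
        if self.user is None:
            raise PermissionError("no signed-in identity on device")
        self.last_seen = now
        self.audit.append((now, self.user, action))
        return self.user

def handoff_scenario(policy: str):
    """dr_a signs in, works, hands the device over; nurse_b then updates an order."""
    dev = SharedDevice(policy)
    dev.sign_in("dr_a", 0)
    dev.act("dr_a", "view_record:123", 10)
    dev.handoff(20)
    attributed = dev.act("nurse_b", "update_order:77", 30)
    return attributed, dev.audit
```

Under the sticky policy the order update is logged against dr_a even though nurse_b performed it; under the per-user policy the audit trail shows dr_a signing out at handoff and nurse_b signing in before the update.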


Threat narrative

Attacker objective: The attacker or opportunistic insider gains unauthorised access to patient data and clinical systems by exploiting weak mobile identity controls.

  1. Entry occurs through shared-use mobile devices that remain signed in or are accessed with shared credentials, letting the wrong person inherit active access.
  2. Escalation follows when those credentials or sessions are reused across clinical workflows, giving broader access to patient data and internal systems than intended.
  3. Impact shows up as unauthorised access to data, weakened auditability, operational disruption, and reduced trust in mobile-enabled care delivery.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shared clinical devices have become an identity governance problem, not just a mobility problem. The article shows that access, accountability, and patient trust all collapse when a device is treated as a shared convenience layer rather than an attributable identity endpoint. That is a governance failure because the identity model no longer matches the way work is actually performed. Practitioners should treat shared mobile programmes as part of access governance, not endpoint hygiene.

Credential sharing is a standing-privilege pattern disguised as operational efficiency. Once staff reuse credentials or remain signed in, the access state persists beyond the person who originally authenticated. That breaks the assumption that mobile access is always individually attributable at the moment of use. The implication is that recertification and audit evidence must account for session persistence, not just account ownership.

Clinical workflow speed and strong identity controls are not opposing goals. The report’s savings and adoption data show why hospitals keep expanding shared mobile use, but the same model also increases the cost of weak session and credential discipline. The field-level lesson is that identity governance has to be embedded into the device workflow, or clinical convenience will continue to outpace control.

Shared mobile access exposes a lifecycle gap across joiner, mover, and leaver controls. Shared devices and contractor-heavy environments work because access is temporary, role-bound, and highly contextual, yet many programmes still manage them as if entitlements were durable. That assumption fails when staff rotate quickly across shifts or devices stay signed in after handoff. The implication is that lifecycle governance must follow the clinical session, not the staffing chart.

Digital transformation in healthcare is widening the identity blast radius of every unmanaged device. More vendors, more contractors, and more connected endpoints mean more opportunities for one weak mobile control to affect patient data, operations, and compliance simultaneously. That is why mobile identity governance now sits alongside broader NHI and human access controls. Practitioners should plan for a wider blast radius, not just a larger endpoint estate.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities (46% confirmed, 26% suspected), according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly access-control weakness can repeat once governance breaks down.
  • For a broader view of identity failure patterns, see The 52 NHI breaches Report for case-based analysis of how identity exposure turns into operational impact.

What this signals

Shared mobility is now part of the identity perimeter. Hospital programmes that treat mobile endpoints as a convenience layer will miss the real failure mode, which is persistent identity state across users. The operational question is no longer whether clinicians can move faster, but whether the programme can preserve attribution when they do. The 54% breach figure in Imprivata's research shows why this is becoming a mainstream governance issue rather than a corner case.

If shared devices remain signed in after handoff, the resulting audit gap behaves like a control debt that accumulates across shifts. That means access reviews, incident response, and patient-data governance all need a device-state view, not only an account view. For teams building out mobile access programmes, this is the point where lifecycle management and session governance start to converge.

The strongest forward signal is that healthcare security is moving toward friction-aware controls rather than friction-free access. Practitioners should expect more pressure to combine SSO, passwordless access, and device enforcement in the same workflow, because any one of those controls alone leaves a gap. The governance model has to follow the clinical session, not just the clinician profile.


For practitioners

  • Enforce per-user session termination: Require automatic sign-out and session reset on every shared clinical device so the next user never inherits the previous identity state.
  • Remove shared credentials from ward workflows: Replace shared usernames and passwords with individually attributable authentication so access can be tied to a named clinician in audit and incident review.
  • Map shared devices into access reviews: Include shared mobile endpoints in recurring access recertification, with special attention to contractor use, shift handoffs, and any device that persists across users.
  • Pair passwordless with device controls: Use passwordless and SSO to reduce friction, but keep strict device state checks, session expiry, and role-based boundaries in place.
  • Measure sign-in persistence as a control signal: Track how often devices remain signed in after handoff, because that metric is a direct indicator of whether mobile governance matches clinical reality.
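The persistence metric from the last bullet, as an added example that is not part of the original article: it reads constructed device audit lines and a constructed shift roster, counts sessions that were never signed out or that outlived their owner's handoff, and lists every action recorded under an identity after that identity's owner had handed over (the attribution gap described in the Technical breakdown). The log format, device and user identifiers, and roster are assumptions; a real deployment would read them from the MDM or SSO audit feed and the rostering system.

```python
import re
from collections import defaultdict
# Constructed log format "<ts> device=<id> user=<id> event=<name>"; ts = seconds into the shift.
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+device=(?P<dev>\S+)\s+user=(?P<user>\S+)\s+event=(?P<ev>\S+)")
SAMPLE_LOG = """\
0    device=ward3-tab02 user=dr_a    event=sign_in
600  device=ward3-tab02 user=dr_a    event=open_record
7400 device=ward3-tab02 user=dr_a    event=update_order
7800 device=ward3-tab02 user=nurse_b event=sign_in
8000 device=ward3-tab02 user=nurse_b event=open_record
8200 device=ward3-tab02 user=nurse_b event=sign_out
0    device=ward3-tab05 user=dr_c    event=sign_in
3000 device=ward3-tab05 user=dr_c    event=sign_out
"""
# Constructed roster: when each clinician handed over (shift end), on the same clock.
SHIFT_END = {"dr_a": 7200, "nurse_b": 14400, "dr_c": 7200}

def sessions(log_text):
    """Yield (device, session). A sign_in while a session is still open means the
    previous user never signed out: the next clinician found the device signed in."""
    by_device = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)  # unparseable lines are skipped
        if m:
            by_device[m["dev"]].append((int(m["ts"]), m["user"], m["ev"]))
    for dev, events in by_device.items():
        cur = None
        for ts, user, ev in sorted(events):
            if ev == "sign_in":
                if cur:
                    yield dev, cur
                cur = {"user": user, "end": ts, "actions": [], "signed_out": False}
            elif ev == "sign_out" and cur:
                cur.update(end=ts, signed_out=True)
                yield dev, cur
                cur = None
            elif cur:
                cur["actions"].append((ts, ev))
                cur["end"] = ts
        if cur:
            yield dev, cur  # still signed in when the log ends

def measure(log_text, shift_end):
    """Persistence rate, plus every action recorded after its identity's owner handed over."""
    total, persisted, gaps = 0, 0, []
    for dev, s in sessions(log_text):
        total += 1
        cutoff = shift_end[s["user"]]
        persisted += (not s["signed_out"]) or s["end"] > cutoff
        gaps += [(dev, s["user"], ts, ev) for ts, ev in s["actions"] if ts > cutoff]
    return {"sessions": total, "persisted": persisted, "gap_actions": gaps,
            "persistence_rate": round(persisted / total, 2) if total else 0.0}
```

On the sample feed, dr_a's session on ward3-tab02 is never signed out and nurse_b signs in over it, so one of three sessions persisted and the order update at 7400 is recorded under dr_a after dr_a's handoff.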

Key takeaways

  • Shared mobile devices create an identity attribution problem when credentials are reused or sessions persist across users.
  • The article ties mobile access failures to real operational harm, including breaches, patient-data exposure, and measurable hospital disruption.
  • Hospitals need identity, session, and lifecycle controls working together if they want secure clinical mobility at scale.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-4             | Shared devices need least-privilege access and strong identity attribution.
NIST SP 800-63               |                     | Passwordless and SSO depend on sound authentication and identity proofing.
NIST Zero Trust (SP 800-207) | AC-6                | Shared devices increase the need for continuous verification and limited access scope.

Map shared mobile access to PR.AC-4 and remove any credential reuse that weakens attribution.


Key terms

  • Shared-use mobile device: A device used by more than one person across shifts or tasks, often in a fast-moving operational setting. In identity terms, the risk is not the hardware itself but the possibility that one user’s session, credentials, or permissions remain active for the next user.
  • Session persistence: The condition where an authenticated session remains active after the original user stops using the device. In shared environments, session persistence creates attribution gaps, increases the chance of unintended access, and weakens incident investigation because logs may not match the actual operator.
  • Credential sharing: The practice of using one account, secret, or login across multiple people or tasks. It is a governance failure because it collapses accountability, undermines auditability, and makes access reviews unreliable, especially where clinical work depends on rapid handoffs.
  • Identity attribution: The ability to tie an action, access event, or data change to a specific person or system at the moment it occurred. When attribution is weak, security teams cannot confidently distinguish legitimate activity from misuse, which makes both compliance and incident response harder.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Tech and Innovation Improve Care and Deliver Tangible Savings for UK Hospitals. Read the original.
