TL;DR: Healthcare organisations are losing an average of 13 minutes per clinician shift to mobile device setup, with 87% reporting access challenges and 79% saying credentials are shared on devices, according to Imprivata's 2025 State of Shared Mobile Devices in Healthcare report. Shared mobile works only when identity, device readiness, and auditability are managed as one workflow.
At a glance
What this is: Imprivata's analysis of shared mobile device access in healthcare, showing that shift-start friction and security risk are both symptoms of weak identity-driven device governance.
Why it matters: Mobile access patterns in clinical environments now affect human IAM, shared-device governance, and the controls that underpin auditability, session integrity, and patient data protection.
By the numbers:
- Clinicians waste an average of 13 minutes per shift just getting mobile devices ready to use.
- 87% report access challenges such as clinicians getting locked out of devices.
- 79% of respondents report that users share credentials on shared devices.
- 99% of leaders expect shared-use devices to increase over the next 12 to 24 months.
👉 Read Imprivata's analysis of shared mobile access in healthcare
Context
Shared mobile access is an identity and lifecycle problem, not just an endpoint logistics problem. In healthcare, the issue is whether the right clinician can get a ready, trustworthy device fast enough to support care without resorting to shared credentials, manual handovers, or unsafe workarounds.
The article shows that the real failure mode is the gap between device availability, user authentication, and session readiness. That makes this a human identity and shared-device governance issue at the same time, because access, accountability, and audit trails all have to survive rapid shift changes.
Key questions
Q: How should healthcare teams secure shared mobile devices without slowing clinicians down?
A: Use identity-driven checkout that binds the clinician, the device, and the session in one step. The key is to remove repeated credential entry, auto-load the right apps and settings, and terminate state on return so security improves speed instead of competing with it. That reduces workarounds and preserves accountability.
Q: Why do shared devices often create credential-sharing risk in clinical environments?
A: Because if device handoff is slow, clinicians will protect patient flow by reusing logins or passing devices with sessions still open. Shared credentials are usually a symptom of poor workflow design, not just poor discipline. Fix the access path, the reset process, and the readiness signal together, and the behaviour changes.
Q: What signals show that shared mobile access is not working properly?
A: Look for repeated lockouts, frequent help desk calls, devices left signed in, personal devices used as workarounds, and missing or low battery at handoff. Those are operational signs that identity, availability, and cleanup are not aligned. If users routinely bypass the approved process, the control model is failing.
Q: Who is accountable when a shared device still contains the prior user's access?
A: Accountability sits with the programme that owns device lifecycle, session termination, and access governance, not with the clinician who inherits the problem. Shared mobility requires an explicit owner for allocation, reset, and audit evidence. Without that ownership, compliance reports describe the issue without actually containing it.
Technical breakdown
Badge-tap authentication and session start
Badge-tap login replaces repeated username and password entry with a fast identity assertion tied to a trusted credential or badge. In shared mobile workflows, that matters because the device is not the identity, the clinician is. The system must bind a user session to a device, app set, and care context without forcing manual reauthentication at every handoff. Done well, the workflow reduces latency and supports a cleaner audit trail. Done poorly, it encourages credential sharing and signed-in persistence across users.
Practical implication: replace password-led shared mobile sign-on with a faster identity-bound checkout flow that creates an auditable user-device session.
Persona-based app profiles and mobile session control
Shared clinical devices need persona-based profiles so the next user receives the right apps, settings, and notifications without inheriting the prior user’s session state. This is a lifecycle control for mobile access, not a cosmetic customisation layer. The architectural challenge is to separate access enablement from session persistence, then reset state on return without breaking the clinician workflow. That is what turns shared mobility into governed mobility rather than device reuse with leftover risk.
Practical implication: automate profile loading and session termination so each checkout starts clean and each return removes residual access.
Chain of custody, location tracking, and battery readiness
In a shared mobile fleet, identity governance depends on knowing who had which device, when, and where, while also ensuring the device is fit for use. Chain-of-custody logging supplies accountability, but it only works if the device is actually ready to serve the next clinician. Battery health, availability, and return events are therefore part of the access control model. Without them, teams may have authentication, but they still do not have operational readiness.
Practical implication: combine checkout logs with device health checks so readiness and accountability are enforced together.
NHI Mgmt Group analysis
Shared mobile access is a human IAM governance problem disguised as device operations. The article is really about whether identity can keep pace with clinical movement across shift boundaries, device availability constraints, and user turnover. When access control is reduced to manual handover steps, the organisation gets both friction and weak accountability. The practitioner takeaway is that mobile fleets need identity governance, not just asset management.
Credential sharing on shared devices is a control failure, not a user preference. When 79% of respondents report credential sharing, the programme has already lost the boundary between authenticated person and reusable device. That failure weakens auditability, undermines non-repudiation, and makes session state unreliable for compliance. Practitioners should treat credential reuse as evidence of broken access design rather than an isolated policy violation.
Persona-based checkout is the named concept this category needs. A shared device should present a ready, role-aligned environment at the point of need, then return to a clean state after use. That changes the governance question from whether a device can be shared to whether the identity session can be safely reconstituted for the next clinician. The implication is that identity, apps, and device readiness must be managed as one lifecycle.
Immediate access and secure access are not competing goals in healthcare. The article shows that delays create workarounds, and workarounds create risk. If the authorised path is too slow, users will substitute personal devices, password reuse, or informal handovers. The practitioner conclusion is that security controls must be built around clinical time pressure, not layered on top of it.
Audit trails only matter if they are paired with cleanup. Logging who used a device is useful, but it does not solve residual access, leftover apps, or stale session state. The control gap here is not observability alone, but enforced reset at return and clean allocation at checkout. Practitioners should treat session termination as part of the access control boundary, not as an afterthought.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- For the wider operating model, see 52 NHI Breaches Analysis for how identity failures become security incidents across real-world environments.
What this signals
Persona-based checkout: Shared mobile programmes will increasingly be judged by how well they collapse identity, device readiness, and session reset into a single clinical workflow. The teams that succeed will treat handoff latency as an access-control metric, not just a service metric, and they will document the control boundary with the same discipline they use for human IAM.
Hospitals should expect personal-device workarounds to persist until the approved path is faster than the workaround. That means access design, audit evidence, and device health need to be managed together, with battery readiness and return-state enforcement included in the operating model. The governance question is shifting from whether devices are shared to whether shared access is provably clean at each handoff.
Teams running shared mobility at scale should align the workflow to the principles in the OWASP Non-Human Identity Top 10 where credential exposure, overprivilege, and weak rotation all map to the same practical failure: access that persists longer than intended. The lesson is not only to harden devices, but to reduce the lifetime of every reusable access state.
For practitioners
- Replace password-led shared mobile login with badge-tap checkout: Use a fast identity assertion tied to a trusted credential so clinicians can start a session without repeated password entry. The goal is to make the authorised path faster than the workaround while keeping each device handoff auditable.
- Automate clean session return for every shared device: Wipe app state, terminate the session, and re-lock the device on return so the next clinician does not inherit residual access. This is the control that prevents shared mobile from turning into shared authentication.
- Bind app access to clinician personas, not generic device pools: Load role-appropriate apps, communication groups, and notification rules at checkout so the device is ready for the next task immediately. That reduces manual setup and removes the need for users to improvise.
- Track chain of custody alongside battery and availability health: Record who used each device, when it moved, and whether it was charged enough for the next shift. If readiness data is missing, the allocation process is blind and clinicians will keep working around it.
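The checkout-and-return lifecycle described in the technical breakdown above and in the four practitioner steps, as an added Python model (not Imprivata's or NHIMG's code): badge-tap checkout binds clinician, persona and device in one step and refuses a handset that still holds a session or is under-charged; return terminates the session, clears persona state and appends a chain-of-custody record. The battery threshold and the persona-to-app mapping are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_BATTERY_PCT = 40          # assumed readiness threshold, not a figure from the report
PERSONA_APPS = {              # constructed persona-to-app mapping for illustration
    "nurse": ["secure-messaging", "med-admin", "vitals"],
    "physician": ["secure-messaging", "orders", "imaging"],
}

@dataclass
class Device:
    device_id: str
    battery_pct: int
    session_user: Optional[str] = None        # None: no live session on the handset
    apps: List[str] = field(default_factory=list)

@dataclass
class SharedFleet:
    devices: Dict[str, Device]
    custody_log: List[dict] = field(default_factory=list)   # chain-of-custody records

    def checkout(self, badge_user: str, role: str, device_id: str, at: str) -> List[str]:
        """Badge-tap checkout: bind user, device and persona in one step.
        A device that is not clean or not ready is refused, so the next
        clinician never inherits the previous session."""
        d = self.devices[device_id]
        if d.session_user is not None:
            raise PermissionError(f"{device_id} still holds {d.session_user}'s session")
        if d.battery_pct < MIN_BATTERY_PCT:
            raise RuntimeError(f"{device_id} battery {d.battery_pct}% is below readiness")
        d.session_user, d.apps = badge_user, list(PERSONA_APPS[role])
        self.custody_log.append({"event": "checkout", "user": badge_user, "role": role,
                                 "device": device_id, "at": at})
        return d.apps

    def return_device(self, device_id: str, battery_pct: int, at: str) -> Optional[str]:
        """Return: terminate the session and clear persona state so no residual
        access survives the handoff; record custody and battery readiness."""
        d = self.devices[device_id]
        prior = d.session_user
        d.session_user, d.apps, d.battery_pct = None, [], battery_pct
        self.custody_log.append({"event": "return", "user": prior, "device": device_id,
                                 "battery": battery_pct, "at": at})
        return prior

def ready_devices(fleet: SharedFleet) -> List[str]:
    """Devices that are both clean (no session) and charged enough to allocate."""
    return sorted(d.device_id for d in fleet.devices.values()
                  if d.session_user is None and d.battery_pct >= MIN_BATTERY_PCT)
```

A device returned with an open session is impossible in this model because return always terminates it; the refusal in checkout is the guard against state that bypassed the return path.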
Key takeaways
- Shared mobile access in healthcare fails when identity, device readiness, and session cleanup are treated as separate problems.
- The evidence points to a workflow issue, with 13-minute setup delays, 87% reporting access challenges, and 79% seeing credential sharing on shared devices.
- Healthcare teams should design for fast, auditable checkout and enforced reset, because clinicians will otherwise create their own unsafe shortcuts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Shared mobile access depends on least-privilege session and device assignment. |
| NIST SP 800-63 | | Badge-tap and passwordless access sit within human authentication design. |
| NIST Zero Trust (SP 800-207) | PR.AC | Continuous verification and session control fit shared-device zero trust patterns. |
Use strong authenticators for clinician login and avoid reusable passwords on shared devices.
Key terms
- Shared Mobile Access: A shared mobile access model lets multiple users securely use a pooled device without carrying their own dedicated handset. In healthcare, the model only works when identity, session state, and device readiness are governed together so the next user starts cleanly and access remains attributable.
- Persona-Based Profile: A persona-based profile is a role-specific configuration that loads the right apps, settings, and notifications for the next user of a shared device. It reduces setup time and errors, but only if the profile is automatically removed or reset at return so no prior access persists.
- Chain Of Custody: Chain of custody is the record of who held a device, when it changed hands, and where it was used. In shared mobile programmes, it supports accountability and recovery, but it is only useful when paired with session termination and device health checks that prove the device is ready for reuse.
- Session Termination: Session termination is the process of ending active access and clearing state when a user finishes with a device. For shared mobile environments, it is a core control because it prevents inherited access, reduces credential sharing pressure, and makes the next checkout defensible.
Deepen your knowledge
NHI governance, identity lifecycle management, and workload identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Imprivata: shared mobile access in healthcare and the 13-minute shift-start problem. Read the original.
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org