TL;DR: Australian hospitals could save an average of A$1.2 million annually through shared mobile device programmes, but Imprivata says more than half of clinical and IT leaders lack full confidence in patient-data protection because of credential sharing, unsecured logins, and inconsistent governance. The security problem is not the device itself, but the identity and access controls wrapped around shared clinical workflows.
At a glance
What this is: Imprivata examines how shared mobile devices can improve hospital efficiency while exposing identity and access control gaps in Australian healthcare.
Why it matters: For IAM, IGA, and PAM teams, the issue shows how shared-device convenience can turn into credential sharing, session persistence, and accountability gaps across human access programmes.
By the numbers:
- 83% of respondents report that users share credentials when accessing shared-use mobile devices.
- 77% admit these devices are often left signed in after use.
- 65% of nurses report high levels of stress.
👉 Read Imprivata's research on shared mobile devices and hospital identity risk
Context
Shared mobile devices in hospitals are a human identity and access problem as much as an operational one. When clinicians need rapid access to patient information, slow login flows, password fatigue, and inconsistent sign-in controls encourage workarounds that weaken accountability and increase the chance of data exposure.
The article’s core point is that efficiency gains do not remove governance requirements. In healthcare environments, shared access has to be designed around authentication, session control, and lifecycle accountability for every user who touches the device, because convenience without control simply shifts risk into the clinical workflow.
Key questions
Q: How should hospitals secure shared mobile devices without slowing clinical work?
A: Hospitals should combine fast authentication with strict session control. Per-user access, single sign-on, and automatic lock or sign-out at handoff reduce friction without sacrificing attribution. If the workflow still relies on users remembering to log out, the control is weak. The goal is to make secure behaviour the easiest behaviour in the clinical setting.
Q: Why do shared mobile devices create IAM risk in healthcare?
A: Shared mobile devices create IAM risk because one device can become multiple users’ access path if credentials are shared or sessions stay open. That breaks accountability, weakens auditability, and increases the chance of inappropriate patient-data access. The risk is not mobility itself, but the identity boundary becoming unclear during real clinical handoffs.
Q: What do security teams get wrong about passwordless access in hospitals?
A: They often treat passwordless access as a complete fix rather than one control in a larger governance model. Passwordless can reduce password fatigue, but it does not replace session management, device trust, or access review. Without those controls, clinicians can still inherit open sessions or use shared workflows that bypass accountability.
Q: How do you know shared-device governance is working in a hospital?
A: You know it is working when every patient-record access is attributable to a named clinician, signed-in sessions do not survive handoff, and access review can confirm who is authorised to use the device. If logs show persistent sign-ins or shared credentials, the programme is functioning as convenience-first access, not controlled identity governance.
Technical breakdown
Shared clinical devices and credential sharing
Shared-use mobile devices create a predictable authentication failure mode: if users cannot sign in quickly enough, they borrow credentials, reuse sessions, or leave devices open for the next person. In healthcare, that turns a device into a shared access path rather than a controlled identity boundary. The real weakness is not mobility itself, but the absence of enforceable user-to-session binding across fast-moving clinical workflows. Once that binding is lost, auditability, accountability, and patient-data protection all degrade at the same time.
Practical implication: require per-user authentication and fast session termination before any clinician can hand off a device.
Password fatigue, single sign-on, and session hygiene
Password fatigue is a governance signal, not just a usability complaint. When clinicians face repeated logins across EHRs and device layers, they adopt shortcuts that defeat policy, including shared credentials and persistent sign-in states. Single sign-on can reduce friction, but only if it is paired with strong device and session controls. Otherwise, SSO simply moves the trust boundary without improving it. For shared mobile environments, the authentication experience must be designed so that speed and assurance reinforce each other instead of competing.
Practical implication: pair SSO with enforced re-authentication rules and device-aware session controls, not convenience alone.
Identity governance for shared mobile access
Shared mobile programmes need governance across the full access lifecycle, not just at login. That means knowing who is allowed to use the device, how access is granted, how it is revoked, and how signed-in sessions are prevented from outliving the intended user. In identity terms, the issue sits at the intersection of IAM, recertification, and privileged workflow design. If the organisation cannot prove who used the device at the point of care, it cannot reliably prove who accessed the patient record.
Practical implication: build lifecycle controls for shared devices into access reviews, offboarding, and audit evidence generation.
NHI Mgmt Group analysis
Shared mobile device risk is fundamentally a human IAM failure, not a hardware problem. The article shows that credential sharing and lingering signed-in sessions are the real control failures, even when the devices themselves are intended to improve care delivery. That means the governance question is whether identity controls can keep pace with clinical speed. Practitioners should treat shared devices as a human access design issue, not a mobility project.
The hidden control gap is session accountability, not access availability. Hospitals can have the right user accounts and still lose control when one clinician’s session becomes the next clinician’s access path. This is where shared-device programmes break down: the environment assumes users will sign out, but the workflow does not enforce it reliably. The implication is that access policy must be measured in completed sessions, not just granted credentials.
Credential sharing in clinical environments creates an audit trail that looks complete but is not trustworthy. When 83% of respondents report shared credentials and 77% say devices are left signed in, the issue is systemic rather than anecdotal. That pattern undermines both compliance evidence and patient-data assurance. Practitioners need to recognise that high adoption of mobile workflows without strong identity controls produces scale, not control.
Shared-device governance should be evaluated as a lifecycle discipline across human identities. This is where IAM, IGA, and operational workflow design meet. The programme question is not whether clinicians need fast access, but whether the organisation can continually certify that access remains attributable, revocable, and reviewable. Hospitals that cannot answer that question are operating with a governance gap, not a productivity trade-off.
Shared mobile device programmes expose a new form of identity blast radius. One weak login pattern can propagate across multiple users, shifts, and patient interactions because the device remains a reusable access surface. The more the programme scales, the more important it becomes to define where accountability ends and the next user’s responsibility begins. Practitioners should assume the blast radius is organisational, not individual.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- Shared access decisions should be paired with the Ultimate Guide to NHIs , Key Challenges and Risks when teams need to compare credential sprawl and governance failure patterns across machine and human workflows.
What this signals
Identity blast radius: shared mobile devices concentrate risk where one poorly controlled login can affect many clinicians, many shifts, and multiple patient interactions. Hospitals should watch whether session cleanup, user attribution, and access review evidence stay intact as adoption scales, because convenience can mask a widening governance gap.
The programme signal is straightforward: if clinicians are sharing credentials or leaving devices signed in, the access model is already compensating for design friction. That means IAM teams should expect policy exceptions, helpdesk workarounds, and weak audit trails unless mobile access is rebuilt around fast authentication and enforced handoff controls.
Shared clinical access also changes how leaders should read identity metrics. A high adoption rate does not equal strong governance if audit logs cannot prove who accessed what and when. Teams should use access attribution, sign-out compliance, and exception volume as the real indicators of programme health.
For practitioners
- Enforce per-user authentication on every shared device Require each clinician to authenticate before patient data is displayed, and prevent generic or shared logins from being used as a shortcut in busy wards.
- Design for automatic session termination at handoff Make the device log out or lock when a user finishes care delivery, so the next clinician cannot inherit an active session.
- Align shared-device access with access review cycles Include shared mobile device permissions in routine access reviews so managers can confirm who is authorised to use the device and under what conditions.
- Measure whether shared access is actually attributable Test whether audit logs can still show which individual accessed the patient record after a device handoff, because traceability is the control that proves governance works.
Key takeaways
- Shared mobile devices can improve care and reduce cost, but they also expose identity and accountability gaps if clinicians rely on credential sharing or persistent sessions.
- The scale of the problem is material, with Imprivata citing A$1.2 million in potential annual savings alongside 83% credential sharing and 77% devices left signed in.
- Hospitals need identity controls that preserve attribution at handoff, because mobility without session governance creates a compliance problem disguised as workflow efficiency.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared device access depends on controlled identity verification and account assignment. |
| NIST SP 800-63 | Clinical authentication experience must balance assurance and usability for human users. | |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Shared mobile access should assume breach and verify every session boundary. |
Use federation and authenticator guidance to reduce friction without weakening user accountability.
Key terms
- Shared-use mobile device: A shared-use mobile device is a handset or tablet used by multiple clinicians across shifts, tasks, or wards. In identity terms, the device is not the identity boundary. The security model must ensure each user is individually authenticated, each session is attributable, and no one inherits another person’s active access.
- Session handoff: Session handoff is the moment one user finishes using a device and another user takes over. In secure healthcare workflows, handoff must close the previous session cleanly and prevent inherited access. If the session remains open, the next user may gain visibility or privileges that were not meant for them.
- Credential sharing: Credential sharing is the practice of multiple people using the same login or authentication secret to reach a system. It removes accountability, breaks audit trails, and makes it impossible to prove which individual accessed patient data. In clinical environments, it usually appears when secure access is too slow or cumbersome.
- Identity attribution: Identity attribution is the ability to tie a system action to a specific person or account with enough confidence to support audit and investigation. For shared devices, attribution fails when logins are reused or sessions persist across handoffs. Good governance requires attribution to survive real-world workflow pressure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Imprivata: Shared Mobile Devices Promise Millions in Savings, But Data Security Gaps Introduce Risk for Australian Hospitals. Read the original.
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
