Shared mobile devices in healthcare need identity-driven control

At a glance

What this is: This is an analysis of shared mobile devices in healthcare and the finding that they only scale safely when identity-driven access replaces manual handoffs and ad hoc sign-ins.

Why it matters: It matters because healthcare mobility is a live IAM, NHI, and lifecycle governance problem, not just an endpoint rollout, and weak identity controls quickly translate into friction, shadow access, and lost accountability.

By the numbers:

• 92% of respondents agreed that mobile devices are essential care tools.
• 87% reported access challenges on shared devices.
• 63% greater ROI came from fully implemented shared-device policies.
• 47.5% said mobile devices are more efficient than workstations for clinical work.

👉 Read Imprivata's analysis of shared mobile devices in healthcare

Context

Shared mobile devices in healthcare are more than a device-management issue. They create an identity governance problem because clinicians, devices, apps, and data all have to move together without slowing care or weakening accountability. When shared access relies on passwords, manual assignment, or informal handoffs, the programme inherits avoidable friction and security drift.

The article's central point is that shared clinical mobility works when identity follows the user and the device lifecycle is enforced consistently. That makes this a practical IAM and lifecycle question for healthcare leaders, especially where shared mobile access must support clinical communications, EHR use, and shift-based operations.

The primary keyword here is shared mobile devices, but the real control problem is who can access them, when, and under what policy state. In mature programmes, checkout, authentication, app access, and auditability are treated as one operating model rather than separate tools.

Key questions

Q: How should healthcare teams govern shared mobile devices without slowing clinical work?

A: They should make identity the control plane for the entire shared-device workflow. That means authenticated checkout, fast reauthentication, policy enforcement at use time, and auditable return. The goal is not to add friction, but to remove manual handoffs and shared credentials that slow care while weakening accountability.

Q: Why do shared credentials on clinical devices create security risk?

A: Shared credentials destroy attribution and make it impossible to prove which person accessed which system at a given moment. In healthcare, that weakens auditability across EHR, messaging, and other clinical apps. It also increases the chance that a device stays effectively open across shifts, which expands exposure.

Q: What breaks when shared mobile devices stay signed in between users?

A: The organisation loses session ownership, which means the next clinician may inherit access without a clean authentication boundary. That breaks audit trails, complicates incident review, and makes access control depend on behaviour rather than policy. It is a governance failure, not just a usability issue.

Q: Who is accountable when a shared clinical device is lost or misused?

A: Accountability sits with the organisation unless the programme can prove who checked out the device, who last used it, and whether access was revoked at return. Without identity-based lifecycle controls, the device becomes a shared risk object rather than a governed asset, and the audit trail is too weak to support response.

Technical breakdown

Identity-driven checkout and return for shared mobile devices

Shared mobile environments fail when the device is treated as the control point instead of the identity session. Identity-driven checkout and return ties the clinician to the device at handoff, then records ownership at sign-out so the organisation can audit who used what and when. That is materially different from shared passwords or informal shift change routines, which break attribution and invite credential sharing. In practice, the control plane must combine fast authentication, device assignment, and lifecycle logging so that mobility stays usable without becoming anonymous.

Practical implication: make checkout and return identity-based so every handoff is attributable and auditable.

Why shared credentials and signed-in devices create governance drift

When staff share logins or leave devices signed in, the environment no longer has a stable identity-to-device relationship. That creates governance drift, meaning the organisation cannot reliably tell which clinician, shift, or workflow state is associated with a given session. In healthcare, that is especially risky because the same device may surface EHR data, clinical messaging, and communication tools. The technical issue is not just weak authentication. It is the collapse of session accountability across the full device lifecycle, from issue to return to reuse.

Practical implication: remove persistent sign-in states and shared credentials from clinical device workflows.

Why mobile access management needs policy enforcement, not manual process

Mobile access management becomes effective only when policy is enforced automatically across provisioning, proximity access, app access, and audit trail creation. Manual assignment, paper sign-out, and ad hoc workarounds cannot scale across shift-based care because they introduce delays and inconsistent control states. The article points to a model where identity controls are applied as part of the workflow, not after the fact. That matters because security and usability improve together only when the policy engine is embedded in the operating pattern, not left to individual behaviour.

Practical implication: automate assignment, authentication, and audit logging so policy is applied at the moment of use.

Threat narrative

Attacker objective: The practical objective is unauthorised or unauditable access to clinical systems through weak shared-device controls, with disruption and data exposure as the downstream effect.

1. Entry occurs through unmanaged shared access, where clinicians rely on passwords, informal handoffs, or pre-signed-in devices to get work done quickly.
2. Escalation follows when shared credentials and open sessions blur attribution, allowing access to clinical communications, EHR tools, and other sensitive apps without clear session ownership.
3. Impact is lost accountability, higher risk of unauthorised access, slower shift change, and device loss that disrupts care delivery and increases operational cost.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Shared mobile devices are now an identity governance problem, not just an endpoint problem. The operational debate is no longer about whether clinicians will use shared devices, because the article shows they already do. The real question is whether identity, checkout, and audit state travel with the device lifecycle or remain fragmented across manual processes. Practitioners should treat shared mobility as a governance plane that spans access, device custody, and accountability.

Device sharing without identity control creates a standing-access pattern in disguise. When a device remains signed in or credentials are shared, the organisation effectively preserves access beyond the intended user session. That is a control gap, not a workflow inconvenience, because it removes traceability and weakens the assurance boundary around clinical applications. The implication is that healthcare programmes must evaluate where persistent access states are being normalised.

Identity-driven mobile access closes the gap between clinician productivity and security accountability. The article's strongest lesson is that friction reduction and control enforcement are not opposites. When authentication, policy application, and audit logging are unified, shared mobile becomes manageable at scale rather than tolerated as an exception. Practitioners should measure whether the mobile programme can prove who used the device, when, and under which policy state.

Identity blast radius is the right concept for shared healthcare mobility. A lost device matters less when sessions are short, sign-in is enforced, and checkout is attributable. It matters much more when one shared credential can expose multiple clinical tools and a shift's worth of activity. Healthcare leaders should frame this as blast-radius containment across a shared identity surface, not as a hardware loss problem.

Lifecycle discipline is what separates a mobile programme from a mobile pilot. The article shows that assignment, sign-out, and device reuse must be governed as one lifecycle, otherwise the programme absorbs friction, lost inventory, and unmanaged access. The practical conclusion is that shared mobility succeeds when access governance is operationalised end to end, not when it is left to local workarounds.

From our research:

• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
• For lifecycle governance context, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.

What this signals

Shared clinical mobility will keep expanding, but only programmes that treat identity as the operating layer will keep control as the fleet scales. The warning sign is not adoption itself, it is whether each shift change still relies on memory, paper, or shared credentials. That is where NHI Lifecycle Management Guide becomes relevant, because lifecycle discipline is what turns shared access into governed access.

The deeper signal is that healthcare teams should stop measuring mobile success only by adoption and start measuring accountability, session hygiene, and time-to-care. In the NHI context, hidden access states are where risk compounds, and shared devices are a close analogue to unmanaged machine identities because both fail when ownership becomes ambiguous.

A useful concept here is clinical access drift: the gap that opens when a workflow stays operational but the identity state behind it becomes less trustworthy over time. That drift is what turns convenience into exposure, especially when device custody, app access, and auditability are managed separately. The control question is whether the programme can prove clean handoff at every stage.

For practitioners

• Replace manual device handoffs with identity-based checkout Tie each shared device to an authenticated clinician at issue and return, and log that ownership change in the access trail so audit evidence is available after the shift.
• Eliminate shared logins and persistent signed-in states Disable credential sharing on clinical devices, force reauthentication at appropriate intervals, and remove any workflow that allows a device to stay signed in across users.
• Measure shift-start friction as a control signal Track time to assign devices, time to first clinical app use, and the rate of missing or uncharged devices so the programme can show where process breakdowns are creating risk.
• Automate policy enforcement across the mobile lifecycle Embed provisioning, authentication, app access, and audit logging into the mobile workflow so local workarounds do not create inconsistent control states.
• Treat device loss as an identity governance event Investigate every lost shared device for session persistence, last-user attribution, and any lingering access to clinical systems before the asset is reassigned.

Key takeaways

• Shared mobile devices improve clinical work only when identity, checkout, and auditability are governed as one workflow.
• The data points to a clear trade-off: unmanaged shared access creates credential sharing, signed-in devices, and lost accountability at scale.
• Healthcare leaders should standardise identity-based mobile lifecycle controls now, because the operational gains depend on control maturity rather than device adoption alone.

Key terms

• Shared Mobile Device: A shared mobile device is an enterprise-owned handset or tablet used by multiple staff members across shifts or roles. In healthcare, the device is not the identity boundary. The boundary is the authenticated session, the assigned user, and the audit trail that proves custody and access state.
• Identity-Driven Access: Identity-driven access means the system grants and records access based on verified user identity rather than device convenience or shared credentials. In a clinical mobility programme, it connects authentication, checkout, app access, and audit logging so operational speed does not erase accountability.
• Session Accountability: Session accountability is the ability to prove who had access, when they had it, and what policy state applied during that use. It is essential when the same device is passed between users, because without it, shared access becomes effectively anonymous and difficult to investigate.
• Clinical Access Drift: Clinical access drift is the gradual weakening of access assurance in a healthcare mobility workflow as passwords are shared, devices remain signed in, or handoffs become informal. The programme still functions, but the governance state no longer matches the intended control model.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Shared mobile devices in healthcare and the role of identity-driven access. Read the original.