By NHI Mgmt Group Editorial Team | Published 2025-09-16 | Domain: Governance & Risk | Source: Imprivata

TL;DR: UK healthcare facilities using shared-use mobile devices report average annual savings of £522,000, but 47% still lack a fully implemented policy and 77% say users share credentials, according to Imprivata’s 2025 State of Shared Mobile Devices in Healthcare Report. The core issue is not device adoption itself, but whether identity, sign-in, and offboarding controls can keep pace with shared clinical workflows.


At a glance

What this is: This report examines how shared-use mobile devices are being used in healthcare and shows that the economic case is clear, but governance, credential handling, and device management still lag.

Why it matters: Shared-device programmes sit at the intersection of NHI, human access, and operational workflow, so weak identity controls can undermine both patient data protection and clinical efficiency.

By the numbers:

👉 Read Imprivata's report on shared-use mobile devices in healthcare


Context

Shared-use mobile devices are not just a hardware decision. In healthcare, they become shared access endpoints where identity, session handling, and workflow all collide, which means the control problem is broader than device inventory or procurement.

The governance gap shows up when organisations scale shared devices faster than they define who can sign in, how credentials are handled, and what happens at handoff. In that model, the operational gains are real, but the identity risks are also shared across every clinical shift.

For identity programmes, this sits squarely at the boundary between human access management and lifecycle governance. The question is whether shared clinical access can be made repeatable, auditable, and revocable without slowing patient care.


Key questions

Q: How should healthcare organisations govern shared-use mobile devices safely?

A: Treat shared devices as governed access endpoints, not just shared hardware. Require explicit sign-out, session reset, device health checks, and clear user attribution at each handoff. The best programmes combine IAM, device management, and workflow design so clinicians can work quickly without leaving access state behind on the device.

Q: Why do shared mobile devices create identity risk in clinical environments?

A: They create identity risk because multiple people use the same endpoint, so access state can outlive the person who initiated it. If credentials are shared or sessions remain active, accountability weakens and patient data protection suffers. The risk is highest when policy is incomplete and device state is not reliably reset.

Q: What breaks when shared device policy is only partially implemented?

A: A partial policy allows local workarounds to become normal operating practice. Clinicians start sharing credentials, leaving devices signed in, and using misconfigured or unavailable devices, which weakens accountability and increases exposure. Governance only works when the policy is enforced at the point of use, not just documented centrally.

Q: Who is accountable when patient data is accessed on a shared clinical device?

A: Accountability should remain tied to the authenticated user, the device state, and the organisation’s access policy. If any of those are unclear, post-incident review becomes unreliable. Healthcare teams should ensure shared-device logging, sign-in controls, and offboarding rules make the responsible user traceable at every session boundary.


Technical breakdown

Shared-device session handling and credential reuse

Shared-use mobile devices create a recurring session-management problem: one device is used by multiple staff members, often across shifts, so authentication state must be cleared reliably between users. If credentials are reused or the previous user remains signed in, the device stops behaving like a controlled access point and starts behaving like an implicit trust channel. In healthcare, that is especially dangerous because clinical urgency encourages shortcuts. The result is not just privacy exposure but also accountability loss, since actions can no longer be confidently tied to the right user.

Practical implication: enforce explicit sign-out, rapid reauthentication, and user attribution at every handoff.

Device governance, tracking, and configuration drift

The report points to inconsistent configuration, unreliable tracking, and devices left uncharged or unavailable as signs of governance drift. In practical terms, a shared-device programme fails when the operational model assumes that devices are always present, always configured, and always ready, but the reality is a constantly changing pool of endpoints. That makes mobile device management, policy enforcement, and asset visibility part of identity control, not just IT hygiene. If a device cannot be located or trusted, it cannot safely carry clinical access.

Practical implication: tie device enrolment, configuration baselines, and asset visibility directly to access eligibility.

Shared mobility as an identity and workflow design problem

The report shows that healthcare organisations see mobility as essential, yet many have not fully implemented the policy structure needed to support it. That gap reveals a common mistake: treating shared devices as a usability project rather than an access governance model. Shared clinical mobility works only when the workflow, the user identity, and the device state are designed together. Otherwise, clinicians compensate for friction by sharing credentials, skipping lockout steps, or leaving sessions open, which increases risk across the entire care environment.

Practical implication: redesign shared mobility as a governed access workflow, not a standalone device rollout.
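The session-handoff, device-readiness and attribution controls described in the three points above, as an added worked example (not code from the report or from Imprivata). The battery and idle thresholds, the device fields and the audit-record shape are constructed assumptions; a real deployment would take device state from MDM and refresh last_activity on every use.

```python
from dataclasses import dataclass, field
from typing import Optional
MIN_BATTERY_PCT = 20     # constructed threshold: below this the device is not "ready"
MAX_IDLE_SECONDS = 300   # constructed: a session idle longer than this is force-closed

@dataclass
class Device:
    device_id: str
    enrolled: bool = True        # present in the MDM inventory
    baseline_ok: bool = True     # configuration matches the approved baseline
    battery_pct: int = 100
    user: Optional[str] = None   # clinician currently signed in
    last_activity: float = 0.0   # would be refreshed on every use in a real client
    context: dict = field(default_factory=dict)  # e.g. the open patient record
    audit: list = field(default_factory=list)    # (timestamp, event, user) tuples

def readiness_failures(d: Device) -> list:  # empty list means the device is eligible
    checks = [(not d.enrolled, "not-enrolled"), (not d.baseline_ok, "config-drift"),
              (d.battery_pct < MIN_BATTERY_PCT, "low-battery")]
    return [name for failed, name in checks if failed]

def _close_session(d: Device, now: float, reason: str) -> None:
    d.audit.append((now, "sign-out:" + reason, d.user))
    d.user = None
    d.context.clear()  # the previous user's clinical context never carries forward

def sign_out(d: Device, now: float) -> None:  # the explicit handoff step often skipped
    if d.user is not None:
        _close_session(d, now, "explicit")

def sign_in(d: Device, user: str, now: float) -> bool:  # ready device, no live session
    failures = readiness_failures(d)
    if failures:
        d.audit.append((now, "denied:" + ",".join(failures), user))
        return False
    if d.user is not None:
        if now - d.last_activity <= MAX_IDLE_SECONDS:
            d.audit.append((now, "denied:session-active", user))
            return False  # no silent takeover of another clinician's session
        _close_session(d, now, "idle-expired")  # lingering session closed and attributed
    d.user, d.last_activity = user, now
    d.audit.append((now, "sign-in", user))
    return True

def responsible_user(d: Device, at: float) -> Optional[str]:  # who held the session at `at`
    holder = None
    for ts, event, user in d.audit:
        if ts <= at and event.split(":")[0] in ("sign-in", "sign-out"):
            holder = user if event == "sign-in" else None
    return holder
```

Denied attempts are recorded against the user who tried, so a ward-level report of "denied:session-active" and "denied:config-drift" events shows where handoff or device readiness is failing in practice.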


Threat narrative

Attacker objective: The threat is not always external intrusion; the same weaknesses still enable unauthorised access to patient data, misattribution of actions, and broader operational disruption.

  1. Entry occurs through legitimate shared-device use, where multiple clinicians access the same endpoint across shifts and one user’s session state can carry forward into the next user’s workflow.
  2. Escalation happens when credentials are shared or sessions are left signed in, allowing access to persist beyond the intended user and expanding who can reach patient data.
  3. Impact follows when the organisation loses attribution, weakens patient data protection, and creates avoidable operational disruption through missing, misconfigured, or unavailable devices.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shared-use mobile devices expose an identity governance gap, not just a mobility gap. The report makes clear that the value case is established, but the control model is still incomplete in many organisations. When staff share devices and sessions are left open, the issue is not the device itself but the absence of a repeatable access lifecycle for a shared endpoint. Practitioners should treat this as a governed identity pattern, not a technology pilot.

Credential sharing is the clearest sign that shared-device design has outpaced policy. If 77% of respondents say users share credentials and 74% say devices are left signed in, the control failure is obvious: access handoff has not been formalised. That is a lifecycle problem as much as an authentication problem, because the identity boundary is not being closed cleanly between users. The implication is that shared access must be engineered around session reset, attribution, and revocation discipline.

Identity blast radius increases when clinical workflow depends on convenience over control. The report shows that 85% of respondents see mobile devices as essential, which means practitioners cannot simply remove shared access without harming care delivery. The real challenge is reducing blast radius while preserving throughput. That requires governance models that can support rapid access, but only within tightly defined user, device, and session boundaries.

Shared mobility succeeds only when IAM, device management, and workflow design are treated as one control surface. The report’s findings on configuration inconsistency, missing devices, and user frustration show that fragmented ownership creates security gaps. In healthcare, a shared device is both an endpoint and an access broker, so governance has to span identity policy, asset state, and clinical process. Practitioners should align these controls before expanding shared-device deployment further.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For lifecycle governance detail, see NHI Lifecycle Management Guide, which expands on provisioning, rotation, and offboarding controls.

What this signals

With 5.7% of organisations reporting full visibility into their service accounts, the lesson for healthcare is that shared-device programmes fail faster when access ownership is unclear. Shared mobility needs the same governance discipline as any other identity programme, or clinicians will keep compensating for process gaps with unsafe workarounds.

Shared access drift: when a shared device remains signed in or is passed between users without a clean handoff, the organisation loses both attribution and control. That is why mobile device management, access policy, and workflow design must be aligned before shared-device usage expands further.


For practitioners

  • Formalise shared-device access handoff: Define how one clinical user ends a session before the next user begins, including explicit sign-out, session reset, and clear attribution rules for every shared device.
  • Tie device readiness to access eligibility: Block shared devices that are uncharged, misconfigured, or out of compliance from being used for patient access until they return to a known-good state.
  • Track shared-device policy adoption at the ward level: Measure whether policy is actually implemented by location, shift, and device pool so that governance gaps are visible before they become routine workarounds.
  • Reduce credential sharing through workflow redesign: Remove the operational reasons staff bypass sign-in controls by simplifying authentication flow, improving device availability, and making access handoff faster than unsafe shortcuts.

Key takeaways

  • The report shows that shared-use mobile devices can deliver strong financial and operational value, but only if identity and workflow controls are built in from the start.
  • The biggest governance weakness is incomplete policy implementation, which shows up as credential sharing, lingering sessions, and unreliable device tracking.
  • Healthcare teams should manage shared devices as access endpoints with explicit handoff and reset controls, not as simple shared assets.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared credentials and lingering sessions map to insecure NHI access patterns. |
| NIST CSF 2.0 | PR.AC-1 | Shared-device access control depends on strong identity verification and session handling. |
| NIST SP 800-63 | | Clinical device sign-in and reauthentication are human identity assurance problems. |

Use higher-assurance reauthentication where shared clinical devices carry patient data access.


Key terms

  • Shared-use mobile device: A mobile device assigned to a team or location rather than a single person. In healthcare, the same device may be used by multiple clinicians across shifts, which makes session reset, attribution, and policy enforcement essential to preserve accountability and protect patient data.
  • Session handoff: The controlled transition from one authenticated user to the next on the same device. In shared environments, the handoff must include sign-out, state reset, and reauthentication so the next user does not inherit access, context, or risk from the previous session.
  • Access attribution: The ability to tie an action on a system to the correct user at the time it occurred. On shared clinical devices, attribution is weakened if credentials are shared, sessions stay open, or device state is not reset between users.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: the 2025 State of Shared Mobile Devices in Healthcare Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org