TL;DR: Shared-use mobile devices in UK healthcare save hospitals an average of £522,000 annually, but 47% of organisations still lack a formal management policy, leaving security and workflow gaps, according to Imprivata research. The operational case for streamlined clinical access is clear, but the governance model has not caught up with shared-device reality.
At a glance
What this is: Imprivata research argues that shared-use mobile devices improve NHS workflows and save money, but weak management policy leaves security and usability gaps.
Why it matters: For IAM, NHI, and clinical access teams, the lesson is that shared-device value only holds when identity, device, and session governance are aligned.
By the numbers:
👉 Read Imprivata's analysis of shared-use mobile devices in UK healthcare
Context
Shared-use mobile devices are now part of frontline healthcare identity and access design, not just an endpoint choice. In NHS environments, the question is whether shared access can be governed cleanly enough to preserve clinical speed without creating avoidable exposure.
The core problem is familiar to IAM teams: when a device is used by many clinicians across many shifts, authentication, session control, and device governance have to work together. If policy, provisioning, and logout discipline do not align, convenience gains turn into security fatigue, repeated logins, and inconsistent accountability.
Key questions
Q: How should healthcare teams govern shared-use mobile devices across wards and shifts?
A: Treat shared-use mobile devices as governed identity surfaces, not general-purpose endpoints. Define how devices are provisioned, how sessions are handed off, how logout is enforced, and who is accountable when exceptions occur. Governance must span IAM, endpoint management, and clinical operations, otherwise informal ward practice will replace policy.
Q: Why do shared clinical devices create more access risk than personal devices?
A: Shared devices break the assumption that one device maps to one person and one session. In clinical settings, many users rotate through the same hardware, so weak policy can blur authentication, logging, and accountability. That increases the chance of credential sharing, stale sessions, and gaps in auditability.
Q: How do you know if shared-device access controls are actually working?
A: Look for fewer repeated logins, lower credential sharing pressure, consistent logout behaviour, and clear audit trails that identify each session by user and context. If clinicians still rely on workarounds to move between tasks, the access model is not supporting the workflow it was meant to secure.
Q: Who is accountable when a shared mobile device exposes patient data?
A: Accountability should sit with the organisation that owns the shared-device policy, the access model, and the device lifecycle, not with a single clinician using the handset at the time. In practice, healthcare security, IAM, and clinical operations must share ownership because the failure is usually systemic.
Technical breakdown
Shared-use mobile device governance and shared session control
Shared-use mobile devices work differently from personal endpoints because the trust model is session-based, not user-device persistent. A clinician may authenticate, complete a task, and hand the device to another user within minutes, so the system must bind identity to the session and clear state at handoff. That requires device management, access policy, and authentication controls to behave as one control plane rather than separate tools. Without formal policy, organisations end up relying on informal ward practice, which is where drift begins. Practical implication: treat every shared device as a governed identity surface, not a general-purpose handset.
Practical implication: treat every shared device as a governed identity surface, not a general-purpose handset.
Passwordless authentication and SSO in clinical workflows
Passwordless authentication and single sign-on reduce the number of interactive steps clinicians must repeat during a shift. In shared environments, that matters because repeated prompts encourage workarounds such as credential sharing, sticky sessions, or delayed logout. SSO can improve usability, but only if it is paired with role-aware access and strong reauthentication rules where clinical context changes. The operational goal is not fewer controls, but fewer low-value interruptions that push users around the controls. Practical implication: design login flows around clinical task switching, not office-style session assumptions.
Practical implication: design login flows around clinical task switching, not office-style session assumptions.
Device provisioning, context, and accountability for ward devices
Automated provisioning and contextual access controls make shared-device fleets manageable at scale. Provisioning keeps devices in a known state, while context controls limit where, when, and under what conditions a session can proceed. That combination matters in healthcare because the same device may move between wards, users, and urgency levels throughout the day. Centralised mobile device management provides the baseline, but accountability depends on every session being traceable back to an identity event. Practical implication: build control chains that can answer who used the device, under what conditions, and with what access rights.
Practical implication: build control chains that can answer who used the device, under what conditions, and with what access rights.
Threat narrative
Attacker objective: The practical objective is to gain unauthorised visibility into clinical data or exploit weak session discipline to preserve access beyond its intended user.
- Entry occurs through routine shared-device use in the ward, where multiple clinicians authenticate on the same mobile device across successive sessions.
- Escalation happens when weak governance permits repeated logins, informal handoff behaviour, or shared credentials to blur accountability and expand access scope.
- Impact is unnecessary exposure of patient data, slower clinical workflows, and a governance model that cannot reliably prove who accessed what and when.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Shared clinical devices are an identity governance problem first and an endpoint problem second. Imprivata's numbers show that hospitals can realise large cost savings while still failing at formal policy coverage, which means the governance layer has not matured at the same pace as deployment. In practice, the security question is not whether shared devices are useful, but whether identity, device, and workflow controls are coordinated enough to make them safe.
Security fatigue is a control failure, not just a usability complaint. Repeated logins, credential sharing pressure, and workflow interruptions are signals that access design is forcing clinicians to work around the system. When that happens, accountability weakens because the real process becomes informal and shift-driven rather than policy-driven. Practitioners should read user friction as evidence that the access model needs redesign.
Formal management policy is the difference between managed sharing and unmanaged drift. The 47% policy gap matters because shared-use fleets depend on consistent rules for provisioning, logout, session separation, and exception handling. Without those rules, every ward becomes its own access model. The implication is that organisations need to govern the shared-device lifecycle with the same discipline they apply to privileged access.
Shared-device programmes now sit at the intersection of IAM, mobile device management, and clinical safety. That combination makes them a cross-functional governance issue, not a narrow IT rollout. Hospitals that separate security ownership from operational ownership tend to inherit shadow processes, inconsistent device states, and avoidable trust loss. Practitioners should align IAM, clinical operations, and endpoint teams around one shared access standard.
Shared-use mobility is becoming a test case for identity modernisation in healthcare. Passwordless authentication, SSO, and contextual controls are not optional extras when the same device serves multiple users in urgent care settings. The field is moving toward access models that preserve speed without relying on memory, habit, or shared secrets. Practitioners should treat shared-device security as a measure of broader IAM maturity.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- For broader lifecycle context, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline across identity programmes.
What this signals
Shared clinical access is pushing healthcare closer to an identity-first operating model. The organisations that treat ward devices as part of IAM design, not just endpoint inventory, will be better placed to reduce friction without losing control. That is especially relevant as healthcare teams standardise access across more locations and shift patterns.
The governance gap here is formalisation, not invention. Once device handoff, logout discipline, and accountability are made explicit, shared mobility becomes measurable rather than anecdotal, which is what makes it governable at scale.
NHI and human access programmes increasingly converge on the same operating question: how do you preserve speed while proving who had access at any given moment? In shared environments, the answer is a control chain that binds session, device, and context together.
For practitioners
- Define a formal shared-device policy Set explicit rules for provisioning, user handoff, session timeout, logout behaviour, and exception handling across every ward and shift.
- Replace repeated login flows with stronger access patterns Use passwordless authentication and SSO where clinically appropriate, then add step-up checks only when role or context changes.
- Centralise mobile device management Maintain a known device state with standard provisioning, patching, and retirement controls so shared endpoints do not drift between users.
- Tie access accountability to context Record who used each device, under what conditions, and for which clinical function so audit and incident review can reconstruct session history.
Key takeaways
- Shared-use mobile devices can deliver measurable cost savings, but those gains disappear if policy and session governance remain informal.
- The main risk is not the device itself, but the failure to bind identity, workflow, and accountability across repeated clinical handoffs.
- Healthcare teams should modernise access with passwordless, SSO, and centralised device management while tightening policy for session traceability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Shared-device access should enforce least privilege and traceable authentication. |
| NIST SP 800-63 | IAL2 | Clinical authentication needs stronger identity assurance when shared devices are used. |
| NIST Zero Trust (SP 800-207) | SA-3 | Shared devices need continuous session verification across shifting clinical contexts. |
Apply stronger assurance and reauthentication rules where device context changes between users.
Key terms
- Shared-use mobile device: A shared-use mobile device is a handset or tablet used by multiple people across different shifts or tasks. In identity programmes, the control challenge is not ownership but session separation, accountability, and rapid state reset between users.
- Session handoff: Session handoff is the controlled transfer of a device from one user to another without leaving access, data, or authentication state behind. It is a governance pattern that depends on logout discipline, device state management, and clear accountability for each transition.
- Contextual access control: Contextual access control grants or restricts access based on current conditions such as user role, location, device state, or clinical setting. In shared-device environments, it reduces unnecessary exposure by ensuring access reflects the current task, not a past login state.
- Identity governance: Identity governance is the set of rules, reviews, and accountability processes that control who or what can access systems and under what conditions. For shared devices, it has to cover both user access and the lifecycle of the endpoint itself.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Imprivata: The Dual Reality of Shared-Use Mobile Devices in UK Healthcare. Read the original.
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
