Critical industry access friction: what IAM teams need to fix


(@nhi-mgmt-group)

TL;DR: Ransomware attacks on U.S. critical infrastructure climbed 9% in 2024, while healthcare workers lose 13 minutes per shift to login friction and 47% of organisations reported a third-party breach last year, according to the FBI, Imprivata, and Ponemon Institute. Access design is now an operational security control, not just a usability concern.

NHIMG editorial — based on content published by Imprivata: The Impact of Inefficient Access for Critical Industries and Frontline Workers

By the numbers:

Questions worth separating out

Q: How should security teams reduce login friction without weakening identity controls in critical industries?

A: Security teams should replace repetitive password and MFA steps with phishing-resistant authentication that works in shift-based, shared-device environments.

Q: Why do shared workstations create more identity risk than personal devices?

A: Shared workstations increase identity risk because the session often outlives the person who authenticated into it.

Q: What do organisations get wrong about third-party access in hybrid environments?

A: They often treat vendor access as a provisioning task instead of a lifecycle control.

Practitioner guidance

  • Replace repetitive login flows with phishing-resistant access methods. Use tap-and-go badges, biometrics, or device-bound passkeys for shift workers where shared devices and rapid handoffs are normal.
  • Apply session controls to every shared workstation. Bind sessions to the individual user, force sign-out at handoff, and shorten inactivity windows on devices used across shifts.
  • Re-scope third-party access to named owners and expiry dates. Map every vendor account to a business owner, a specific purpose, and a removal checkpoint.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • How passwordless options such as tap-and-go badges, biometrics, and device-bound passkeys support frontline workflows
  • Why clinician login friction translates into lost time and higher workarounds across shared devices
  • What the article says about Zero Trust network access and user behaviour analytics in operational environments
  • How the vendor frames the productivity and security trade-offs for shift-based teams

👉 Read Imprivata's analysis of access friction, frontline security, and passwordless access →

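The shared-workstation guidance above (bind sessions to the individual user, force sign-out at handoff, shorten inactivity windows) can be checked against workstation event logs. The following is an added example, not part of the original post or of Imprivata's article; the log format, the event names LOGIN/ACTION/LOGOUT, and the 5-minute idle limit are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=5)  # assumed inactivity window; tune per site

# Constructed sample events: "<ISO time> <workstation> <event> <user>"
SAMPLE_LOG = """\
2024-05-01T06:55:00 WS-12 LOGIN alice
2024-05-01T06:58:00 WS-12 ACTION alice
2024-05-01T07:00:00 WS-12 LOGOUT alice
2024-05-01T07:01:00 WS-12 LOGIN bob
2024-05-01T07:03:00 WS-12 ACTION bob
2024-05-01T07:20:00 WS-12 ACTION bob
2024-05-01T07:22:00 WS-12 LOGIN carol
2024-05-01T07:23:00 WS-12 ACTION carol
2024-05-01T07:24:00 WS-12 LOGOUT carol
"""

def find_stale_sessions(log_text, idle_limit=IDLE_LIMIT):
    """Return (time, workstation, session owner, reason) for sessions that outlive their user."""
    open_sessions = {}  # workstation -> (owner, time of last event in that session)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ws, event, user = line.split()
        now = datetime.fromisoformat(stamp)
        current = open_sessions.get(ws)
        if current:
            owner, last_seen = current
            if event == "LOGIN":
                if user != owner:
                    # A new user authenticated while the previous session was still open.
                    findings.append((stamp, ws, owner, "no sign-out at handoff"))
            elif user == owner and now - last_seen > idle_limit:
                # The session was used again after sitting idle past the limit
                # without a fresh LOGIN, so it was never locked.
                findings.append((stamp, ws, owner, "idle window exceeded"))
        if event == "LOGOUT":
            if current and current[0] == user:
                del open_sessions[ws]
        else:
            open_sessions[ws] = (user, now)
    return findings

if __name__ == "__main__":
    for finding in find_stale_sessions(SAMPLE_LOG):
        print(*finding)
```
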