TL;DR: Ransomware attacks on U.S. critical infrastructure climbed 9% in 2024, while healthcare workers lose 13 minutes per shift to login friction and 47% of organisations reported a third-party breach last year, according to the FBI, Imprivata, and Ponemon Institute. Access design is now an operational security control, not just a usability concern.
NHIMG editorial — based on content published by Imprivata: The Impact of Inefficient Access for Critical Industries and Frontline Workers
By the numbers:
- 9% in 2024., attacks on U.S. critical infrastructure climbed 9% in 2024.
- Clinicians lose an average of 13 minutes per shift just logging in.
- 47% of organizations experienced a third-party breach last year.
Questions worth separating out
A: Security teams should replace repetitive password and MFA steps with phishing-resistant authentication that works in shift-based, shared-device environments.
Q: Why do shared workstations create more identity risk than personal devices?
A: Shared workstations increase identity risk because the session often outlives the person who authenticated into it.
Q: What do organisations get wrong about third-party access in hybrid environments?
A: They often treat vendor access as a provisioning task instead of a lifecycle control.
Practitioner guidance
- Replace repetitive login flows with phishing-resistant access methods Use tap-and-go badges, biometrics, or device-bound passkeys for shift workers where shared devices and rapid handoffs are normal.
- Apply session controls to every shared workstation Bind sessions to the individual user, force sign-out at handoff, and shorten inactivity windows on devices used across shifts.
- Re-scope third-party access to named owners and expiry dates Map every vendor account to a business owner, a specific purpose, and a removal checkpoint.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- How passwordless options such as tap-and-go badges, biometrics, and device-bound passkeys support frontline workflows
- Why clinician login friction translates into lost time and higher workarounds across shared devices
- What the article says about Zero Trust network access and user behaviour analytics in operational environments
- How the vendor frames the productivity and security trade-offs for shift-based teams
👉 Read Imprivata's analysis of access friction, frontline security, and passwordless access →
Critical industry access friction: what IAM teams need to fix?
Explore further
Access friction is not a convenience issue, it is a control failure. When clinicians, operators, and responders lose time to repetitive logins, the organisation is not merely inconvenienced. It is teaching users to work around identity controls, which increases shared credential use, unlocked devices, and weak session hygiene. The governance lesson is simple: if access takes too long, users will create a shadow access model that the security programme does not formally recognise. The practitioner conclusion is that authentication design is part of operational resilience.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: How can teams tell whether access controls are actually working for frontline users?
A: Look for reduced login time, fewer password-sharing behaviours, lower session reuse on shared devices, and clearer removal of dormant vendor access. If users are still bypassing controls to keep work moving, the programme is secure on paper but brittle in practice. Effectiveness is visible in behaviour, not policy text.
👉 Read our full editorial: Inefficient access in critical industries expands both risk and friction