
HIPAA, shared devices, and vendor access: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Healthcare’s shift to EHRs, shared mobile devices, and third-party access is widening the identity attack surface and making HIPAA compliance harder to sustain, according to Imprivata. The control gap is no longer just access convenience versus security, but whether identity governance can cover every user, device, and vendor without breaking clinical workflows.

NHIMG editorial — based on content published by Imprivata: Thoughts from Dr. Sean Kelly on HIPAA’s 29th Anniversary

By the numbers:

Questions worth separating out

Q: How should healthcare organisations govern shared mobile devices without slowing clinicians down?

A: Healthcare organisations should use session-level access controls, fast authentication, and strong user attribution so shared devices do not erase accountability.

Q: Why do third-party access relationships create HIPAA risk?

A: Third-party access becomes risky when vendor or contractor credentials stay active longer than the business need that justified them.

Q: How do security teams know whether zero trust is working in healthcare?

A: Zero trust is working when access decisions depend on current identity, device posture, and session context rather than on network location.

Practitioner guidance

  • Map shared-device identity paths: Trace which clinicians, contractors, and support staff use each shared mobile device, then require session-level attribution for every patient-data access event.
  • Time-box vendor and contractor credentials: Assign expiry, review, and offboarding checkpoints to every third-party account that can reach patient systems.
  • Tie access to current device context: Require device posture and session context to be evaluated at sign-in and during sensitive operations, especially for mobile clinical access.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Dr. Sean Kelly's healthcare-specific commentary on how HIPAA risk changes as shared devices become more common.
  • The vendor's perspective on balancing workflow efficiency with access control in clinical settings.
  • The article's discussion of vendor risk management, patient privacy monitoring, and ZTNA principles in day-to-day hospital operations.
  • Direct quotes tying these themes to patient safety and regulatory exposure.

👉 Read Imprivata's commentary on HIPAA, shared devices, and vendor access →


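Added worked example (not code from Imprivata, Dr. Kelly, or the NHIMG post): a small zero-trust access-decision function for a clinical environment that ties together the three Q&A answers and the practitioner guidance above. It evaluates current identity, device posture, and session context, enforces expiry and review checkpoints on vendor and contractor accounts, requires session-level attribution on shared devices, and deliberately never looks at network location. The data model, thresholds (90-day review, 15-minute step-up window), action names, users, devices, and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed thresholds for this example; a real deployment sets them by policy.
MAX_REVIEW_AGE = timedelta(days=90)   # third-party accounts must be re-reviewed this often
STEP_UP_AGE = timedelta(minutes=15)   # sensitive actions need a recent authentication
SENSITIVE_ACTIONS = {"export_records", "change_medication_order"}

@dataclass
class Identity:
    user_id: str
    kind: str                                   # "clinician", "vendor" or "contractor"
    expires_at: Optional[datetime] = None       # mandatory for vendor/contractor accounts
    last_review_at: Optional[datetime] = None   # last access review of a third-party account

@dataclass
class DevicePosture:
    device_id: str
    shared: bool          # shared clinical device, e.g. a ward tablet
    managed: bool
    disk_encrypted: bool
    os_patched: bool

@dataclass
class SessionContext:
    session_id: str
    authenticated_at: datetime
    session_user: Optional[str]   # identity bound to this session on the device
    network_zone: str             # recorded for audit only; never used in the decision

def decide(identity: Identity, device: DevicePosture, session: SessionContext,
           action: str, now: datetime) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # 1. Attribution: on a shared device the session must be bound to the requester.
    if device.shared and session.session_user != identity.user_id:
        return "deny", "shared-device session is not attributed to the requesting user"
    # 2. Time-boxed third-party credentials: expiry and periodic review are both required.
    if identity.kind in ("vendor", "contractor"):
        if identity.expires_at is None or now >= identity.expires_at:
            return "deny", "third-party credential is expired or has no expiry"
        if identity.last_review_at is None or now - identity.last_review_at > MAX_REVIEW_AGE:
            return "deny", "third-party credential is overdue for access review"
    # 3. Device posture, re-evaluated on every request rather than once at enrolment.
    if not (device.managed and device.disk_encrypted and device.os_patched):
        return "deny", "device posture check failed"
    # 4. Session freshness: sensitive operations require a recent authentication.
    if action in SENSITIVE_ACTIONS and now - session.authenticated_at > STEP_UP_AGE:
        return "step_up", "re-authentication required for a sensitive operation"
    return "allow", "identity, device posture and session context checks passed"

def audit_record(identity, device, session, action, decision, reason, now) -> dict:
    """Attribute every patient-data access attempt to a user, device and session."""
    return {"time": now.isoformat(), "user": identity.user_id, "kind": identity.kind,
            "device": device.device_id, "shared_device": device.shared,
            "session": session.session_id, "network_zone": session.network_zone,
            "action": action, "decision": decision, "reason": reason}

# Constructed scenarios (not real users, devices or timestamps).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
WARD_TABLET = DevicePosture("ward-tablet-07", shared=True, managed=True,
                            disk_encrypted=True, os_patched=True)
BYOD_PHONE = DevicePosture("byod-phone-3", shared=False, managed=False,
                           disk_encrypted=True, os_patched=True)
DR_A = Identity("dr_a", "clinician")
DR_B = Identity("dr_b", "clinician")
VENDOR_OK = Identity("vendor_x", "vendor", NOW + timedelta(days=10), NOW - timedelta(days=30))
VENDOR_EXPIRED = Identity("vendor_x", "vendor", NOW - timedelta(days=1), NOW - timedelta(days=30))
VENDOR_UNREVIEWED = Identity("vendor_x", "vendor", NOW + timedelta(days=10), NOW - timedelta(days=120))
FRESH = SessionContext("s1", NOW - timedelta(minutes=2), "dr_a", "hospital_lan")
STALE = SessionContext("s2", NOW - timedelta(minutes=40), "vendor_x", "vpn")

def run_scenarios() -> dict[str, str]:
    """Map each constructed scenario to its decision; reasons come from decide()."""
    cases = {
        "clinician_attributed": (DR_A, WARD_TABLET, FRESH, "view_chart"),
        "clinician_unattributed": (DR_B, WARD_TABLET, FRESH, "view_chart"),
        "clinician_unmanaged_device": (DR_A, BYOD_PHONE, FRESH, "view_chart"),
        "vendor_expired": (VENDOR_EXPIRED, WARD_TABLET, STALE, "view_chart"),
        "vendor_unreviewed": (VENDOR_UNREVIEWED, WARD_TABLET, STALE, "view_chart"),
        "vendor_sensitive_stale_session": (VENDOR_OK, WARD_TABLET, STALE, "export_records"),
    }
    return {name: decide(*args, NOW)[0] for name, args in cases.items()}

def network_zone_is_ignored() -> bool:
    """The same request from the hospital LAN and from the internet gets the same answer."""
    off_lan = SessionContext("s1", FRESH.authenticated_at, "dr_a", "internet")
    return decide(DR_A, WARD_TABLET, FRESH, "view_chart", NOW) == \
        decide(DR_A, WARD_TABLET, off_lan, "view_chart", NOW)

if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:32} {decision}")
    print("network zone ignored:", network_zone_is_ignored())
```

The order of checks is the design point: attribution is tested first so that a shared-device session that cannot name its user is denied before any other attribute is consulted, third-party accounts are denied on a missing expiry as well as a past one, and the network zone is carried only into the audit record, which is the one place it is still useful.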



   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Healthcare identity sprawl is now a governance problem, not just an operational convenience issue. Shared-use devices, vendor access, and distributed care environments create an identity estate that is wider than the old employee-login model. HIPAA still governs privacy, but the control surface now includes every credential, endpoint, and third-party relationship that can touch patient data. The practitioner implication is that access governance must follow the workflow, not the office network.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: Who is accountable when shared access exposes patient data?

A: Accountability sits with the organisation that approves, monitors, and revokes the access path, not just with the person who used it. In healthcare, that usually means identity, security, privacy, and clinical operations must share governance over shared devices and third-party credentials. HIPAA does not remove that accountability chain.

👉 Read our full editorial: HIPAA-era identity controls are lagging behind healthcare sprawl



   