TL;DR: Shared mobile devices in healthcare are frequently left signed in, with 79% of staff sharing credentials and 74% of devices often remaining authenticated after use, according to Imprivata research. The security problem is not device mobility itself but weak identity governance around shared access, which turns workflow convenience into patient-data exposure.
NHIMG editorial — based on content published by Imprivata: The Hidden Security Risk Undermining Healthcare Efficiency
By the numbers:
- 74% of shared-use devices are often left signed in after use.
- 79% of staff admit to sharing credentials.
- 87% of clinicians report access issues on shared mobile devices.
Questions worth separating out
Q: How should healthcare organisations secure shared clinical devices without slowing care delivery?
A: Use per-user authentication, automatic session termination, and single sign-on so clinicians can reach records quickly without sharing credentials.
Q: Why do shared devices create more identity risk than standard workstation logins?
A: Shared devices create identity risk because one device can serve many users in a short period, which makes it easy for sessions to persist after handoff and for credentials to be shared informally.
Q: What breaks when clinicians use shared passwords on mobile devices?
A: Shared passwords break individual accountability and make access reviews almost meaningless because the system cannot prove who performed each action.
Practitioner guidance
- Enforce automatic sign-out on every shared device: Set idle timeout and session termination rules so a device cannot remain authenticated across handoffs.
- Eliminate shared credentials from clinical workflows: Give each clinician a unique identity and use SSO or passwordless authentication so access is attributable at the point of care.
- Treat device handoff as an IAM event: Build shift-change procedures that require explicit logout, confirmation of session closure, and local clean-up before the next user begins work.
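One way to check whether the sign-out and handoff rules above hold in practice is to replay device audit events and flag sessions that outlived an idle limit or a change of user. This is an added example, not code from Imprivata or the original article; the event names, device IDs, user names and the five-minute limit are all assumptions.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=5)  # assumed policy value, not from the source

# Constructed sample audit events: (ISO timestamp, device, user, event).
# Assumption: an enforced timeout would appear in the log as a "logout" event.
EVENTS = [
    ("2024-05-01T07:00:00", "tablet-07", "nurse.a", "login"),
    ("2024-05-01T07:02:00", "tablet-07", "nurse.a", "chart_open"),
    ("2024-05-01T07:30:00", "tablet-07", "nurse.a", "chart_open"),  # 28 min gap
    ("2024-05-01T07:31:00", "tablet-07", "nurse.b", "login"),       # no logout first
    ("2024-05-01T07:33:00", "tablet-07", "nurse.b", "logout"),
    ("2024-05-01T08:00:00", "tablet-09", "dr.c", "login"),
    ("2024-05-01T08:03:00", "tablet-09", "dr.c", "logout"),
]

def find_handoff_gaps(events, idle_limit=IDLE_LIMIT):
    """Return (finding, device, session_owner, timestamp) tuples."""
    open_session = {}  # device -> (user, time of last activity)
    findings = []
    for ts, device, user, event in sorted(events):
        now = datetime.fromisoformat(ts)
        current = open_session.get(device)
        if current:
            owner, last_seen = current
            # Session stayed authenticated past the idle limit.
            if now - last_seen > idle_limit:
                findings.append(("idle_exceeded", device, owner, ts))
            # A different user signed in while the prior session was open.
            if event == "login" and user != owner:
                findings.append(("handoff_without_logout", device, owner, ts))
        if event == "logout":
            open_session.pop(device, None)
        else:
            open_session[device] = (user, now)
    return findings

if __name__ == "__main__":
    for finding in find_handoff_gaps(EVENTS):
        print(finding)
```
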
What's in the full article
Imprivata's full research covers the operational detail this post intentionally leaves for the source:
- Role-by-role survey breakdown of how clinicians use shared devices in real care environments
- ROI comparisons between organisations with comprehensive shared mobile programmes and those without them
- Implementation detail on passwordless authentication, single sign-on, and biometric identification in clinical workflows
- The full set of access-friction findings, including help-desk lockouts and device-loss rates
Shared clinical devices: what IAM teams need to fix now?