Shared devices and vendor access in critical industries: where IAM fails


(@nhi-mgmt-group)

TL;DR: Critical industries are redesigning authentication, shared device workflows, and vendor access because legacy systems, password friction, and opaque third-party pathways are slowing work and widening risk, according to Imprivata. The central issue is not convenience versus security, but whether identity controls can support frontline operations without creating unsafe workarounds.

NHIMG editorial — based on content published by Imprivata: identity, shared mobile devices, and vendor access in critical industries

Questions worth separating out

Q: How should security teams reduce credential sharing on shared devices?

A: Security teams should replace slow, user-specific login flows with fast authentication methods that preserve accountability on shared endpoints.

Q: Why do third-party users create outsized identity risk in critical industries?

A: Third-party users create outsized identity risk because their access is often broader, less visible, and harder to lifecycle-manage than internal access.

Q: What breaks when shared mobile programs are not tied to identity governance?

A: Shared mobile programs break when provisioning, deprovisioning, and role assignment are handled inconsistently.

Practitioner guidance

  • Redesign authentication for shared endpoints: Use badge tap, proximity sign-in, or equivalent fast authentication on shared workstations and mobile fleets so clinicians and frontline staff do not revert to shared passwords or manual resets.
  • Separate vendor access from generic support pathways: Require named vendor identities, session recording, and explicit approval before third parties reach production systems or operational technology, especially where VPN access is still common.
  • Measure friction as an identity risk indicator: Track time lost to logins, reconfiguration, and lockouts on shared devices, because repeated delays are usually a leading signal that users are bypassing intended controls.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Specific case studies from healthcare, manufacturing, and public safety teams that show how identity changes affected day-to-day operations.
  • Detailed implementation examples for badge tap access, shared mobile device workflows, and vendor privileged access management.
  • Organisation-by-organisation outcomes that explain how access changes reduced downtime, improved transparency, and supported compliance.
  • The source article's practical lessons from frontline work that show how teams balanced friction reduction with stronger control.

👉 Read Imprivata's analysis of identity, shared devices, and vendor access in critical industries →
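
The third guidance item, measuring friction as an identity risk indicator, can be turned into a per-device report. The sketch below is an added example, not code from the post or from Imprivata; the log format, field names, device names, and both thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample events; the log format and field names are assumptions.
SAMPLE_LOG = """\
2024-05-01T07:02:11Z device=WS-ER-01 user=nurse.a event=login_ok duration_s=41
2024-05-01T07:09:40Z device=WS-ER-01 user=nurse.b event=lockout
2024-05-01T07:15:02Z device=WS-ER-01 user=nurse.b event=password_reset
2024-05-01T07:31:55Z device=WS-ER-01 user=nurse.a event=login_ok duration_s=38
2024-05-01T07:48:10Z device=WS-ER-01 user=nurse.c event=lockout
2024-05-01T07:03:20Z device=TAB-ICU-07 user=nurse.d event=login_ok duration_s=4
2024-05-01T07:40:09Z device=TAB-ICU-07 user=nurse.e event=login_ok duration_s=5
2024-05-01T08:12:44Z device=TAB-ICU-07 user=nurse.d event=login_ok duration_s=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\w+)(?: duration_s=(?P<dur>\d+))?$"
)
# Hypothetical thresholds; tune against your own baseline.
MAX_MEDIAN_LOGIN_S = 15
MAX_FAILURE_RATIO = 0.25  # (lockouts + resets) / all auth events on the device

def friction_report(log_text):
    """Return {device: metrics} with a 'flagged' verdict per shared device."""
    durations, failures, totals = defaultdict(list), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        dev = m["device"]
        totals[dev] += 1
        if m["event"] == "login_ok" and m["dur"] is not None:
            durations[dev].append(int(m["dur"]))
        elif m["event"] in ("lockout", "password_reset"):
            failures[dev] += 1
    report = {}
    for dev, total in totals.items():
        med = median(durations[dev]) if durations[dev] else None
        ratio = failures[dev] / total
        slow = med is not None and med > MAX_MEDIAN_LOGIN_S
        report[dev] = {"median_login_s": med, "failure_ratio": round(ratio, 2),
                       "flagged": slow or ratio > MAX_FAILURE_RATIO}
    return report

if __name__ == "__main__":
    for device, metrics in friction_report(SAMPLE_LOG).items():
        print(device, metrics)
```

A flagged device is a prompt to review its login workflow and to check for shared or written-down credentials, not evidence of misuse on its own.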
