Shared mobile devices in healthcare: are IAM controls keeping up?

TL;DR: Shared-use devices are often left signed in after use, staff frequently share credentials, and traditional usernames and passwords still underpin access for many organisations, creating a persistent security and workflow gap in healthcare, according to Imprivata research. The underlying issue is that identity controls for shared clinical devices have not kept pace with how care teams actually work.

NHIMG editorial — based on content published by Imprivata: The Hidden Security Risk Undermining Healthcare Efficiency

By the numbers:

• 74% of shared-use devices are often left signed in after use.
• 79% of staff admit to sharing credentials.
• 87% of clinicians report access issues on shared mobile devices.

Questions worth separating out

Q: How should healthcare organisations secure shared mobile devices without slowing clinicians down?

A: Use individual identity, passwordless re-authentication, and strong session controls so staff can move quickly without sharing credentials or leaving devices signed in.

Q: Why do shared devices create more access risk than personal devices?

A: Shared devices compress multiple users into one session boundary, so any failure to sign out, reset, or re-authenticate can expose patient data to the next user.

Q: What breaks when staff share usernames and passwords on clinical devices?

A: The access model breaks because accountability becomes indistinct, audit trails lose value, and credential reuse turns one user’s permission into many users’ access.

Practitioner guidance

• Define a shared-device session lifecycle Set explicit sign-in, idle, and sign-out rules for shared clinical devices so the session closes at handover instead of relying on user discipline.
• Replace shared credentials with governed authentication Move clinicians away from shared usernames and passwords by introducing passwordless or biometric re-authentication tied to individual identity.
• Map access policy to clinical handover points Review where patient-care handoffs occur and align device access termination with those moments, especially in wards, emergency care, and mobile rounds.

What's in the full article

Imprivata's full research covers the operational detail this post intentionally leaves for the source:

• Breakdown of shared-device adoption patterns across healthcare teams and the security trade-offs behind them.
• The detailed ROI comparison between comprehensive shared mobile programmes and organisations without a shared-device policy.
• The access issues, lockout behaviour, and help desk burden clinicians experience in day-to-day use.
• The report’s recommendations on combining passwordless authentication, SSO, and IAM policy for clinical workflows.

👉 Read Imprivata's research on shared mobile device security in healthcare →

Shared mobile devices in healthcare: are IAM controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →