Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shared mobile devices in healthcare: are IAM controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Shared-use devices are often left signed in after use, staff frequently share credentials, and traditional usernames and passwords still underpin access for many organisations, creating a persistent security and workflow gap in healthcare, according to Imprivata research. The underlying issue is that identity controls for shared clinical devices have not kept pace with how care teams actually work.

NHIMG editorial — based on content published by Imprivata: The Hidden Security Risk Undermining Healthcare Efficiency

By the numbers:

Questions worth separating out

Q: How should healthcare organisations secure shared mobile devices without slowing clinicians down?

A: Use individual identity, passwordless re-authentication, and strong session controls so staff can move quickly without sharing credentials or leaving devices signed in.

Q: Why do shared devices create more access risk than personal devices?

A: Shared devices compress multiple users into one session boundary, so any failure to sign out, reset, or re-authenticate can expose patient data to the next user.

Q: What breaks when staff share usernames and passwords on clinical devices?

A: The access model breaks because accountability becomes indistinct, audit trails lose value, and credential reuse turns one user’s permission into many users’ access.

Practitioner guidance

  • Define a shared-device session lifecycle Set explicit sign-in, idle, and sign-out rules for shared clinical devices so the session closes at handover instead of relying on user discipline.
  • Replace shared credentials with governed authentication Move clinicians away from shared usernames and passwords by introducing passwordless or biometric re-authentication tied to individual identity.
  • Map access policy to clinical handover points Review where patient-care handoffs occur and align device access termination with those moments, especially in wards, emergency care, and mobile rounds.

What's in the full article

Imprivata's full research covers the operational detail this post intentionally leaves for the source:

  • Breakdown of shared-device adoption patterns across healthcare teams and the security trade-offs behind them.
  • The detailed ROI comparison between comprehensive shared mobile programmes and organisations without a shared-device policy.
  • The access issues, lockout behaviour, and help desk burden clinicians experience in day-to-day use.
  • The report’s recommendations on combining passwordless authentication, SSO, and IAM policy for clinical workflows.

👉 Read Imprivata's research on shared mobile device security in healthcare →

Shared mobile devices in healthcare: are IAM controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Shared clinical devices expose an identity governance gap, not just a device hygiene issue. The article shows that the control failure sits at the boundary between human workflow and access policy. When 74% of shared-use devices are left signed in and 79% of staff share credentials, the programme problem is not awareness alone but the absence of a workable access lifecycle for clinical endpoints. Practitioners should treat shared-device governance as a core IAM control surface, not a side process.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who is accountable when shared clinical device access leads to patient data exposure?

A: Accountability sits with the organisation that defined the access model, the operational owners who allowed the shared workflow, and the identity team that did not enforce a safer handoff pattern. In healthcare, compliance frameworks expect access to be attributable, so shared credentials and persistent sessions create a governance failure, not just a user error.

👉 Read our full editorial: Shared mobile devices expose healthcare IAM gaps and access risk



   
ReplyQuote
Share: