
Shared mobile devices in hospitals: what identity teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Australian hospitals could save an average of A$1.2 million annually through shared mobile device programmes, but Imprivata says more than half of clinical and IT leaders lack full confidence in patient-data protection because of credential sharing, unsecured logins, and inconsistent governance. The security problem is not the device itself, but the identity and access controls wrapped around shared clinical workflows.

NHIMG editorial — based on content published by Imprivata: Shared Mobile Devices Promise Millions in Savings, But Data Security Gaps Introduce Risk for Australian Hospitals

By the numbers:

Questions worth separating out

Q: How should hospitals secure shared mobile devices without slowing clinical work?

A: Hospitals should combine fast authentication with strict session control.

Q: Why do shared mobile devices create IAM risk in healthcare?

A: Shared mobile devices create IAM risk because one device can become multiple users’ access path if credentials are shared or sessions stay open.

Q: What do security teams get wrong about passwordless access in hospitals?

A: They often treat passwordless access as a complete fix rather than one control in a larger governance model.

Practitioner guidance

  • Enforce per-user authentication on every shared device. Require each clinician to authenticate before patient data is displayed, and prevent generic or shared logins from being used as a shortcut in busy wards.
  • Design for automatic session termination at handoff. Make the device log out or lock when a user finishes care delivery, so the next clinician cannot inherit an active session.
  • Align shared-device access with access review cycles. Include shared mobile device permissions in routine access reviews so managers can confirm who is authorised to use the device and under what conditions.

What's in the full article

Imprivata's full research covers the operational detail this post intentionally leaves for the source:

  • The ROI assumptions behind shared mobile device programmes, including the A$1.2 million annual savings model.
  • The survey breakdown showing how clinicians, IT leaders, and governance concerns vary across hospital environments.
  • The practical identity controls discussed for device access, passwordless authentication, SSO, and policy design.
  • The business case details behind the comparison between policy-led and ad hoc shared-device deployments.

👉 Read Imprivata's research on shared mobile devices and hospital identity risk →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Shared mobile device risk is fundamentally a human IAM failure, not a hardware problem. The article shows that credential sharing and lingering signed-in sessions are the real control failures, even when the devices themselves are intended to improve care delivery. That means the governance question is whether identity controls can keep pace with clinical speed. Practitioners should treat shared devices as a human access design issue, not a mobility project.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: How do you know shared-device governance is working in a hospital?

A: You know it is working when every patient-record access is attributable to a named clinician, signed-in sessions do not survive handoff, and access review can confirm who is authorised to use the device. If logs show persistent sign-ins or shared credentials, the programme is functioning as convenience-first access, not controlled identity governance.

👉 Read our full editorial: Shared mobile devices expose hospital identity gaps in Australian care



   
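The three log signals named in the last answer above (access attributable to a named clinician, sessions that do not survive handoff, no shared credentials), written as an added detection example that is not from the original posts or from Imprivata. The log format, event names, account names and the 10-minute idle limit are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values and account names (hypothetical, not from the article).
SHARED_ACCOUNTS = {"ward3", "nurse-station"}
IDLE_LIMIT = timedelta(minutes=10)

# Constructed sample audit events: (ISO time, device, account, event).
SAMPLE_LOG = [
    ("2024-05-01T08:00:00", "dev-01", "a.nguyen", "login"),
    ("2024-05-01T08:02:00", "dev-01", "a.nguyen", "record_access"),
    ("2024-05-01T08:05:00", "dev-01", "a.nguyen", "logout"),
    ("2024-05-01T08:06:00", "dev-01", "b.singh", "login"),
    ("2024-05-01T08:07:00", "dev-01", "b.singh", "record_access"),
    ("2024-05-01T08:30:00", "dev-01", "c.jones", "login"),  # b.singh never logged out
    ("2024-05-01T09:00:00", "dev-02", "ward3", "login"),
    ("2024-05-01T09:01:00", "dev-02", "ward3", "record_access"),
    ("2024-05-01T09:40:00", "dev-02", "ward3", "record_access"),
]

def audit(events):
    """Return (time, device, account, finding) tuples in time order."""
    open_session = {}  # device -> (account, time of last activity)
    findings = []
    for ts, device, account, event in sorted(events):
        now = datetime.fromisoformat(ts)
        current = open_session.get(device)
        if event == "login":
            # A login while another session is still open means the
            # previous user's session survived the handoff.
            if current is not None:
                findings.append((ts, device, current[0], "session_survived_handoff"))
            open_session[device] = (account, now)
        elif event == "logout":
            open_session.pop(device, None)
        elif event == "record_access":
            if account in SHARED_ACCOUNTS:
                findings.append((ts, device, account, "shared_credential"))
            if current is None or current[0] != account:
                # No matching authenticated session on this device.
                findings.append((ts, device, account, "unattributed_access"))
            elif now - current[1] > IDLE_LIMIT:
                findings.append((ts, device, account, "stale_session_reused"))
            if current is not None and current[0] == account:
                open_session[device] = (account, now)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```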