Why do shared devices often improve care but still create security risk?

Why This Matters for Security Teams

Shared devices can improve care delivery because they reduce login friction, keep clinical workflows moving, and make it easier for teams to hand off work across shifts. The security problem is that those same efficiencies blur identity boundaries. Once a device is treated as “shared,” session persistence, cached tokens, and informal credential reuse become normal, and accountability weakens. That is especially risky when the endpoint is used to access EHRs, messaging, imaging, or admin tools.

Industry guidance increasingly frames this as a trust-model issue, not just an endpoint problem. NIST’s Cybersecurity Framework 2.0 emphasizes that access governance must stay aligned to operational context, while NHIMG’s Ultimate Guide to NHIs - Why NHI Security Matters Now shows how weak visibility and control over identities quickly translate into exposure. For shared devices, the same pattern applies to human and non-human access alike: convenience expands the blast radius unless session handling, authentication, and device state are designed for reuse.

NHI Management Group also notes that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which is a useful signal for shared-device environments because the control gap often begins with identity sprawl, not malware. In practice, many security teams encounter unauthorized access only after a shift handoff, not through intentional privilege design.

How It Works in Practice

Shared devices are safest when the device is treated as a managed access point, not as a reusable identity. The practical goal is to separate the person, the session, and the endpoint. That usually means strong user authentication, per-user sessions, automatic logoff, short-lived credentials, and role-appropriate access that is re-established at each handoff. For environments that rely on shared carts, kiosks, or bedside devices, the key is to reduce the amount of standing trust attached to the device itself.

Current best practice is to pair device hardening with identity controls that preserve accountability. That includes:

• Unique user login for every clinical action that changes records, orders, or permissions.
• Automatic session timeout and re-authentication after inactivity or user switch.
• Least-privilege access so a shared device does not become a pathway to broad application access.
• Auditing that ties each action to a named user, not just to the endpoint.
• Central policy enforcement for browsers, remote apps, and privileged workflows.

This is where NHI principles matter even in human-facing workflows. Shared devices often host service accounts, API keys, or application tokens that are reused across staff and systems. The Top 10 NHI Issues and the OWASP NHI Top 10 both reinforce the same point: long-lived credentials and over-privileged access are dangerous when multiple actors touch the same system. Shared-device programs should therefore inventory all secrets on the endpoint, rotate them aggressively, and remove any standing administrative access that is not essential.

These controls tend to break down when legacy clinical applications cannot support per-user authentication or when offline workflows force cached credentials to remain active for too long.

Common Variations and Edge Cases

Tighter shared-device controls often increase login time and workflow interruptions, so organisations have to balance clinical speed against session integrity. That tradeoff is most visible in emergency care, operating rooms, and high-turnover wards, where staff may move quickly between patients and devices.

Best practice is evolving for these environments. Some organisations allow limited shared access for non-sensitive functions while requiring re-authentication for any action that creates, changes, or exports data. Others use proximity badges, tap-to-authenticate, or context-aware access to preserve usability without abandoning accountability. There is no universal standard for this yet, but the direction is clear: reuse the device, not the identity.

Shared-device risk also grows when the endpoint is used for third-party portals, clinical integrations, or delegated admin tools. In those cases, the device can become a multiplier for credential exposure, especially if tokens are cached locally or sessions are left open between users. A practical control set should therefore include periodic review of all shared endpoints, removal of stale sessions, and explicit policy for handoff, logout, and escalation.

For guidance on broader identity governance patterns, NHI Management Group’s Ultimate Guide to NHIs - Key Challenges and Risks is useful because the same lifecycle mistakes that weaken machine identities also show up in shared clinical access. In practice, the risk is rarely the device alone; it is the combination of shared hardware, persistent sessions, and weak attribution.

Related resources from NHI Mgmt Group

• When does a short-lived API key still create material risk?
• Why do non-human identities create more audit risk than human accounts?
• Why do non-human identities create audit risk in modern environments?
• Why do non-human identities create compliance risk even when policies exist?