Shared workstations compress multiple users, roles, and shifts into one access surface. If authentication, session locking, and audit trails are weak, users are more likely to share credentials or stay logged in, which breaks accountability and increases exposure to sensitive data. The risk grows when regulated workflows depend on rapid handoff between users.
Why This Matters for Security Teams
Shared workstations are common in hospitals, laboratories, call centres, manufacturing floors, and branch operations because they improve throughput. The security problem is that the workstation becomes the identity boundary, not the person. When users move quickly between shifts or tasks, weak lock screens, shared passwords, and unattended active sessions make it easy for the next person to inherit access, data, and even privileged workflows.
That is especially risky in regulated environments where accountability, traceability, and least privilege are not optional. A single missed logout can blur who accessed a record, approved a transaction, or exported sensitive data. NIST’s Cybersecurity Framework 2.0 emphasises governance and access control, but in practice shared endpoints often undermine both if session hygiene is weak. NHIMG’s Ultimate Guide to NHIs shows that poor lifecycle discipline and excessive privilege are already widespread across identity estates.
In practice, many security teams encounter shared-workstation misuse only after an audit finding, a patient-data complaint, or an access review has already exposed the gap.
How It Works in Practice
Shared workstation risk is not just about physical proximity. It is about how authentication, session state, and audit data are bound together. If the device stays logged into an EHR, ERP, MES, or payment application, the next user may inherit the prior user’s authority without re-authenticating. In regulated workflows, that breaks non-repudiation because the system records an action, but not always the correct person behind it.
Good practice is to treat each handoff as a control point, not an administrative convenience. That usually means separate user accounts, enforced lock-on-inactivity, fast re-authentication for sensitive actions, and logs that capture user, device, time, and application context. It also means reducing cached credentials, browser persistence, and shared service logins that blur accountability. Where identity assurance matters most, organisations increasingly combine MFA, device binding, and policy checks at the application layer rather than relying on the workstation alone. Guidance from NIST SP 800-63B supports stronger authenticator and session management decisions, while NHIMG’s lifecycle guidance for NHIs reinforces that access should be revoked or re-issued cleanly rather than left to informal handoff.
- Use unique identities for every person, even on the same terminal.
- Require automatic screen locking after short inactivity thresholds.
- Force re-authentication before approving records, payments, or privileged actions.
- Capture audit trails that distinguish user identity from device identity.
- Disable password sharing, kiosk exceptions, and persistent application sessions unless formally justified.
Where this guidance breaks down is in high-volume operations with very short task intervals and legacy applications that cannot support per-action re-authentication or clean session isolation.
Common Variations and Edge Cases
Tighter workstation controls often increase operational friction, requiring organisations to balance traceability against shift speed and frontline usability. That tradeoff is real in emergency departments, manufacturing lines, and warehouse environments where users need rapid handoff. Best practice is evolving here, and there is no universal standard for every workflow.
Some environments use shared or generic accounts for device operation, but that should be an exception with compensating controls, not the default. In those cases, organisations need stronger supervisory logs, role-based restrictions inside the application, and clear procedural accountability at the workflow level. Shared kiosks used for patient check-in or visitor management may also be acceptable if the system is deliberately designed to avoid access to regulated records. By contrast, remote desktop jump points, privileged admin consoles, and anything touching financial, clinical, or export-controlled data should not rely on a workstation as the security boundary. NHIMG’s regulatory and audit perspectives and the 52 NHI Breaches Analysis both point to the same lesson: weak identity boundaries tend to surface first as audit gaps, then as incident reports.
For regulated teams, the safest approach is to assume the workstation will be shared and design the identity control plane so that no session, privilege, or approval survives the handoff unless it is explicitly re-established.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC | Shared workstations fail when access control and session governance are weak. |
| NIST SP 800-63 | SP 800-63B | Session and authenticator guidance maps directly to workstation handoff risk. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared endpoints often expose identity and session weaknesses that mirror NHI lifecycle failures. |
Treat workstation logins as managed identities and revoke access cleanly at every shift change.
Related resources from NHI Mgmt Group
- Why do shared mobile workflows often create identity risk in operations teams?
- Why do S/MIME certificates create compliance risk in regulated environments?
- Why do non-human identities create audit risk in modern environments?
- Why do shared workstations and mixed devices increase identity risk in public safety environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
