Shared Mobile Programme

By NHI Mgmt Group. Updated June 25, 2026. Domain: Governance, Ownership & Risk

A shared mobile programme is a model where multiple clinicians use the same device across shifts or care tasks. The programme succeeds only when identity, device readiness, and application access are managed as one controlled workflow with clear handoff rules and auditability.

Expanded Definition

A shared mobile programme is more than device pooling. In NHI and clinical access terms, it is a controlled operational pattern where a mobile device must be treated as a transient access boundary, with each user session bound to a verified identity, an approved task, and a predictable handoff sequence. Definitions vary across vendors, but the governance requirement is consistent: the device cannot be assumed trustworthy just because it is hospital-owned. Guidance from the NIST Cybersecurity Framework 2.0 reinforces the need to align access control, asset management, and recovery processes so that identity and endpoint state are managed together.

In practice, a shared mobile programme sits between Mobile Device Management, identity governance, and application access policy. The programme must define how a clinician signs in, what happens when a shift ends, how local data is cleared, and how applications are re-authenticated for the next user. This is where the term overlaps with NHI controls, because app tokens, cached sessions, and device certificates can behave like non-human identities if they outlive the intended handoff. The most common misapplication is treating device checkout as the only control, which occurs when teams overlook residual sessions, shared local caches, and apps that remain authenticated after user changeover.
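The handoff check described above can be sketched as an audit run at shift change. This is an added example, not code from NHI Mgmt Group or any MDM product; the artifact fields, the DEVICE marker, the clinician IDs and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

DEVICE = "device"  # assumed marker: artifact is bound to the device, not a clinician

@dataclass(frozen=True)
class Artifact:
    kind: str                       # app_token, cached_session, device_cert, local_cache
    app: str
    bound_to: str                   # clinician ID, or DEVICE
    issued_at: datetime
    expires_at: Optional[datetime]  # None means it never expires

def residual_artifacts(inventory: List[Artifact], outgoing: str,
                       handoff_at: datetime) -> List[Tuple[Artifact, str]]:
    """Return (artifact, reason) for everything that would outlive the handoff."""
    findings = []
    for a in inventory:
        if a.issued_at >= handoff_at:
            continue  # issued to the incoming session, not residue
        live = a.expires_at is None or a.expires_at > handoff_at
        if a.bound_to == DEVICE:
            if a.expires_at is None:
                findings.append((a, "device credential with no expiry"))
        elif live:
            who = "outgoing user" if a.bound_to == outgoing else "earlier user"
            findings.append((a, f"{who} artifact still valid at handoff"))
        elif a.kind == "local_cache":
            findings.append((a, "expired cache entry still on disk"))
    return findings

def ready_for_next_user(inventory, outgoing, handoff_at) -> bool:
    """Device checkout alone is not enough: require an empty findings list."""
    return not residual_artifacts(inventory, outgoing, handoff_at)

# Constructed sample inventory for one ward device at a 19:00 shift change.
T = datetime(2026, 1, 10, 19, 0)
SAMPLE = [
    Artifact("app_token", "emar", "nurse.a", T - timedelta(hours=2), T + timedelta(hours=6)),
    Artifact("cached_session", "ehr", "nurse.z", T - timedelta(days=1), None),
    Artifact("app_token", "labs", "nurse.a", T - timedelta(hours=8), T - timedelta(hours=1)),
    Artifact("device_cert", "mdm", DEVICE, T - timedelta(days=30), T + timedelta(days=60)),
    Artifact("local_cache", "notes", "nurse.a", T - timedelta(hours=3), T - timedelta(minutes=5)),
]

if __name__ == "__main__":
    for art, reason in residual_artifacts(SAMPLE, "nurse.a", T):
        print(f"{art.kind:15} {art.app:6} {art.bound_to:8} {reason}")
```

The second sample entry is the case the audit exists for: a session from a user two handoffs back that never expires and that a checkout-only process would not notice.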

Examples and Use Cases

Implementing a shared mobile programme rigorously often introduces workflow friction, requiring organisations to weigh faster clinical mobility against stricter session reset and verification steps.

  • Emergency department carts where nurses sign into a shared device for medication administration, then the session is fully cleared before the next shift.
  • Ward round devices that require re-authentication for each clinician and rebind the device to a new identity at handoff.
  • Phlebotomy or specimen-collection phones that access patient systems only after device health checks and short-lived application tokens are issued.
  • Imaging or bedside documentation devices that use managed app containers so local notes, files, and credentials do not persist across users.
  • Shared mobile workflows informed by lessons from the iOS app secrets leakage report, where unmanaged persistence can expose tokens, cached data, or embedded secrets beyond the intended session.

These scenarios align with guidance in the NIST Cybersecurity Framework 2.0 because the operational question is not just who can log in, but how the device returns to a known-good state before the next user receives it.

Why It Matters in NHI Security

Shared mobile programmes matter because they often create hidden identity persistence. A clinician may leave, but the device can retain app sessions, push tokens, local certificates, or cached credentials that behave like standing access. That is an NHI problem as much as an endpoint problem, because the exposure is tied to how credentials and application trust survive user turnover. NHIMG research shows that 96% of organisations store secrets outside secrets managers in vulnerable locations, and that pattern becomes especially dangerous when shared devices are used for fast-paced care delivery.

When a programme is poorly designed, the failure mode is rarely obvious until an audit, a patient safety review, or an incident response event reveals that the device was still trusted after handoff. At that point, access history, session revocation, and secret hygiene become inseparable. The Ultimate Guide to NHIs from NHI Mgmt Group highlights how widespread identity and secret mismanagement can be, and shared mobile operations inherit the same risks when handoff rules are informal. Organisations typically encounter the consequences only after a misplaced device, an unauthorised chart lookup, or a retained login session, at which point shared mobile programme controls become operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access permissions and session control are central to shared mobile handoff governance.
OWASP Non-Human Identity Top 10 | NHI-02 | Residual tokens and cached credentials on shared devices reflect improper secret handling.
NIST SP 800-63 | IAL2 | Shared clinical access depends on reliable identity proofing and re-authentication practices.

Bind each device session to the current clinician and revoke access cleanly at handoff.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 25, 2026.