Security gaps still haunt shared mobile device use in healthcare

Shared mobile devices are becoming the standard in hospitals and health systems. While they offer cost savings and workflow improvements, many organizations are still struggling to manage the security risks that come with them, according to Imprivata’s 2025 State of Shared Mobile Devices in Healthcare report.

Shared-use devices are everywhere, and their use will only grow. 99% of respondents expect shared device programs to expand over the next two years. The model saves money, with an average of $1.1 million saved each year compared to one-to-one or BYOD approaches. It also helps care teams communicate, access clinical apps, and treat patients more efficiently.

But behind those gains is a growing pile of security and accountability challenges that healthcare IT teams are still trying to get under control.

Credentials are still shared

The biggest security issue comes down to access. Despite the push toward more identity-driven workflows, 79% of respondents said staff still share credentials when using shared mobile devices. 74% said devices are often left signed in after use. These two practices alone can create serious exposure for sensitive patient data, especially if a device is lost or stolen.

49% of all survey participants said they’re not confident patient data is secure on shared mobile devices. That level of uncertainty stands out in an industry governed by regulations like HIPAA.

Informal processes dominate

One key reason for these risks is the lack of formal policies and processes. 16% of organizations say they have no consistent method for assigning devices at the start of shifts. 46% use verbal handoffs or other informal practices, and 28% rely on a “first come, first served” model with no logging or documentation.

When no one is tracking who has a device, there’s no easy way to know who accessed what, when, or why. There’s also no one to hold accountable when something goes wrong. As one IT decision maker from a 500 to 749 bed U.S. facility put it, “There’s a lack of accountability because shared-use devices don’t have an owner, which complicates tracking access and data changes.”

Lost devices, lost time, and data risk

The physical security of devices is also a concern. 23% of shared mobile devices go missing every year, whether through loss, theft, or simple misplacement. When a device is missing, staff waste time looking for it. On average, this adds up to three hours per week per device. For some organizations, the delay can be up to a 12-hour shift.

The report lists the top consequences of missing devices as risks to patient data security, communication delays, and delays to patient care.

Outdated tracking systems may be part of the problem. Many hospitals still use manual sign-out sheets or Excel spreadsheets to track device locations. That’s a weak link in any secure system, especially when real-time visibility is needed.

IT burden is growing

On top of security concerns, IT departments are under pressure. Without centralized systems to manage mobile devices, teams spend large chunks of their time on low-value tasks. Respondents said IT staff devote 32% of their time to maintenance, 25% to tracking, and 25% to monitoring shared devices.

Many also reported a lack of visibility. 48% don’t know which users had a device last. 53% don’t know when it was assigned. 55% don’t know which applications are being accessed. That lack of oversight increases the risk of compliance failures and makes it harder to detect malicious or negligent behavior.

Authentication still a pain point

Another sticking point is authentication. Nearly 90% of respondents said staff face access issues with shared mobile devices, often due to outdated authentication methods. A quarter of organizations still rely primarily on usernames and passwords for mobile access. This is not ideal in urgent care settings where every second counts.

These issues create frustrating workarounds. 81% of respondents said staff frequently resort to personal devices when shared-use ones are unavailable or too slow to access. That behavior not only undermines the organization’s investment in shared mobile, it also increases the attack surface and raises compliance concerns.

Policy is the differentiator

The report’s most hopeful finding is that a mobile access strategy makes a measurable difference. Facilities with an implemented shared device policy report a 63% greater ROI. They save $1.4 million per year, compared to $860,000 for those with no formal approach.

These organizations are better equipped to handle device checkouts, enforce consistent access controls, and track usage. They also generate fewer help desk tickets related to access problems, which cost an average of $70 each.