Shadow IT is one of the most prominent threats to patient healthcare data because it often goes undetected unless the IT department has tools in place to flag and prevent the unauthorized use of third-party apps and devices.
Shadow IT comes into being when users access PHI on an unauthorized personal device or third-party application. Outdated and unsupported apps on personal devices can potentially infect the network if the user accesses corporate data. Users may opt for third-party apps such as Dropbox and Google Drive if they are unhappy with the performance, layout, or lack of apps provided by an organization.
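One way to put such flagging tooling in place, as an added example that is not from the article or from Travelers: a small Python check over constructed proxy log lines that flags traffic to unsanctioned consumer apps (the Dropbox and Google Drive case above) and traffic from unmanaged personal devices, and counts usage per app so IT can see which tools staff actually prefer. The log format, the host catalogue, the managed-device naming prefix and the upload-size threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real traffic): user, device, destination host, bytes sent
PROXY_LOG = """\
2016-05-10T09:12:03 user=jsmith device=CORP-LT-0142 host=ehr.hospital.example bytes_out=2048
2016-05-10T09:14:41 user=jsmith device=iPhone-jsmith host=www.dropbox.com bytes_out=5242880
2016-05-10T09:20:17 user=ajones device=CORP-LT-0077 host=drive.google.com bytes_out=1048576
2016-05-10T09:22:05 user=ajones device=CORP-LT-0077 host=ehr.hospital.example bytes_out=4096
2016-05-10T09:31:59 user=mlee device=Android-mlee host=api.whatsapp.com bytes_out=12288
"""

# Assumed inventory: managed device name prefixes and hosts approved to handle PHI
MANAGED_PREFIXES = ("CORP-",)
SANCTIONED_HOSTS = {"ehr.hospital.example"}
# Assumed catalogue of unsanctioned consumer apps that commonly end up carrying PHI
UNSANCTIONED_APPS = {
    "www.dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "api.whatsapp.com": "WhatsApp",
}

LINE_RE = re.compile(r"user=(\S+) device=(\S+) host=(\S+) bytes_out=(\d+)")


def parse(log):
    """Yield (user, device, host, bytes_out) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_shadow_it(log, upload_threshold=1_000_000):
    """Return (flags, app_usage): flagged events with their reasons, and a
    per-app count of how often staff reached for an unsanctioned tool."""
    flags = []
    app_usage = Counter()
    for user, device, host, bytes_out in parse(log):
        reasons = []
        if host in UNSANCTIONED_APPS:
            app = UNSANCTIONED_APPS[host]
            app_usage[app] += 1
            reasons.append(f"unsanctioned app {app}")
            if bytes_out >= upload_threshold:
                reasons.append("large upload")  # possible bulk PHI exfiltration
        if not device.startswith(MANAGED_PREFIXES) and host not in SANCTIONED_HOSTS:
            reasons.append("unmanaged device")  # personal phone/laptop on the network
        if reasons:
            flags.append((user, device, host, reasons))
    return flags, app_usage
```

The per-app counts are the same signal the article later describes: they tell IT which capability employees are missing, not just who broke policy.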
“Shadow IT could be any type of messaging app employees use or programming IT does that is outside of the norm or what has been approved,” explained Kirstin Simonson, 2nd VP at Travelers Global Technology. “The healthcare industry in particular has a regulatory environment that surrounds it with HIPAA being the primary regulation when it comes to data privacy. From a programming perspective, shadow IT can also bleed into the function of that healthcare operation.”
Shadow IT has a significant impact on health IT infrastructure. But according to Simonson, it also provides IT departments with an opportunity to build better tools to improve workflows. When organizations discover employees using certain proprietary apps to make their jobs easier, organizations can use that information to provide or develop an app with similar functionality to improve operations and workflow.
“Employees are always going to look for ways to be more efficient,” said Simonson. “However, embracing an application throughout an organization to make their job easier is a bigger concern.”
Many employees tend to view IT policies and procedures as barriers that block greater efficiency in the workplace, added Travelers VP and Chief Underwriting Officer Mike Thoma.
“Employees seek alternative workarounds, unapproved or non-vetted software, or develop independent programming,” he said.
“Organizations need to understand why employees are using shadow IT and look for opportunities to help improve efficiency,” Simonson advised. “Shadow IT can definitely have a negative consequence, but shadow IT can also have a positive impact.”
“If you see that employees are consistently using one application over what is available, you have to ask yourself why,” she continued. “Clearly there is some type of ease of use or something that is making their jobs easier. Can you incorporate whatever that is into your organization? If employees feel comfortable using the tools that are available, they don’t feel hindered, and they are less likely to use some non-approved device or application.”
The introduction of more connected medical and mobile devices increases the risk that shadow IT could corrupt a secure healthcare network.
“In 2013, the Mayo Clinic invited a white knight hacker to come in and attempt to infiltrate 40 connected devices they had within the clinic,” recalled Thoma. “He was successful at infiltrating all of them. The real danger is, as you’re introducing devices with different capabilities into an IT environment, you create a higher degree of risk.”
Shadow IT is surprisingly common in the healthcare industry, despite regulations such as HIPAA that should theoretically reduce the use of unauthorized health IT tools.
A recent Scrypt survey found that 83 percent of healthcare professionals send or receive PHI via mobile messaging tools at work. Of those respondents, 70 percent confessed to having done so using a non-secure application.
“If we went into any healthcare organization and really did a deep dive not only into employees but also into what IT is doing to make their jobs more efficient, we might be surprised how high those numbers are,” said Simonson.
Insecure and unapproved devices and applications not only put PHI at risk, but can also cost organizations money and damage their reputation. Simonson stated that employee education is the first and most important step to protecting the network from shadow IT threats.
“I hate to put all the ownership on the IT department because I think it’s an organizational discussion,” said Simonson. “IT can only do so much to mitigate the risk because they are in the network. Why I really put this back on the organization is because it’s down to human behavior. How do you create a culture that not only understands and is aware of what can happen, but also understands what the business impact can be if they engage in behavior that puts the company at risk?”
“I think if the training is there and if employees really understand at a much deeper level how their behavior can have a negative impact on the organization,” she continued, “that’s where you would see corrective actions starting to take place.”
Employee education is the most prominent step organizations can take to protect the network from shadow IT; however, adopting and developing tools to address employee needs is just as important. Organizations should invest in app development platforms to provide employees with alternative and secure versions of the apps they want to use.
Simonson suggests that looking at shadow IT holistically is the only way to fully address the issue.
“Organizations need to make sure that everyone has a very clear and strong business directive,” Simonson explained. “If you’re trying to do it in silos, that’s where you’re going to start to stumble. It really has to be a holistic enterprise risk management approach.”