Out of the Fog: Managing Shadow IT in Healthcare

 

When I think of Shadow IT, I can’t help but imagine Humphrey Bogart, Claude Rains, or some other nefarious-looking guy in a trench coat looking out from the fog.

What happens in the shadows sooner or later comes to light. That’s not a bad motto for CIOs in healthcare organizations who may be dealing with a shadow IT problem—sooner or later, you’re going to learn your employees’ habits, and the consequences of their actions may be ugly.

Shadow IT, which refers to the digital products and services used for business that are not formally sanctioned or monitored by IT departments, exists in every kind of organization and certainly isn’t a new challenge for IT staff. Although these days employees aren’t waltzing down to the local computer store to buy off-the-shelf software, they are increasingly utilizing cloud-based services and unsecured mobile devices to conduct official business, including the storage and sharing of sensitive data.

If you’ve ever texted a business partner from your personal smartphone (seems to me I’ve read something about that in the national news lately…) or uploaded a corporate document to Dropbox or Google Drive, you may know what I’m talking about.

As plenty of others have stated, shadow IT is not inherently a bad thing – when employees find tools that fill some void or circumvent some snag in their workflow, they often boost their productivity and increase their satisfaction at work. Shadow IT is really a canary in the coal mine, indicating that some aspect of the corporate process just isn’t working; understandably, employees devise their own workarounds to work smarter (which is ultimately a good thing!).

But, of course, any technology used under the radar poses serious security risks for an organization. This is especially true in healthcare, where HIPAA safeguards place strict guidelines on the ways protected health information (PHI) can be used and stored. And unfortunately, individuals can’t always be trusted to follow best practices for security or compliance.

According to a 2016 survey by Scrypt, Inc., 78% of responding healthcare professionals have used mobile messaging at work, even though 52% believed (or weren’t sure) that mobile messaging was forbidden on the job. More unsettling, of the healthcare professionals who admitted to sending PHI over messaging, 70% used unsecured clients like iMessage or WhatsApp! The numbers don’t seem to be improving—a 2017 survey by Spok reported that 71% of hospitals do have some kind of BYOD policy, and yet 65% of doctors and 41% of nurses admitted that they have used personal mobile devices in ways that go against policy. What gives?

While it’s true that more healthcare organizations are adopting mobile strategies (90% of institutions surveyed in the U.S. and some western European countries either have or plan to implement one soon), many organizations remain skeptical of the security of existing Mobile Device Management (MDM) solutions and Bring Your Own Device (BYOD) policies. This leaves busy healthcare providers stuck between a rock and a hard place—wrestle with clunky communication systems, or dash off a quick text and move on to the next task?

Fortunately, there are some steps IT departments can take to better manage the use of unauthorized tech in the workplace.

What does your staff need?

  • Get out the shovel and dig. Find out what kinds of tools your employees are using and why. Are they looking for faster ways to share documents? Faster ways to communicate with coworkers or partner organizations? Are they using mobile apps that serve a specific purpose? In other words—what challenges are they facing when using authorized solutions, and why do they prefer to use apps and services outside of what is provided by the organization?
  • Trust, verify and improve. Once you have identified the needs of your employees, do some research into more secure (or more easily managed) alternatives. Perhaps implementing a HIPAA-compliant cloud-based file sharing service would cut down on the number of documents saved in unauthorized or unsecured locations, such as Dropbox or on USB flash drives. Perhaps you can identify a new MDM vendor that meets your organizational standards for information security, enabling your employees to have more officially sanctioned mobile access.

Where can you consolidate?

Conduct an assessment of your organization’s IT resources and take a fresh look at your inventory (and use this opportunity to update it while you’re at it). Are there products serving redundant purposes? Can clinical workflows be streamlined by consolidating the number of services available or by upgrading to new systems that combine the functionality of disparate systems already in use? You can learn a lot about employee behavior by conducting a thorough review and potentially save yourself time and money in the long run; after all, consolidating the number of services IT has to manage will enable IT to monitor and manage operations more efficiently.

What else can be done? Consider the following:

  1. Educate staff. What are you doing to ensure that employees understand HIPAA requirements for data security? Do employees fully understand the risks of using non-authorized apps and services, and do they know the consequences for HIPAA non-compliance? Do they know which services are not authorized and why?
  2. Implement clear purchasing and technology use policies. Departments should not authorize the purchase of network-connected devices, software, or cloud-based services without the knowledge and input of IT and the information security team. Establish clear policies for all technology purchasing decisions and licensing agreements.
  3. Consider a Cloud Access Security Broker (CASB). According to TechTarget, a CASB provides a layer of security and supervision between an organization’s on-premises infrastructure and a cloud provider’s infrastructure, serving as a gatekeeper for external connections and helping IT identify the use of unsanctioned cloud services.
  4. Place limits on employees’ ability to download software without authorization. This should be a given, but it bears repeating!
  5. Implement or upgrade an MDM solution.
  6. Don’t simply try to control; be an employee advocate. Shadow IT cannot be eliminated by ruling with an iron fist. Employees should feel that the IT department is on their side, seeking to understand their problems and working to deliver solutions. While it is important for IT to put certain restrictions in place, ultimately the best tactic for mitigating shadow IT is to build relationships with employees to keep communication channels open.

Implementing new solutions to combat shadow IT can take a lot of time, careful planning, and upfront investment, and it’s not easy for an IT department on a shoestring budget to meet every application or service request. But healthcare system leaders must consider the alternative: the costly risk of HIPAA non-compliance. Last year, the HHS Office for Civil Rights fined Memorial Healthcare System in Hollywood, FL, a whopping $5.5 million for violating HIPAA through the unauthorized exchange of PHI data. Children’s Medical Center in Dallas, TX, was fined $3.2 million for the theft of an unencrypted laptop containing patient data. Just last month, the New Jersey Attorney General and the state Division of Consumer Affairs announced that the Virtua Medical Group will pay a $418,000 fine for a misconfigured server that exposed PHI to the internet.

The cost of mishandling data under HIPAA is steep. Don’t let sensitive data hide in the shadows; when the whistleblowers turn on the lights, someone will be held accountable for the mess.

As for Shadow IT, embrace the opportunity to make your organization better. It could be the beginning of a beautiful friendship.