Skip to content

Shadow IT in Healthcare Organizations

Shadow IT in Healthcare Organizations

Healthcare organizations and pharmaceutical companies rest on a foundation of sensitive patient data and intellectual property.

Healthcare entities in the private sector – especially those affiliated with academic medical centers and university research facilities – also commonly face challenges of identifying and reining in shadow IT and mitigating the security risks posed by technology deployments that aren’t formally sanctioned or managed by the healthcare organization’s IT or security team.

  • Every country has a healthcare infrastructure with patient data
  • Health care information has the most complete dataset
  • Digital health records are dispersed and sometimes unmanaged over time
  • Healthcare organizations have a significant legacy infrastructure which makes modernizing technology complex and often-times slow

Shadow IT is a primary concern for CIOs in all industries, but it carries a special importance in healthcare owing to the sensitivity of the data involved. Moreover, much of the information contained in health records is unalterable, and, taken in composite, makes for a remarkably full profile that criminals can put to use for all manner of fraudulent ends.

“It’s a social engineer’s dream,” says Mark Sander, a health IT veteran who co-founded the North Jersey CIO Roundtable. “You can change your driver’s license information. You can change your banking information. How do you change your biometric data? You can’t.”

Implementing new solutions to combat shadow IT can take a lot of time, careful planning, and upfront investment, and it’s not easy for an IT department on a shoestring budget to meet every application or service request. But healthcare system leaders must consider the alternative.

Last year, the HHS Office for Civil Rights fined Memorial Healthcare System in Hollywood, FL a whopping $5.5 million for violating HIPAA through the unauthorized exchange of PHI data.

Children’s Medical Center in Dallas, TX was fined $3.2 million for the theft of an unencrypted laptop containing patient data.

The New Jersey Attorney General and the state Division of Consumer Affairs announced that the Virtua Medical Group will pay a $418,000 fine for a misconfigured server that exposed PHI to the internet.

The cost of mishandling data under HIPAA is steep. Don’t let sensitive data hidden in the shadows. As for Shadow IT, embrace the opportunity to make your organization better. It could be the beginning of a beautiful friendship.

Critical Steps To Control The Risks Of Shadow IT In Healthcare Organizations:

  • Organizations need to communicate to their staff their policies regarding the use of “Shadow IT” such as software-as-a-service,infrastructure-as-a-service, personal mobile devices connecting to their networks
  • Employee education is the most prominent step organizations can take to protect the network from shadow IT, however, adopting and developing tools to address employee needs is just as important.
  • Conduct an automated and manual discovery sweep to uncover all of the non-approved domains and applications currently being purchased or Implemented within your organization.
  • Continuous monitoring of Shadow IT and analyzing their digital presence will help  Healthcare Organizations to keep themselves on the track of their IT.

Sources :