Shadow IT in healthcare: Risks & rewards

The term shadow IT describes any IT system used within an organization without the organization's knowledge or consent.

While shadow IT can help to improve workflows, it can also introduce security failings that may not be picked up until it's too late. According to a recent report by Gartner, it is estimated that by 2020 a third of successful attacks experienced by enterprises will be on their shadow IT resources.

For the healthcare industry in particular, shadow IT presents a significant threat because of the stringent rules on sharing protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). Sending, receiving and storing PHI on non-secure devices and applications significantly increases the risk of a data breach.

In our recent survey, Mobile messaging, security & HIPAA: A healthcare overview, 83% of healthcare professionals reported having sent or received PHI via mobile message, and of those, 70% admitted to having done so using a non-secure application, such as iMessage, WhatsApp, or their device's native messaging client.

While the majority of employees who use unauthorized tools and applications do so with no malicious intent – ease of use and familiarity being two primary drivers – in doing so they introduce security vulnerabilities: what IT departments and CIOs do not know will only serve to hurt the organization.

Despite the risks associated with shadow IT, it can also present opportunities. For example, if employees are found to be opting for one application over another, and efficiency is improving as a result, common sense suggests that the organization should consider bringing the favoured application into the approved IT network.

In order for this to happen successfully, IT departments and CIOs must be active in identifying, assessing, and managing shadow IT to ensure risks are kept to a minimum.

However, as with any security-related issue, prevention is always better than cure, and ensuring employees are educated about the risks of using unapproved, potentially non-secure tools should be the first step for any organization concerned about shadow IT. If employees are well versed in cybersecurity best practices and follow proper IT protocol, the chances of costly mistakes occurring can be significantly reduced.

With the widespread adoption of BYOD in healthcare environments, it is becoming increasingly difficult for CIOs to keep a lid on the numerous tools and applications employees use to carry out their jobs. Therefore, it is vital that organizations invest in tools that allow employees to carry out tasks securely and with maximum efficiency, whether in the office, at home, or in the field.