D'Arcy Gue

Shadow IT: Why Aren’t Hospitals Guarding Against This Risk?

April 29, 2016

HIPAA & Security | 3 minute read

Hospital employees know they are using unauthorized cloud apps, over 850 of them at the average hospital. Their bosses — maybe you — and IT departments don’t know this; in fact, that count is 15 times more than most IT leaders estimate are in use in-house.

Healthcare isn’t alone; some industries are experiencing over 20 times as many unauthorized cloud applications running daily in their workplaces. This rampant phenomenon is known as “shadow IT” or “stealth IT”: computer systems and solutions, often cloud-based, that are used within organizations without IT’s knowledge. Don’t assume these apps have been introduced only by rogue employees; many have been “carefully vetted” by department managers who simply want to use the best tools available to improve productivity. But shadow IT is fraught with security risks that must be addressed. If you aren’t going to ring the alarm, who will?

As I wrote earlier this week, the shadow IT phenomenon represents enormous data security risks for the healthcare world, especially now when cyber criminals are swiftly and surely utilizing an array of hacking techniques to gain access to valuable patient health information. In that last post, I quoted an excellent 2015 study by Skyhigh, a top security broker and researcher, to understand why useful and seemingly innocent cloud apps like Evernote, LinkedIn, Gmail, YouTube and Facebook are threatening your hospital’s security. To be fair, many of these apps and others are not intrinsically dangerous, but irresponsible usage of them is. On the other hand, other cloud apps ARE intrinsically dangerous.

In case Skyhigh doesn’t get your attention, maybe Cisco will. In its August 2015 study across various industries, it reported that “there is quite a bit that CIOs aren’t seeing. On average, CIOs surveyed estimated that there were 51 cloud services running within their organization. According to Cisco’s analysis, the actual number is 730.”

Shadow IT not only creates unknown security threats, but for the cost-conscious among you, it also is very wasteful, as employees in different departments purchase duplicative services for common processes like storage and collaboration.

How should CIOs handle shadow IT?

In an article in CIO.com, Bob Dimicco, global leader and founder of Cisco’s Cloud Consumption Service practice, says that if your IT department “can’t see these cloud services being consumed, they can’t see the risk that’s being incurred, [and] then can’t manage it.” His recommendation: “Rather than trying to stop it, I’m going to look at it and say this represents hybrid IT…It starts with discovering and identifying what’s being used, and then taking that data and applying it to an informed cloud strategy so the IT organization can be a broker.” He suggests that CIOs set up a catalog of approved cloud services that users can select from to speed up the provisioning process.

“It’s really clear, employees and lines of business have spoken — they want choice, they want greater speed and agility,” Dimicco says. I agree. In today’s world, this makes sense.

Let me offer one more piece of advice. If your organization goes the “broker” route suggested by Cisco, make sure it provides documented usage standards such as (surprise!) not recording PHI and proprietary business information — and provides associated training. A big benefit to this approach is that users will have no excuse to circumvent the rules, thereby lowering your organization’s overall security risks.
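The “discover and identify what’s being used” step Dimicco describes, together with the duplicated-spend point made earlier (several departments buying overlapping storage and collaboration tools), can be started from data the hospital already has: its web proxy logs. The following Python is an added example, not code from the original post or from Cisco or Skyhigh. It assumes a simple constructed log format (timestamp, user, department, URL), a hypothetical mapping of SaaS hostnames to service names and categories, and a hypothetical approved-services catalog of the kind the “broker” model would publish. It then reports which discovered services are outside the catalog, which departments use them, and which capability categories have more than one service in use.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy lines in an assumed "<timestamp> <user> <department> <url>" format.
SAMPLE_PROXY_LOG = """\
2016-04-29T08:01:12 jdoe nursing https://app.evernote.com/Home.action
2016-04-29T08:03:40 asmith billing https://www.dropbox.com/home
2016-04-29T08:05:02 jdoe nursing https://drive.google.com/drive/my-drive
2016-04-29T08:07:15 rlee radiology https://mail.google.com/mail/u/0/
2016-04-29T08:09:33 asmith billing https://slack.com/messages
2016-04-29T08:11:48 mchen pharmacy https://teams.microsoft.com/_
2016-04-29T08:12:05 rlee radiology https://www.dropbox.com/home
2016-04-29T08:14:21 mchen pharmacy https://intranet.example-hospital.org/portal
2016-04-29T08:15:09 jdoe nursing https://drive.google.com/drive/shared
"""

# Hypothetical mapping of SaaS hostnames to a service name and a capability category.
# A real deployment would draw this from a CASB feed or a maintained internal list.
KNOWN_SERVICES = {
    "app.evernote.com": ("Evernote", "notes"),
    "www.dropbox.com": ("Dropbox", "storage"),
    "drive.google.com": ("Google Drive", "storage"),
    "mail.google.com": ("Gmail", "email"),
    "slack.com": ("Slack", "collaboration"),
    "teams.microsoft.com": ("Microsoft Teams", "collaboration"),
}

# Hypothetical approved catalog, as the "broker" model would publish it.
APPROVED_SERVICES = {"Google Drive", "Microsoft Teams"}


def parse_proxy_log(text):
    """Return (user, department, hostname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, user, dept, url = parts
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host:
            records.append((user, dept, host))
    return records


def discover_services(records, known=KNOWN_SERVICES):
    """Map each recognised SaaS service to its category and the departments/users seen using it."""
    usage = defaultdict(lambda: {"category": None, "departments": set(), "users": set()})
    for user, dept, host in records:
        if host not in known:
            continue  # internal or unclassified host: nothing to inventory here
        name, category = known[host]
        entry = usage[name]
        entry["category"] = category
        entry["departments"].add(dept)
        entry["users"].add(user)
    return dict(usage)


def shadow_it_report(records, approved=APPROVED_SERVICES, known=KNOWN_SERVICES):
    """Split discovered services into sanctioned/unsanctioned and flag overlapping categories."""
    usage = discover_services(records, known)
    by_category = defaultdict(list)
    for name, entry in usage.items():
        by_category[entry["category"]].append(name)
    return {
        "sanctioned": sorted(n for n in usage if n in approved),
        "unsanctioned": sorted(n for n in usage if n not in approved),
        # Categories where departments are paying for more than one overlapping tool.
        "duplicate_categories": {
            cat: sorted(names) for cat, names in by_category.items() if len(names) > 1
        },
        "departments_per_service": {n: sorted(e["departments"]) for n, e in usage.items()},
    }


if __name__ == "__main__":
    report = shadow_it_report(parse_proxy_log(SAMPLE_PROXY_LOG))
    for name in report["unsanctioned"]:
        depts = ", ".join(report["departments_per_service"][name])
        print(f"unsanctioned: {name} (used by {depts})")
    for cat, names in report["duplicate_categories"].items():
        print(f"overlapping {cat} tools: {', '.join(names)}")
```

The output is an inventory, not a block list: the point of the broker approach is to take the unsanctioned list to the departments using those tools, find out what need they fill, and either add a vetted equivalent to the catalog or document why the tool is unsuitable for PHI. The duplicate-category view is what a cost-conscious CIO would bring to the same conversation.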
