Risks of Shadow IT in Healthcare and How to Identify it in Your Organization
For the last several years, shadow IT has been a hot topic among IT professionals—and with good reason. Internal purchases and downloads happening without the knowledge or approval of the IT department is no longer just a trend; it is a fact.
Gartner studies have found that shadow IT makes up 30 to 40 percent of IT spending in large enterprises, and research from Everest Group finds it comprises a whopping 50 percent. 
Even more interesting, a growing number of organizations are allowing shadow IT intentionally to gain competitive advantages. According to the 2019 Harvey Nash/KPMG CIO Survey, 63 percent of organizations now allow technology to be managed outside the IT department. 
Whether intentionally allowed or not, shadow IT creates a host of challenges and headaches for today’s CIOs and IT professionals. If not tracked or managed properly, shadow IT can pose significant security and financial threats to healthcare organizations and the people they serve. This article will look at the risks of shadow IT within the healthcare space, how IT leadership can identify it, and strategies for managing this growing issue for the benefit of the entire organization.
Shadow IT can pose a threat to any organization and industry, but when it comes to handling protected healthcare information (PHI), security and privacy are major concerns. Without the layer of protection an IT department offers, healthcare organizations—and the PHI they store—are extremely vulnerable. In fact, a Black Book report lists cybersecurity as a top IT concern among healthcare organizations, especially as they continue to adopt cloud technologies.
In some cases, shadow IT users may not be trained to understand the tools and policies that are in place to guarantee security and privacy. This can be something as simple as ensuring that the system has a password reset policy. However, when left unchecked, even a simple oversight can have detrimental consequences. If a zero-day exploit occurs, for example, IT departments can’t patch hidden systems or assets, leaving these systems open to errors and vulnerabilities. This makes worst-case scenarios like legal declarations of breach a real threat.
Shadow IT can present other business risks as well, including:
- Non-compliance. Training the IT department to meet healthcare regulations is hard enough. In fact, healthcare organizations often bring in third-party vendors to help safeguard their data for this very reason. No IT leader can afford to risk the time, cost, or legal implications of failed audits.
- Data loss. There is no guarantee that shadow IT users are thinking about backing up their data nor understand how to back it up. Without the help and oversight of the IT department, organizations increase the risk—and cost—of losing critical and sensitive data.
- Financial liabilities. When IT leadership is unable to control or oversee the usage of systems, IT costs can skyrocket. Shadow IT users may not take into consideration how to provision services cost effectively. When left unmanaged, cloud costs and spending can quickly become an issue for IT budgets.
Identifying Shadow IT
One of the most challenging aspects of shadow IT is that it is hard to identify. As use of the public cloud continues to increase at exponential rates, tracking and managing shadow IT is becoming even more difficult . Now more than ever, employees can easily bypass IT, go straight to the cloud, and spin up whatever resources they need for their critical projects.
As a result, IT leadership doesn’t usually have an accurate picture of how much shadow IT is happening within their organization. In one Cisco survey, CIOs estimated that their organizations were running 51 cloud services. However, based on Cisco’s analysis, they were actually each running closer to 730 cloud services. Even in highly regulated industries—including healthcare—Cisco found that between 17 and 20 times more cloud applications were running in companies than their IT departments had estimated. 
But there’s good news. There are several technology solutions available that IT departments can use to better manage shadow IT. While limited in scope, these tools allow IT departments to scan for assets within their environment, whether they are using a private cloud, a data center, or a public cloud. Although IT may not be able to tag or determine who owns those assets, these tools can help provide a big-picture assessment of where the shadow IT lives so the IT team can do further research.
Unfortunately, a lot of shadow IT users will intentionally use different accounts or will avoid using the same public cloud accounts in order to stay hidden. To address those users, IT leadership can take a more traditional approach and build cost controls around their actual IT spend. In these cases, each department has a budget for its overall project spend and is essentially getting charged back for all of those spends. This allows CIOs and controllers to monitor why certain projects may be over budget and whether or not shadow IT played a role in any increases.
De-Risking Your Organization
While it is important for IT leaders to identify and manage shadow IT as much as possible, the reality is that some business leaders will continue to bypass IT intentionally. From their perspective, shadow IT saves time, improves agility, and allows developers and other users the freedom to innovate without the hold-up of IT approval. Instead of waiting weeks to get clearance for a new server or software solution, users get what they need in minutes. Within the healthcare world, this could mean anything from pushing a clinical trial through faster to more quickly performing a big data analysis of large patient workloads.
Oftentimes, these benefits are valid, and many would argue that shadow IT can actually be strategic.
The key is for IT leaders to put de-risking procedures in place that support their organization’s competitive goals without compromising security and privacy.
The following are a few strategies for CIOs and IT managers to move toward de-risking their healthcare organization from shadow IT:
- Communicate critical IT policies and procedures. Because shadow IT will likely always be around, it is important for IT leaders to publish and communicate broadly the controls, tools, policies, and standards that must be followed to guarantee privacy, security, and compliance. This will ensure that departments have been fully informed and, therefore, are expected to use specific security and compliance tools inside their environments.
- Be a partner, not a blocker. In some companies, the IT department is seen as a hurdle that slows everything down, which is a top reason shadow IT exists. To overcome this, IT leaders can change traditional dynamics by working alongside departments to understand the problem or healthcare challenge they are trying to solve and then prioritizing steps accordingly. Instead of holding up a project, IT can position itself as partner in helping teams accomplish their goal while still fulfilling IT policies and responsibilities.
- Consider allowing some shadow IT. For healthcare organizations that are focused on innovation and speed to market, consider allowing shadow IT in non-PHI workloads. For example, development test environments where a department needs to run something for an hour, a day, or a week could be good candidates. This not only allows for innovation and agility within that department, it also frees up IT to perform other tasks.
- Set a time limit on shadow IT. In cases when shadow IT is allowed, those resources should, at some point, fall back into the hands of IT so that all systems and vulnerabilities are accounted for and closed out appropriately. At the very least, shadow resources should be tracked within a centralized managed database platform so the IT department knows what’s going on in case of an emergency.
- Consider partnering with experts to oversee PHI. To protect sensitive data fully, healthcare organizations may want to consider bringing in a third-party expert like ClearDATA to help ensure security, privacy, and compliance. This extra layer of protection provides an efficient way for organizations to safeguard PHI and free up their IT resources for other tasks, including managing shadow IT activities.
Successful and Secure
Market data continues to show that the days of IT having full control over the infrastructure and tech spending within an organization are over. As cloud technologies and SaaS become more commonplace across healthcare organizations, shadow IT will also become more commonplace. This leaves CIOs and IT leaders no other choice than to embrace change and be proactive. By strategically de-risking their organization, IT leaders can still enable flexibility, innovation, and competitive advantage without sacrificing the security of their healthcare organization.
 “How to eliminate enterprise shadow It,” CIO, April 2017. https://www.cio.com/article/3188726/how-to-eliminate-enterprise-shadow-it.html?nsdr=true
 “2019 Harvey Nash/KPMG CIO Survey: A Changing Perspective,” June 2019. https://www.hnkpmgciosurvey.com/
 “Emerging Trends Reshaping Healthcare Technology Support, Black Book Research,” December 2018. https://www.newswire.com/news/emerging-trends-reshaping-healthcare-technology-support-black-book-20707682
 “Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019.” 2 April 2019. https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g
 “The biggest risks of shadow IT, and three steps to control it,” ITProPortal, September 2018. https://www.itproportal.com/features/the-biggest-risks-of-shadow-it-and-three-steps-to-control-it/