
Avoiding "shadow IT" in the healthcare space

Date: 05.09.2023

The rise of personalization affects every industry differently, with one underlying similarity: a curated, customized user experience. Hotels customize guest stays according to past stays. Retailers send customers recommendations based on their purchase history. Banks create automated financial roadmaps based on your spending habits, savings plans, and future goals.

Personalization, and digitalization, are even more important concepts in healthcare. The right technology can help reduce wait times, improve care accuracy, and relieve clinical burnout.

However, that same reliance on technology creates new data safety and security concerns. That’s why we implement security protocols that keep patient information private during both data collection and clinical analysis.

Shadow IT — hardware or software use without the knowledge of an IT department — represents one of these concerns.

What is shadow IT?

Shadow IT, the use of technology without prior IT approval, can quickly threaten operations and compliance.

Healthcare workers often have noble reasons to begin using non-approved technology. Some might feel they’ve found ways to further improve their own efficiency. Others might feel as though approved technology is inferior or creates more problems than it solves. Despite perceived productivity benefits, shadow IT poses a significant risk to a company’s security, particularly in the healthcare sector.

Shadow IT can contribute directly to a data breach, an increasingly common occurrence among health technology organizations. Organizations like Tricare, Trinity Health, Community Health Systems, and UCLA Health have all been victims of data breaches that exposed patient data such as dates of birth, lab results, email addresses, and claims information. An astounding 90% of healthcare organizations face at least one security breach each year. 70% of hospitals saw longer patient stays and other care delays because of ransomware attacks alone.

Healthcare and health technology organizations are also subject to strict regulations, including HIPAA — regulations that shadow IT will circumvent or entirely ignore. These regulations govern data storage, access, and transmission. Non-compliance can compromise data security and generate fines that start at $50,000 per violation. Non-compliance costs each violating organization an estimated $14.82 million, or $9.35 million more than the cost of compliance.

One of the greatest shadow-IT-related challenges is the lack of visibility it creates. Health IT organizations prioritize hardware and software programs that maintain high levels of transparency. When health employees depend on shadow IT over company-approved programs, they compromise IT’s ability to monitor and protect company systems. And when those systems include patient data, employees can quickly compromise personal security and the security of every patient’s data stored on their device.

Listen & explain: a two-part approach to wrangling shadow IT in a clinical setting

Eliminating shadow IT often creates a natural hesitancy among members of the healthcare field. Many employees prefer familiar devices and systems, even if that means operating outside of their IT department’s approved systems. Other employees are understandably hesitant to grant even more access to their files.

Consideration and explanation represent a two-part approach to handling these and other concerns.

Clearly defined policies leave little room for inadvertent shadow IT. Create policies that outline approved technologies and approved usage habits. Clearly identify the benefits of using approved programs and the consequences of knowingly contributing to shadow IT – consequences for healthcare professionals and for patients whose data could become compromised.

Employees often turn to shadow IT only because they feel they don’t have the tools they need to complete tasks. If employees are to be told which devices and software to use, they deserve some say in determining which programs are included. IT departments should earnestly consider employee concerns and provide resources for common responsibilities, including secure file sharing, electronic health record (EHR) management, and internal communication.

Protecting patient data integrity from day one

Prevention is the best strategy to neutralize shadow IT. That process typically requires a strong combination of manpower, funding, working hours, and employee compliance.

The average hospital dedicates three full-time employees, and more than 500 hours per month, to risk assessment activities. This includes risk identification and analysis, full evaluations, and ongoing risk monitoring and review. That’s a considerable investment of time and resources – more than $24 billion across the industry. For many hospitals, it’s still not enough to ensure full compliance with each of their 1,300+ health vendors. Barely 25% of hospitals conduct vendor assessments for each partner.

This burden highlights the need for single solutions with multiple use cases. This solution would greatly reduce security risks with fewer vendor endpoints, leaving less patient data “out in the open.” It should also satisfy providers’ needs by integrating patient data straight into the EHR, eliminating the need for supplementary shadow IT.

Validic provides that functionality. It gathers and makes patient data immediately available to clinicians, without any new sign-ons or shadow IT to manage.

If you’re interested in learning more, please reach out to

Stay updated with Validic in 2023 by following us on Twitter and LinkedIn.
