Managing ‘Shadow IT’ Risks in Healthcare Settings
VA OIG Report Spotlights Some of the Challenges
A new report from a Veterans Affairs watchdog agency spotlights the risks and challenges that many healthcare organizations face with so-called “shadow IT.” The report examines a guest Wi-Fi network that was set up at a VA medical center in Florida without the full coordination with the VA’s office for information and technology that is meant to ensure such a network is secure.
Influence of the Cloud
Tom Walsh, managing partner and founder of the consulting firm tw-Security, notes that “shadow IT has always been a problem in healthcare, and with cloud-based applications/systems and software as a service, the number of shadow IT systems is growing and in most cases, unbeknownst to the CIO or director of IT.” The problem is often rooted in the distributed nature of healthcare delivery, Walsh notes.
“Traditionally, there have been certain departments that have system administrator control over their systems, even when the servers reside in the IT data center,” he says. These include, for example, pharmacy departments with their medication dispensing carts; radiology departments with their radiology information systems and PACS; laboratories with their laboratory information systems; and even human resources, he points out.
“The individuals responsible for the administration of these systems may not be a true ‘IT’ person by training and may not be aware of security requirements or regulations,” the consultant adds. “Often, the IT department only becomes aware of shadow IT systems when a call comes in, ‘I need an IP address,’ or when there is a problem, ‘I need your help with accessing this system’.”
Organizations need to do a better job of communicating the importance of coordinating with, and including, IT in any decision to purchase, lease or internally develop applications or systems, Walsh says. “Turf wars can sometimes interfere with what is in the best interests of the organization,” he notes.
Medical devices and IoT devices are also often among the shadow IT that falls outside the radar of health IT and security departments. Mark Dill, former information security officer at the Cleveland Clinic and a partner and principal consultant at tw-Security, says technologies such as network access control (NAC) can also aid efforts to protect networks from shadow IT and other unauthorized devices.
“NAC tools are designed to only allow authorized assets to connect to the private network once they meet the minimum security requirements for such things as the operating system level, patch level, correct configurations and antivirus software brand/version/update level,” he says.
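The two checks Dill describes, whether a device is a registered asset at all (the device that shows up only when someone asks IT for an IP address) and whether it meets a posture baseline (OS level, patch age, required configuration, antivirus product, version and signature age), can be expressed as a small admission policy. The following is an added example written for this article; it is not code from tw-Security or from any NAC vendor. The baseline values, the asset inventory, the product name “ExampleAV” and the three sample devices are all constructed for illustration.

```python
"""NAC-style admission check: is the asset registered, and does it meet the posture baseline?

Added example for illustration only; not any vendor's product. All data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Posture baseline (assumed values, not any real organization's standard).
BASELINE = {
    "min_os": {"Windows": "10.0.19045", "Ubuntu": "22.04"},
    "max_patch_age_days": 30,
    "required_config": {"disk_encryption": True, "host_firewall": True},
    "approved_av": {"ExampleAV": "7.2"},   # hypothetical product name -> minimum version
    "max_sig_age_days": 3,
}

# Asset inventory maintained by IT: MAC address -> owning department (constructed).
INVENTORY = {
    "aa:bb:cc:00:00:01": "IT - clinical workstations",
    "aa:bb:cc:00:00:02": "Radiology - PACS workstation",
}

@dataclass
class Posture:
    """What the endpoint agent or 802.1X supplicant reports at connect time."""
    mac: str
    os_name: str
    os_version: str
    last_patch: date
    config: dict
    av_product: Optional[str] = None
    av_version: Optional[str] = None
    av_sig_date: Optional[date] = None

def version_tuple(v: str) -> tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045); non-numeric components become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def at_least(have: str, want: str) -> bool:
    """True if version string `have` >= `want`, padding shorter versions with zeros."""
    a, b = version_tuple(have), version_tuple(want)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def evaluate(p: Posture, today: date, inventory=INVENTORY, baseline=BASELINE) -> tuple[str, list[str]]:
    """Return (vlan, reasons). Any failed check sends the device to quarantine."""
    reasons: list[str] = []
    if p.mac.lower() not in inventory:
        reasons.append("not in asset inventory (possible shadow IT)")
    min_os = baseline["min_os"].get(p.os_name)
    if min_os is None:
        reasons.append(f"unsupported OS {p.os_name}")
    elif not at_least(p.os_version, min_os):
        reasons.append(f"{p.os_name} {p.os_version} below minimum {min_os}")
    patch_age = (today - p.last_patch).days
    if patch_age > baseline["max_patch_age_days"]:
        reasons.append(f"last patched {patch_age} days ago")
    for key, want in baseline["required_config"].items():
        if p.config.get(key) != want:
            reasons.append(f"config {key} != {want}")
    want_av = baseline["approved_av"].get(p.av_product or "")
    if want_av is None:
        reasons.append(f"antivirus {p.av_product!r} not approved")
    else:
        if not at_least(p.av_version or "0", want_av):
            reasons.append(f"antivirus {p.av_product} {p.av_version} below minimum {want_av}")
        if p.av_sig_date is None or (today - p.av_sig_date).days > baseline["max_sig_age_days"]:
            reasons.append("antivirus signatures stale or unknown")
    return ("production" if not reasons else "quarantine", reasons)

# Constructed sample devices and a fixed "today" so the example is reproducible.
TODAY = date(2024, 6, 1)
OK_CONFIG = {"disk_encryption": True, "host_firewall": True}
DEVICES = [
    Posture("aa:bb:cc:00:00:01", "Windows", "10.0.19045", date(2024, 5, 20), OK_CONFIG,
            "ExampleAV", "7.2.1", date(2024, 5, 31)),                       # compliant, registered
    Posture("aa:bb:cc:00:00:99", "Windows", "6.3.9600", date(2023, 1, 10),
            {"disk_encryption": False}),                                    # unregistered cart, no AV
    Posture("aa:bb:cc:00:00:02", "Ubuntu", "22.04", date(2024, 5, 15), OK_CONFIG,
            "ExampleAV", "7.1", date(2024, 5, 20)),                         # registered but drifted
]

if __name__ == "__main__":
    for d in DEVICES:
        vlan, why = evaluate(d, TODAY)
        print(d.mac, "->", vlan, ("; ".join(why) if why else "all checks passed"))
```

Non-compliant and unregistered devices are placed on a quarantine VLAN rather than silently dropped, so the device can be identified and the owning department brought into IT’s process, which is the outcome the article argues for. A real deployment would take the inventory from a CMDB and the posture from an endpoint agent or 802.1X exchange, but the decision logic is the same.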
In addition, engaging an organization’s supply chain to flag “out of IT’s view” purchases can help, Dill says. “All new systems and acquisitions – and their vendors – should be vetted pre-purchase to help ensure that the hospital’s IT standards are being met or exceeded.”