Shadow IT: The Achilles Heel of Growing Medical Practices

By Anita Sathe, Chief Strategy Officer, CoverHound & CyberPolicy
Twitter: @CoverHound
Twitter: @CyberPolicy_com

Cloud technology has done wonders for the healthcare industry. It has enabled medical professionals to get aspects of their jobs done more quickly, easily and flexibly, and it has allowed hospitals and private practices to scale their IT in an efficient, cost-effective manner. The cloud has also given patients the ability to instantly and continually access their personal health records and to communicate better with providers.

According to recent research from HIMSS Analytics and Level 3, 35% of healthcare provider organizations are already using the cloud for patient engagement and empowerment tools. What’s more, a MarketsandMarkets report found the global healthcare cloud computing market is expected to reach $9.48 billion by 2020. The rate at which cloud adoption is accelerating in the medical industry is undeniably impressive; however, it raises a crucial concern: can healthcare organizations maintain control of all the cloud-based applications employees introduce?

Shadow IT, or the concept of computer systems, applications or devices being used without explicit organizational knowledge or approval, is a common phenomenon amongst growing medical practices, and it can introduce serious cybersecurity concerns, especially given the sensitivity and rising black market value of patient health data. A nurse using their personal iPhone to communicate patient updates to a primary care physician via unencrypted iMessage may appear harmless, for instance, but such behavior can drastically increase the likelihood of a catastrophic data breach.

To protect your medical practice from the dangers of Shadow IT, particularly as your business scales, consider the following five best practices:

1. Scan your network.
To quickly identify any instances of Shadow IT, leverage vulnerability scanning technology to continuously monitor your network for new and unknown devices. Be sure to log where new devices are found on your network and what kind of devices they are. Also, compare your list of devices between scans to determine when new devices appear.
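The scan-to-scan comparison described above, as an added example that is not part of the original article: two constructed device inventories (the record layout, MAC addresses and subnets are assumptions, not output from any particular scanner) are compared by MAC to surface new, missing and relocated devices along with their type and where on the network they were seen.

```python
"""Diff successive network-discovery scans to surface unknown (Shadow IT) devices.
Added example with constructed sample data; a real deployment would feed in
its own scanner's export in place of BASELINE and FOLLOWUP."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str     # identity across scans (assumption: MAC is stable, not randomized)
    subnet: str  # where on the network the device was seen
    kind: str    # device type as reported by the scanner


# Constructed baseline scan (day 1) and follow-up scan (day 2).
BASELINE = [
    Device("00:1a:2b:00:00:01", "10.0.10.0/24", "workstation"),
    Device("00:1a:2b:00:00:02", "10.0.10.0/24", "printer"),
    Device("00:1a:2b:00:00:03", "10.0.20.0/24", "imaging-modality"),
]
FOLLOWUP = [
    Device("00:1a:2b:00:00:01", "10.0.10.0/24", "workstation"),
    Device("00:1a:2b:00:00:02", "10.0.10.0/24", "printer"),
    Device("00:1a:2b:00:00:03", "10.0.30.0/24", "imaging-modality"),  # moved subnet
    Device("aa:bb:cc:dd:ee:01", "10.0.10.0/24", "smartphone"),        # never seen before
]


def diff_scans(previous, current):
    """Compare two scans keyed by MAC; report new, missing and relocated devices."""
    prev = {d.mac: d for d in previous}
    cur = {d.mac: d for d in current}
    new = sorted((cur[m] for m in cur.keys() - prev.keys()), key=lambda d: d.mac)
    missing = sorted((prev[m] for m in prev.keys() - cur.keys()), key=lambda d: d.mac)
    moved = sorted(((prev[m], cur[m]) for m in prev.keys() & cur.keys()
                    if prev[m].subnet != cur[m].subnet), key=lambda p: p[0].mac)
    return {"new": new, "missing": missing, "moved": moved}


def report(result):
    """Render the diff as log lines recording device type and network location."""
    lines = [f"NEW     {d.mac} {d.kind:<18} on {d.subnet}" for d in result["new"]]
    lines += [f"MISSING {d.mac} {d.kind:<18} last seen {d.subnet}" for d in result["missing"]]
    lines += [f"MOVED   {c.mac} {c.kind:<18} {o.subnet} -> {c.subnet}"
              for o, c in result["moved"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_scans(BASELINE, FOLLOWUP))))
```

Append each run's report lines to a dated log so the history of where and when unknown devices first appeared is preserved between scans.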

2. Evaluate risk and restrictions.
Not all cloud apps or services used without organizational approval are bad. Take the time to determine which solutions pose the highest risk to your business and address those first by blocking them via existing infrastructure firewalls and/or restricting user access. Be sure to clearly state in your IT policy which cloud apps or services are forbidden and explain why so your employees don’t feel unjustly blocked and circumvent the rules.

3. Publish a list of approved apps.
Attempting to completely shut down Shadow IT isn’t realistic, nor is it helpful to your business. Compromise by creating and sharing a list of approved cloud applications and services that employees are allowed to download and use on their own. Also, consider putting processes into place that allow your IT team to quickly approve/disapprove new applications that employees express interest in.

4. Communicate regularly.
One approach to combatting Shadow IT is to simply identify the traffic to and from any third-party cloud solutions and block those users. This technique requires ample resources, however, and it’s still not a guaranteed solution. Instead, hold brief sessions with your employees to discuss Shadow IT on a regular basis. Encourage employees to share which apps or services they’re using and why they feel they need them, without fear of retribution.

5. Get cyber insurance.
Cyber insurance is an important, final step for comprehensive Shadow IT protection, especially given the significant financial demands many medical practices face as a result of data breaches. For growing medical practices in particular, it’s crucial to look for plans that cover the cost of any fine or penalty imposed under state or federal law such as HIPAA and HITECH, as penalties for data breaches have drastically increased under these guidelines, often leading to million-dollar fines and/or expensive lawsuits. Also, seek out coverage options that offer first-party insurance (which covers losses to your business that occur as a result of a breach) as well as third-party insurance (which covers losses suffered by third parties, such as patients and vendors, in the event that you unintentionally fail to protect third parties’ sensitive information).

Now more than ever, professionals are able to completely bypass their IT departments and procure the cloud solutions they want or need. It’s worth noting, however, that Shadow IT isn’t necessarily a result of employees wanting to subvert authority. Rather, Shadow IT is about busy professionals wanting access to the best tools available so they can do their jobs more effectively and efficiently.

To protect your growing medical practice while also supporting employee productivity, regularly discuss the risk factors Shadow IT can introduce and work with your staff to govern the plethora of cloud-based apps and services already in use. Leverage technology to continually scan your network for any unknown tools or devices, and protect your most valuable assets across a variety of platforms and hardware with cyber insurance that’s customized to your specific business needs.