Shadow IT: A Risk Proposition in Healthcare

Health IT Creates Great Opportunities But Potential Danger Too

By Matt Fisher, Esq
Twitter: @matt_r_fisher

The increasing use of technology in all aspects of healthcare creates many great opportunities as well as potential dangers. Technology may open new avenues of care and facilitate the easier sharing of information among all providers participating in a patient’s care. However, the same technology also presents the potential for sensitive healthcare information to be inappropriately accessed or exposed to public access, thus undermining the trust inherent in a provider-patient relationship.

Technology in healthcare can come in a number of forms too. One common form is electronic health records (“EHR”) or electronic medical records. Adoption of EHRs has been driven by government incentive payments. The incentive payments subsidized, to an extent, the cost of acquiring and implementing the EHR for healthcare providers. However, the rush to implement in order to take advantage of incentive payments resulted in systems that did not necessarily meet the needs of providers or take their preferences into consideration.

Shadow IT is one aspect of information technology that poses a significant amount of risk in the healthcare setting. What is “shadow IT” though? As explained in a recent article by Ryan Faas, shadow IT arises when employees or other workers are dissatisfied with the available technology offerings and turn to their own solutions. For example, an employee could use their own electronic device or cobble a solution together using a combination of a personal device, applications they find and cloud services. The key element is that the organization does not know what the individual is using or how those devices, applications or services are interacting with the organization’s systems.

In Mr. Faas’s article, he identifies messaging as the biggest shadow IT issue in healthcare. The issue arises where a provider sends a message via text, personal email or other unsecure means. As those of you who are familiar with HIPAA will appreciate, out-of-control messaging should raise an eyebrow. Sending messages that are not secure raises significant risks because the organization has no idea where information is being sent, the message can easily go astray, or any number of other issues may arise.

Mr. Faas’s article also identified another issue that interviewees described as shadow IT, namely the complete avoidance of technology. Instead of entering information into an EHR or using other available technology, some people are shunning IT altogether. Aside from the questions this could raise about efficiency, there is again the opportunity for information to be lost and the need to securely store paper records. The problem of not meeting meaningful use requirements will not be discussed here, but do not forget that it exists too.

Overall, shadow IT should be an area of concern for healthcare organizations. In case readers do not remember, the Office for Civil Rights imposed a $4.8 million fine on New York-Presbyterian Hospital and Columbia University for a breach caused by a physician attempting to scrub his personal server that was connected to their systems. Instead of clearing his data, the physician caused PHI to be uploaded and indexed in Google.

The settlement highlights the dangers presented by shadow IT. One individual can very easily create exposure in what may otherwise be a secure system. What can be done to address the concerns?

First, educate individuals about what constitutes shadow IT and how it can pose a risk to an organization. Knowledge is usually one of the initial steps in being able to quantify and contain a potential problem. If individuals do not know that the use of personal devices is not a good idea, then how can they be expected to act in accordance with the organization’s wishes? Education should likely begin with defining what shadow IT means. In my personal view, I try to follow this area, and Mr. Faas’s article was the first time the phrase appeared to me. Different organizations may call it by different names, but it needs to be explained clearly and with examples.

Once education is complete, and likely in conjunction with it, an organization should also adopt a policy for bring your own device (“BYOD”) and cloud services. Without a clear BYOD policy, an organization may have difficulty holding individuals to a set standard. With a policy in place, specific actions can be directed. A policy can also serve as a permanent reminder of why shadow IT is a problem and the risks that it creates for an organization.

On the flip side, an organization may want to consider asking employees why they would turn to an outside solution. Identifying and resolving problems with an organization’s IT systems is arguably one of the best things to do. For example, EHRs are often implemented without physician or provider input, which can lead to frustration. However, if the provider is given the opportunity to influence how the system works, then it can produce better results for everyone. From this perspective, while shadow IT is a security and privacy risk, it may lead to innovation and an overall better system going forward.

This is only a very barebones overview of shadow IT issues, but it should help to explain why it is an issue and what may be done to address it. As suggested, educating, developing a policy and opening dialogues are all good options. The issue should not be ignored; instead, getting to the root of the problem can be better for all involved.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.