Celo Blog

Shadow IT: Get rid of it now

Written by Jack Clough | Mar 3, 2022 11:54:12 PM

Author: Jack Clough, Celo Chief Growth Officer

 

Shadow IT / ˈʃæd oʊ aɪ tiː / – Software, applications or devices in the workplace, that are managed outside of, and without the knowledge of the company’s IT department.

 

Shadow IT has become an increasingly relevant issue in the last decade. The reason behind its rise to infamy is the surge of easy-to-use consumer tools on the market - that are valuable and have made their way into workplace environments, including in the healthcare industry. If left unmanaged, this poses serious data security threats and exposes organizations to potential fines and lawsuits.

 

Alarmingly, a growing number of healthcare organizations are turning a blind eye to the use of Shadow IT in the workplace, in order to maximize staff efficiency.

 

Whether intentionally allowed or not, Shadow IT creates many challenges for today’s CIOs, CTOs and IT professionals. Understanding the risks of Shadow IT within the healthcare space and strategies for managing this growing issue is vital for the longevity of the organizations and the wellbeing of the people they serve.

 

Risks Are Around Every Corner

 

Shadow IT is a liability to any organization or industry, but security and privacy are critical when dealing with Protected Health Information (PHI). Healthcare organizations are especially vulnerable without the proper protections that an official IT department can offer because they store PHI. 

 

Most IT specialists recognize that Shadow IT users exist because employees are not properly trained to understand their data security policies and the potential impacts of breaching these policies. While this is not untrue, the root cause of this issue is that these organizations do not have adequate tools to support their employees and thereby forcing them to use unauthorized consumer applications. For example, many clinicians use tools like iMessage, WhatsApp and SMS to discuss patient information because their workplace has not provided them with a secure messaging tool.

 

If this did not sound serious enough, Shadow IT also poses other risks, including:

 

HIPAA non-compliance

While HIPAA is great for protecting patient data and privacy, it is often difficult for organizations to comply with because of the ever-changing tech landscape. Since Shadow IT is unknown, unauthorized, and unmanaged, it is needless to say that organizations where Shadow IT is used are not HIPAA compliant.

 

Data breaches

Without oversight from the IT department, Shadow IT users are putting their patient’s data at risk for both data loss and leaks. With consumer tools commonly used in Shadow IT, a lot of the data is stored in an unencrypted state; therefore, anyone can access it. This data is also stored on the user’s device and not in a secure environment and cannot be backed up or recovered.

 

Goodbye Shadow IT

 

Here are two straightforward strategies to get started on eliminating the use of Shadow IT in your organization. 

 

Educate

IT departments need to educate organization-wide employees on the policies and procedures that must be followed to guarantee patient privacy, data security and HIPAA compliance. With more knowledge, staff will be more aware and cautious about using Shadow IT.

 

Support

In addition to educating employees, the IT department must work alongside them to battle the challenges habitually solved by Shadow IT. IT leadership needs to proactively look for ways to support their colleagues, rather than being a roadblock. 

 

However, these two strategies only scratch the surface for solving your Shadow IT problems. In order to solve the core issue - having a lack of authorized and easy to use tools to support employees - the IT department must provide the right solutions to meet the needs currently met by the use of Shadow IT. One of the most significant needs in healthcare, presently addressed by Shadow IT, is efficient communication amongst clinicians and other healthcare professionals. Consumer tools are simply not adequate for the healthcare environment, so HIPAA compliant messaging tools like Celo must be explored.