Healthcare providers need great tools that facilitate their work and empower them. IT teams need to stay ahead of risk to their organizations; this includes all forms of system resilience, especially security risk. Leadership needs cost-effective solutions and reliable systems. To this end, healthcare IT departments have oversight of all software used in their institutions. They are charged with protecting patient data, efficient use of resources, and the overall security of computer systems; therefore, they review and approve every piece of software used. Sometimes employees find the approved software to be inadequate or prefer using solutions not provided by the institution. The use of unauthorized software without disclosure is known as "shadow IT". What are effective ways of addressing shadow IT?
Some healthcare employees may not know what a security risk shadow IT is or the HIPAA policies they are violating. For example, one common use of shadow IT is communication. Providers looking for a more efficient way to share patient health information amongst themselves could be using their personal device for messaging. It seems like a pragmatic and reasonable solution, but in reality, this is an insecure method and highly vulnerable to a data breach. How can these instances be addressed?
Many times it is the lack of a good clear process towards getting a better solution implemented. Any large organization has many rules and processes, and it is hard to be aware of the relevant steps. A solution-seeking provider may not know where to go to get the software approved. Is it an IT committee? The IT department itself? The CTO? Having a defined and published process with a clear entry point gives the progress-oriented people on the front lines a path to work within the institution's guidelines. A step beyond this is to develop an innovation committee. All approaches should show appreciation for the inclination toward improvement and steer creative souls into constructive, informed steps in partnership with IT.
Maybe you are an IT team member reading this thinking "We have a process. We still have this problem." This is an indication that a process audit would be helpful. Can you view the steps from the perspective of a healthcare provider in your organization? What are the steps to discovery? How do they become learn how to work with you? Is the process time-consuming or confusing? Can it be more clear or streamlined? Are innovators encouraged? Discouraged? Punished, even?
Shadow IT may not be any single department’s fault. Conflicting interests between leadership, IT, and the providers can cause the adoption process to be slow and painful, leading to more shadow IT. Creating and refining a collaborative and encouraging process will go a long way to reducing shadow IT, increasing security, and encouraging innovation.