Don’t Let Shadow IT Jeopardize HIPAA Compliance

By Brad Spannbauer, senior director of product management, eFax Corporate.


When it comes to cybersecurity, healthcare organizations are up against a constantly shifting threat landscape. New technologies and techniques, employed by increasingly advanced criminals, require organizations to be proactive in their defense efforts, or they risk being outsmarted by those who seek to expose them. But security threats don’t just come from external sources; risks are just as prevalent within organizations. In fact, the latest edition of Verizon’s Data Breach Investigations Report found that healthcare is the only industry where insiders pose the greatest threat to sensitive data, with 58 percent of incidents coming from within.

Whether malicious in intent or the result of innocent mistakes by healthcare workers doing their best in a high-stress environment, a failure to recognize these risks and apply appropriate safeguards can have grave consequences for healthcare providers. For example, an IBM & Ponemon Institute study revealed that healthcare data breaches cost organizations $408 per record on average, which is more than three times the global average across all other industries. That may not seem like a lot of money, but multiplied by the thousands of records that could be contained on a stolen and unencrypted laptop, it adds up to a significant financial penalty.

Verizon’s DBIR data also revealed that of the data breach incidents involving unintentional mistakes from insiders, over half were caused by misdelivery. While the erroneous delivery of content, data, and documentation affects all industries, the implications for healthcare providers can be more severe than most due to legal obligations to safeguard medical information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). When sharing protected health information (PHI) with a colleague, patient or any other third party, there’s no room for error; even a single text message or email sent to the wrong recipient could become a HIPAA breach if it were to contain personally identifiable information about a patient.

When looking at the causes of insider-led data breaches, technology misuse is undoubtedly a contributing factor. From message misdeliveries to failing to secure movable physical devices such as smartphones, tablets and laptops, there are many ways individuals can compromise the security and privacy of sensitive information through connected tech when working in medical environments.

Technology and the risks of shadow IT

The term shadow IT refers to any hardware, software, or program within an organization that is not supported by the central IT department. According to a 2016 report by Gartner, a third of successful attacks experienced within enterprises by 2020 will be on shadow IT devices. To illustrate the extent of the shadow IT issue, Gartner’s research also found that more than 40 percent of organizational IT spend is allocated to shadow IT specifically.

Today, the concept has expanded to include mobile devices and the millions of applications that are readily available for free download. Everyday tools, such as email, calendars and mobile messaging applications like WhatsApp or Facebook Messenger, could all be considered examples of shadow IT if utilized for professional purposes, as could popular workflow tools, such as Dropbox or Evernote. People tend to use these applications because they are familiar, easy to use and allow for better productivity, but in downloading them without consent, new security and privacy risks are introduced.

After all, an IT organization can’t be expected to apply security controls to devices or applications it doesn’t know about. Not only do these applications present potential backdoors for cyber criminals, they also increase the risk of message misdelivery, data leakage and PHI exposure. While the tools mentioned above and others like them can be very useful when utilized alongside HIPAA-secure tools and applications, in isolation they are inherently risky because of a lack of security and privacy features.

For example, a lack of sufficient access controls offered by most everyday apps puts data at risk as anyone who comes into contact with a device could in theory gain access to sensitive information stored within them. Similarly, a lack of encryption means customer data could be intercepted and viewed at any stage of its journey between sender and recipient, or while at rest on non-secure servers. For an application or tool to be HIPAA compliant, and therefore suitable for healthcare use, it must meet all of the administrative, technical, and physical safeguards described in the regulations.

This includes a directive to encrypt PHI whether at rest or in motion, or suffer the consequences should a data breach of unencrypted data occur.

Staying productive … and compliant

The term shadow IT carries mainly negative connotations due to the security risks, but in most cases employees have no malicious intent when they decide to introduce unauthorized tools into their workflows. If, for example, staff are choosing to use one application over another, and productivity is improved as a result, then this isn’t all bad news, provided the actions do not violate HIPAA. IT departments and CIOs should learn from their employees’ shadow IT habits and, instead of simply banning all non-approved tools, actively seek out and support (within reason) popular tools that can provide improved efficiency, better mobility, and uncompromised security and privacy features.
