By D’Arcy Gue, VP, Industry Relations, Phoenix Health Systems
Twitter: @PhoenixHealthIT
Twitter: @DarcyGue
Shadow IT is a concern for nearly 90% of organizations responding in a new HDI research report about unauthorized cloud app use and its impact. As I reported in a post last year, the average healthcare organization uses an astounding 928 cloud services, but their IT departments reported knowing about just 60 cloud services on average. Employees bring cloud services into their work places for increased productivity, usually without the knowledge of IT, sometimes creating serious security risks. There is no one better positioned than the IT support center to help manage the use of shadow IT and mitigate the risks to your hospital. How?
Shadow services vary from collaboration tools such as Gmail and Evernote, to content sharing services like YouTube and LiveLeak, to social media (Facebook, Twitter, LinkedIn), to file sharing such as Google Drive, Dropbox, to team / project management services like Asana and BaseCamp. According to a Skyhigh study: “The average healthcare employee uses 26 distinct cloud services including 8 collaboration services, 4 file-sharing services, 4 social media services and 4 content sharing services.” Many of these apps and others are not intrinsically dangerous, but irresponsible usage of them is, such as storing or sharing HIPAA-protected patient information. One danger among many is that cyber criminals monitor cloud services that healthcare employees frequent in order to target their organizations for data theft.
Aside from the direct risk caused by misuse, there are other reasons why shadow IT might cause problems for IT departments. One is poor controls and management, including compliance: IT staff can’t oversee or provide guidelines for applications they don’t know about. Storage and transmission of sensitive data cannot be monitored and accounted for. Another issue relates to configuration management across the organization. For example, If a non-authorized tool uses Java or requires a certain plug-in or browser version, these requirements could conflict with the organization’s IT services or applications.
How can your service desk staff help to manage these risks? Per HDI, the leading association of IT support technicians, over 15% of service trouble tickets received are for problems with unauthorized apps. Also, nearly 40% of respondents said that they know of shadow IT tools in use because of word of mouth. This suggests that many users are happy to talk about them (perhaps because they don’t know the applicantions are unauthorized). It’s pretty clear that if so many of the HDI survey respondents know how prevalent shadow IT is in their organization, many are not trying to abolish it, probably because enforcement would be essentially impossible.
But service desk leadership can take steps to manage the use of shadow IT.
In an article in CIO.com, Bob Dimicco, global leader and founder of Cisco’s Cloud Consumption Service practice recommends “Rather than trying to stop [shadow IT], I’m going to look at it and say this represents hybrid IT…It starts with discovering and identifying what’s being used, and then taking that data and applying it to an informed cloud strategy so the IT organization can be a broker.” In other words, be realistic, acknowledge an IT environment that likely includes hundreds more cloud applications than IT has provided or even knows about, and work with it.
Here’s where the IT support center can make an important contribution. Your service staff is engaged with users every day in their role of trouble shooting, and knows them. If the department is following best practices, the service and support leaders should be meeting regularly (preferably weekly) with user representatives to deliver updates and metrics, check for SLA issues, and review new problem trends. To address risks related to shadow IT, these regular conversations should include questions that may clarify usage of non-IT sanctioned software and the needs that have generated this usage. Service desk leaders should regularly ask:
- Is there anything you need that you’re not currently receiving in the way of services or applications?
- Are there any services or applications you’re obtaining elsewhere that we should know about?
- If so, what is their value to you?
- If so, how can we work together to ensure these applications are used securely, or to replace them with more secure and similarly beneficial tools?
AS HDI points out, it is critical that these questions are asked in a nonthreatening manner, and that a foundation of trust is built between users and the support center, if one doesn’t already exist.
Going the route of working with shadow IT users instead of against them will benefit the IT department and the entire organization if it results in:
- Development of appropriate policies that support security requirements, business goals and efficiencies.
- Central replacement of risky shadow applications where appropriate.
- Realization of potential cost savings where different departments may have overlapping subscriptions to SAAS tools which can be centrally consolidated.
- Acknowledgement that new applications may help the organization do its job, that the IT staff is not in a position to understand every work group’s needs and discover every solution, and that realistic discussions on the subject can be of mutual benefit.
- Development of an overall atmosphere of trust between the IT department and the hospital’s staff.
“It’s really clear, employees and lines of business have spoken — they want choice, they want greater speed and agility,” Dimicco says. A respondent to the HDI survey commented, shadow IT usage “typically indicates a need we’ve overlooked, not been made aware of, or not provided sufficient training to the field on what’s available. Discouraging or ignoring shadow IT creates the potential that we will miss out on improvement in our services.”
We all see everyday that the evolution of computerized applications seems to be moving at warp speed. IT departments cannot keep up with the vast array of groundbreaking new tools that can provide specialized user groups needed strengths in productivity. Independent adoption of these tools can present security and other risks, and the IT department must manage them. Let your service desk leadership help.
This article was originally published on Phoenix Health Systems and is republished here with permission.