When it comes to the spread of shadow IT, you might think the healthcare industry has it under control. Healthcare information security regulations are strict, compliance violations often carry heavy penalties, and data breaches can cost healthcare providers their reputations. In such an environment, it may seem unthinkable that a healthcare provider would adopt a cloud application without the IT department's knowledge or approval. Unfortunately, it does happen. Here are some surprising facts about how shadow IT affects healthcare information security.
Little lapses can cause big problems
Want to know where shadow IT can cause the biggest healthcare information security headaches? Messaging and email, according to CITEWorld’s Ryan Faas. “Where protected health information is entered on a personal device that is not properly secured, or communicated via unsecure messaging methods like text or unencrypted email, HIPAA violations can become a real threat,” Faas wrote.
Just how prevalent is work-related texting among healthcare providers? More than half of physicians have sent or received texts about work on personal devices, according to a study Faas cited. Meanwhile, only 11 percent of the surveyed physicians use a secure messaging solution provided by their organizations, and fewer than half of them "acknowledged concerns about protecting patient privacy while texting." Most alarming of all, "about a third (30%) admitted that they had received protected health information about a patient via a text message." All of this unsecured texting adds up to major risks to healthcare information security and regulatory compliance.
Shadow IT can cost millions
Speaking of regulatory compliance, just how costly can a shadow IT-related compliance violation be? For New York-Presbyterian Hospital and Columbia University Medical Center, the answer was $4.8 million, paid to settle HIPAA violations.
It began when a Columbia University physician connected a personally owned server to the hospital network. When the physician later tried to deactivate the server, the lack of technical safeguards left the ePHI of 6,800 patients accessible on internet search engines. Even more embarrassingly, the breach came to light only when the hospitals received a complaint from someone who had found the ePHI of their deceased partner, a former patient, online.
New York-Presbyterian Hospital and Columbia University Medical Center aren't the only healthcare providers to have paid heavily for healthcare information security lapses. Concentra Health Services and the Arkansas-based QCA Health Plan paid a combined total of almost $2 million earlier this year after an unencrypted laptop containing ePHI was stolen from each organization.
The cloud could be the answer, not the problem
Clearly, healthcare providers need ways to get their shadow IT under control and to secure the protected patient information they handle. This leads us to our last surprising fact: the cloud, far from being an additional source of vulnerabilities and compliance hazards, could very well be the answer to the healthcare information security dilemma.
Why? It's simpler than you think. A properly secured cloud platform for storing, sharing, and handling ePHI and other healthcare data provides a single, central point of access. Centralization gives IT better visibility, monitoring, and control, and it reduces the likelihood that workers will resort to storing or sharing sensitive information with their own devices or applications. The catch is adoption: the 11 percent secure-messaging figure above shows that a sanctioned tool only removes shadow IT if it is at least as convenient as the text message or personal device it is meant to replace. Pairing a centralized cloud platform with robust cloud data encryption then lets healthcare providers reach the information and tools they need, when and where they need them, without sacrificing data security or regulatory compliance.