Why Is Shadow IT So Common in Healthcare?VA Watchdog Agency Report Cites Unauthorized Patient Database
The unauthorized deployment of an unsecured patient database is the latest instance of "shadow IT" spotlighted by a Department of Veterans Affair's watchdog agency. The incident serves as a reminder to healthcare entities about the risks to patient data posed by unsanctioned technology deployments.
In a recent report, the VA Office of Inspector General says an investigation into anonymous complaints filed back in July 2015 confirmed an unauthorized Microsoft Access database hosting sensitive personal information of veterans was operating at the VA Long Beach Healthcare System.
The OIG says it substantiated allegations that the unauthorized database hosted sensitive data and all of the Veterans Health Administration's 24 Spinal Cord Injury Centers had access to the database through a SharePoint intranet portal. In addition, the OIG confirmed the anonymous complaints stating that unsecured sensitive personal information was stored on a server outside of VA's protected network environment.
"Creating an unencrypted Microsoft Access database and populating the database with veteran SPI [sensitive personal information] created significant risks for potential disclosure of SPI to unauthorized personnel, as defined by VA policy," the report notes.
"Furthermore, without appropriate security controls, including database encryption and password enforcement, the Microsoft Access database was vulnerable to access by unauthorized users without proper authentication. Without proper user access controls, the database files were vulnerable to modification and subject to data corruption by unauthorized personnel. As a result, veteran SPI was at risk of unauthorized disclosure."
Out of Bounds
The OIG also substantiated that veterans' sensitive data was hosted on an external server, located at the University of Southern California, without a formal data use agreement authorizing such activity. In addition, the OIG noted this server could be accessed from the internet using default log-in credentials.
"Spinal Cord Injury Center personnel manually entered clinical information obtained from VA's computerized patient record system onto the university server in order to test the functionality of the supporting database," OIG writes.
"VA policy states that external information systems hosting VA data must be authorized under a formal data use agreement and appropriate safeguards must be established to secure the confidentiality of SPI." Despite this policy, however, the VA Long Beach Healthcare system did not have a formal agreement with the University of Southern California that authorized the transfer of information or defined security and confidentiality controls for the protection of sensitive data, OIG writes.
The incident involving the Long Beach VA facility isn't the first shadow IT situation that the VA's watchdog agency has recently spotlighted.
In February, the VA OIG issued a report about an investigation into a guest Wi-Fi network that was activated at a VA medical center in Florida without being fully coordinated with the VA's office for information and technology, also putting patient data at risk (see Managing Shadow IT Risks in Healthcare Settings).
Healthcare entities in the private sector - especially those affiliated with academic medical centers and university research facilities - also commonly face challenges of identifying and reining in shadow IT and mitigating the security risks posed by technology deployments that aren't formally sanctioned or managed by the healthcare organization's IT or security team.
"Shadow IT departments are very common for academic medical centers due to the federated model of support for academics, research and patient care," says Cris Ewell, CISO at University of Washington Medicine.
Shadow IT deployments are common issues in many departments, including radiology, lab, finance, health information management, he says. In academic medical centers, those issues also extents to the university school of medicine and research IT departments, Ewell notes.
What Causes the Problem?
But the problem of shadow IT is pervasive throughout healthcare, he contends.
"Prevention starts with the knowledge of the shadow IT and understanding where the confidential/protected data are within the enterprise."
—Cris Ewell of UW Medicine
"I believe that because of the complex nature of healthcare systems and the need to support patient care, very smart workforce members within the institution export and duplicate copies of the original source of truth so they can efficiently perform their job," Ewell says.
"The difficulty with protecting the data and enforcing the information security controls comes as the data gets further from the original source," he says. To help minimize the impact, UW Medicine has common policies and standards that apply to all departments, he explains.
"Prevention starts with the knowledge of the shadow IT and understanding where the confidential/protected data are within the enterprise," Ewell says. "Leadership is also needed to understand the reasons for a shared IT service and risks associated with a distributed IT infrastructure. From the risks, we can make informed decisions as to the processes, standards and policies that must be implemented if you want to continue with a IT/shadow IT infrastructure.
"As the CISO, I am still responsible for protecting all of the ePHI within the institution whether it is under the control of a central IT service or a shadow IT department."
The OIG recommended that the VA under secretary for health should ensure that the spinal cord injury and disorders program staff comply with VA's privacy program and information security requirements for all veteran sensitive data collected.
In addition, the OIG recommended the executive director for the VA's National Spinal Cord Injury Program Office discontinue storing sensitive information in unauthorized Microsoft Access databases.
The OIG also recommended that the VA implement improved procedures to identify unauthorized uses of sensitive personal information and take appropriate corrective actions.
VA leadership concurred with the recommendations, the OIG notes.