Managing 'Shadow IT' Risks in Healthcare Settings
VA OIG Report Spotlights Some of the Challenges
A new report from a Veterans Affairs watchdog agency on a guest Wi-Fi network that was set up at a VA medical center in Florida without being fully coordinated with the VA's Office of Information and Technology spotlights the security risks and challenges that many healthcare organizations face with so-called "shadow IT."
To help mitigate the risks of shadow IT, security experts recommend such steps as deploying data loss prevention systems, network access controls and asset inventory tools as well as training staff.
"Organizations should develop policies and procedures for acquiring any network-connected technology that goes through both a financial and technical review," says David Finn, a former healthcare CIO who's executive vice president at security consultancy CynergisTek. "This should include everything from PCs and laptops to biomedical equipment and security cameras to the monitors on your refrigerators and HVAC system controls."
The report from the VA Office of Inspector General says its review of the development of a Veterans Services Adaptable Network, or VSAN, at the Orlando VA Medical Center was prompted by a March 2015 whistleblower complaint alleging that the facility's efforts to launch a guest services wi-fi network "were not coordinated with the VA Office of Information and Technology and that project funding was inappropriately coming from medical services appropriations rather than information technology funding."
The VA OIG says its investigation into the complaint ultimately did not find that inappropriate funding was used for the project. But the OIG "substantiated that the VSAN deployment was not fully coordinated with OI&T to ensure it met VA security requirements." The Orlando facility and VA OI&T did not perform a security risk assessment or implement security controls to segregate VSAN from VA's network.
"The VSAN deployment was not fully coordinated because local OI&T staff did not exercise effective oversight due to competing priorities and resources," the report says. "OI&T's lack of effective VSAN oversight posed unnecessary risks to VA's networks that could have resulted in unauthorized access to other VA systems."
Situations similar to what happened at the VA Medical Center in Orlando often arise at private sector healthcare entities when new IT or internet-connected devices are introduced into the organization without the formal knowledge, approval or assistance of the IT department or information security team.
Shadow IT is a significant challenge for many healthcare organizations and can present serious security risks.
"Not unlike the issues noted in the report from the VA's OIG, this typically starts with a purchasing decision made outside the purview or even review of IT - and sometimes central purchasing," Finn says.
Many healthcare organizations have a large number of employee-owned devices attached to their networks that are not controlled by, or fully accessible to, the healthcare IT and information security teams, notes Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"All these devices are potential pathways for hackers planting malware on the healthcare network," she says.
But it's not only rogue employees who bring these unsanctioned devices into an environment, the experts note.
"The many business associates that do work for healthcare organizations also create the same types of pathways and bring similar risks, only there is even less visibility, and less authority by the healthcare org, for these types of shadow IT devices," she says.
Influence of the Cloud
Tom Walsh, president of consulting firm tw-Security notes that "shadow IT has always been a problem in healthcare, and with cloud-based applications/systems and software as a service, the number of shadow IT systems is growing and in most cases, unbeknownst to the CIO or director of IT."
The problem is often rooted in the distributed nature of healthcare delivery, Walsh notes.
"Traditionally, there have been certain departments that have system administrator control over their systems, even when the servers reside in the IT data center," he says. These include, for example, pharmacy departments with their medication dispensing carts; radiology departments with their radiology information systems and picture archiving and communication systems (PACS); laboratories with their laboratory information systems; and even human resources, he points out.
"The individuals responsible for the administration of these systems may not be a true 'IT' person by training and may not be aware of security requirements or regulations," the consultant adds. "Often, the IT department only becomes aware of shadow IT systems when a call comes in, 'I need an IP address,' or when there is a problem, 'I need your help with accessing this system'."
Organizations need to do a better job of communicating the importance of coordination and inclusion of IT in any decision to purchase, lease or use internally developed, purchased or leased applications or systems, Walsh says. "Turf wars can sometimes interfere with what is in the best interests of the organization," he notes.
Medical devices and IoT devices also are often among the shadow IT that falls outside the radar of health IT and security departments.
"Another significant risk comes from all the medical devices that are attached, and from the medical device vendors that have not implemented sufficient security controls within them and who often have continuous access into the healthcare organizations' networks through them," Herold notes.
Healthcare organizations can take steps to get a better handle on shadow IT and the risks it poses, Herold says, including:
- Improving business associate security management oversight;
- Using data and asset inventory tools to identify all the digital assets;
- Demanding that medical device vendors and makers build security controls into their devices;
- Ensuring sufficient budgeting to information security departments to most effectively address these risks;
- Providing regular training to healthcare workers so they understand the risks and how to mitigate them through their own work activities;
- Acquiring cybersecurity liability insurance to help mitigate the effects of shadow IT in the event of a data breach.
Mark Dill, former information security officer at the Cleveland Clinic and a principal consultant at tw-Security, says technologies such as network access controls can also aid efforts to protect networks from shadow IT and other unauthorized devices.
"NAC tools are designed to only allow authorized assets to connect to the private network once they meet the minimum security requirements for such things as operating system level, patch level, correct configurations and antivirus software brand/version/update level," he says.
In addition, engaging an organization's supply chain to flag "out of IT's view" purchases can help, Dill says. "All new systems and acquisitions - and their vendors - should be vetted pre-purchase to help ensure that the hospital's IT standards are being met or exceeded."
Organizations also "should conduct regular network scans and maintain appropriate inventories about what should be on the network and what is just showing up on the network," Finn suggests.
"There are plenty of good scanning tools and companies that will do the scans if you don't want to acquire that technology. We shouldn't forget that the most important asset is the data, and there are now data loss prevention tools that help organizations find, classify and detect movement of identified data - even block or encrypt it if it is moving off-site."
When it comes to the risks presented by the unofficial use of cloud-based applications and services, Finn notes, "there are now ways of assessing shadow IT. You can identify the sites and applications that are sending or receiving data through your own firewall that the IT department has not implemented or approved for use."
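The two checks Finn describes, reconciling what is actually on the network against the asset inventory and spotting unapproved destinations in firewall egress logs, come down to the same comparison of observed versus authorized. The Python below is an added example written for this article, not a tool from CynergisTek or any vendor. The inventory CSV, the `ip neigh`-style neighbor dump, the egress log format and the approved-service list are all constructed sample data; a real deployment would pull the inventory from the CMDB and the observations from switch, DHCP or firewall exports.

```python
"""Reconcile observed network activity against what is authorized.
Added example for this article (not from CynergisTek or any vendor tool).
All inputs below are constructed samples; real deployments would read the
inventory from the CMDB and the observations from switches/firewalls."""
import csv
import io
import re

# Constructed: the asset inventory, i.e. what SHOULD be on the network.
INVENTORY_CSV = """mac,hostname,owner
00:11:22:33:44:55,pacs-srv01,Radiology
00:11:22:33:44:66,pharmacy-cart07,Pharmacy
00:11:22:33:44:77,hr-app02,Human Resources
00:11:22:33:44:88,lab-lis01,Laboratory
"""

# Constructed: a neighbor-table dump in `ip neigh` format, i.e. what IS on the wire.
NEIGH_DUMP = """10.20.5.11 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.20.5.12 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.20.5.40 dev eth0 lladdr 08:00:27:ab:cd:ef REACHABLE
10.20.5.41 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
10.20.5.77 dev eth0 lladdr b8:27:eb:12:34:56 DELAY
10.20.5.9 dev eth0 FAILED
"""

# Constructed: firewall egress log, one record per flow: time src dst_host bytes_out.
EGRESS_LOG = """2015-03-02T08:01:12Z 10.20.5.11 vendor-pacs-support.example 1200
2015-03-02T08:02:30Z 10.20.5.40 share.filedrop.example 52000000
2015-03-02T08:03:02Z 10.20.5.12 ehr.example.org 3100
2015-03-02T08:05:44Z 10.20.5.40 share.filedrop.example 48000000
2015-03-02T08:07:19Z 10.20.5.41 notes.freeapp.example 900
"""

# Constructed: cloud services IT has actually reviewed and approved.
APPROVED_SERVICES = {"ehr.example.org", "vendor-pacs-support.example"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>[0-9a-f:]{17}) \S+$", re.IGNORECASE)


def load_inventory(text):
    """Map lower-cased MAC -> inventory row."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def parse_neighbors(text):
    """Yield (ip, mac) for entries that resolved to a link-layer address;
    FAILED/INCOMPLETE entries carry no MAC and are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("mac").lower()


def unknown_devices(inventory_text, neigh_text):
    """Devices on the wire whose MAC is absent from the inventory: shadow IT candidates."""
    inv = load_inventory(inventory_text)
    return sorted((ip, mac) for ip, mac in parse_neighbors(neigh_text) if mac not in inv)


def missing_devices(inventory_text, neigh_text):
    """Inventory entries never observed: stale records, moved or decommissioned assets."""
    inv = load_inventory(inventory_text)
    seen = {mac for _, mac in parse_neighbors(neigh_text)}
    return sorted(row["hostname"] for mac, row in inv.items() if mac not in seen)


def unsanctioned_egress(log_text, approved):
    """Bytes sent to every destination that is not an approved service.
    Returns {dst_host: (total_bytes, sorted list of source IPs)}, largest first."""
    totals = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        if dst in approved:
            continue
        total, srcs = totals.get(dst, (0, set()))
        totals[dst] = (total + int(nbytes), srcs | {src})
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return {dst: (total, sorted(srcs)) for dst, (total, srcs) in ranked}


def egress_from_unknown_devices(inventory_text, neigh_text, log_text, approved):
    """Cross-reference: unapproved destinations reached from devices nobody inventoried."""
    unknown_ips = {ip for ip, _ in unknown_devices(inventory_text, neigh_text)}
    report = unsanctioned_egress(log_text, approved)
    return {dst: (total, [s for s in srcs if s in unknown_ips])
            for dst, (total, srcs) in report.items() if set(srcs) & unknown_ips}


if __name__ == "__main__":
    print("Unknown devices:", unknown_devices(INVENTORY_CSV, NEIGH_DUMP))
    print("Inventoried but unseen:", missing_devices(INVENTORY_CSV, NEIGH_DUMP))
    for dst, (total, srcs) in unsanctioned_egress(EGRESS_LOG, APPROVED_SERVICES).items():
        print(f"{dst:30} {total:>12,} bytes from {', '.join(srcs)}")
    print("Unapproved egress from unknown devices:",
          egress_from_unknown_devices(INVENTORY_CSV, NEIGH_DUMP, EGRESS_LOG, APPROVED_SERVICES))
```

On the constructed data the two checks reinforce each other: the host at 10.20.5.40 is both absent from the inventory and the source of roughly 100 MB pushed to an unapproved file-sharing service, which is exactly the combination (unknown device, unreviewed cloud destination, data leaving the site) that the DLP and inventory tooling Finn mentions is meant to surface. The inventory-but-unseen list is the less glamorous half of the same exercise; a record nobody can find on the wire is either a decommissioned asset or one that has moved somewhere IT does not see, and both deserve a follow-up.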
Ultimately, security is about risk management, and managing risk means understanding what the risks are, he adds. "We get very focused on doing our annual risk assessment, but what HIPAA really intended - and what good security requires - is an ongoing risk management process.
"That means doing the scans on and for devices and using them; it means having data classification and a data loss prevention program. Things change every day and that means doing this once a year may not give you the insights you need into your risk posture. The better you can control and manage the purchasing and deployment of these technologies, the better you can understand and manage your security risks."
Next Steps for VA
As for the VA OIG, the agency in its report says it recommended that the executive in charge for the VA Office of the Under Secretary for Health, in conjunction with the executive in charge for OI&T, "ensure that all guest internet access networks, external air-gapped networks and industrial control systems are appropriately segregated from VA networks and meet the department's information security requirements."
The report notes that the Veterans Health Administration says it will continue to work with OI&T to ensure no industrial control systems are connected to a public internet connection.
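The control the OIG found missing at Orlando, segregation of the guest network from the facility's own networks, is a small amount of configuration once someone owns it. The ruleset below is an added illustration, not from the OIG report, VA or any vendor, of a minimal nftables policy that lets a guest Wi-Fi VLAN reach the internet and nothing else. The interface name (vlan200), the assumption that internal systems live in RFC 1918 and ULA address space, and the assumption that guests use an external resolver rather than an internal DNS server are all assumptions for the example.

```nftables
# Added example, not from the OIG report or VA: isolate a guest Wi-Fi VLAN.
# Assumptions: guest clients arrive on interface vlan200; internal systems live
# in RFC 1918 / ULA space; guests are handed an external resolver, so no
# exception for internal DNS is needed.
define GUEST_IF = "vlan200"
define INTERNAL_V4 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define INTERNAL_V6 = { fc00::/7 }

table inet guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to connections guests opened toward the internet may return.
        iifname $GUEST_IF ct state established,related accept

        # Guests never initiate toward internal address space; this is the
        # segregation the report found missing. counter makes attempts visible
        # in `nft list ruleset` so probing from the guest side shows up.
        iifname $GUEST_IF ip daddr $INTERNAL_V4 counter drop
        iifname $GUEST_IF ip6 daddr $INTERNAL_V6 counter drop

        # Nothing on the inside opens connections toward guest clients either.
        oifname $GUEST_IF ct state new counter drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # The gateway itself offers guests DHCP and nothing else (no SSH, SNMP, web UI).
        iifname $GUEST_IF udp dport 67 accept
        iifname $GUEST_IF ct state new counter drop
    }
}
```

This assumes the guest VLAN is routed through a Linux host running nftables; a commercial firewall expresses the same policy as a guest zone with a deny rule toward internal zones. Whatever the platform, the check that matters is the one the OIG performed after the fact: from a guest client, confirm that internal addresses are unreachable and that the drop counters increment, and repeat that test whenever the network or the guest service changes, rather than once at deployment. Client isolation on the access points closes the remaining gap, traffic between guest clients themselves.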