Shadow IT

2021-12-06T09:39:15+10:00

Your work unit should only use approved information technology (systems, tools, applications and solutions). Anything implemented without proper IT approval is known as “Shadow IT”.

    Why is Shadow IT an issue?

    Any piece of technology or software that has not been approved by Digital Metro North, eHealth Queensland (eHQ) or Biomedical Technology Services (BTS) is called “Shadow IT”.

    Shadow IT is a significant RISK to Metro North Health. It may introduce security threats and expose our healthcare services and health information. Shadow IT is also a potential open back door to our health information.

    Types of Shadow IT

    Software as a Service

    Externally provided or cloud-based software (Software as a Service) requires information to leave Metro North Health. Information leaving Metro North Health can be a risk if the process is not compliant with privacy and confidentiality legislation. A privacy breach causes problems:

    • with accessibility and integrity of the data.
    • with the safety and protection of our patients and staff, as well as their information.
    • with the image and reputation of Metro North Health.

    Non-Endorsed Devices

    It can be problematic to use hardware or devices not endorsed by Digital Metro North, eHealth Queensland or BTS.
    If there is no formal support or patching management in place to maintain device security, issues may emerge. If the device, or the data on the device, fails or is compromised, our network may be at risk. There may also be a service impact if there is no local support person or if there is no replacement available for the device.

    Custom Software

    Software developed and managed by staff outside Digital Metro North can be effective; however, issues can occur when that system requires a security update or integration with other Queensland Health software. Queensland Government is bound by legislation and some software may not be compliant with these guidelines.

    Do you have Shadow IT?

    You can check if you are using Shadow IT.

    Technology approved for use across Queensland Health (QH) is available within the “QH Software Centre”. Metro North Health technology is listed in the “Metro North Health Approved Standards List”. All Metro North Health staff have access to the QH Software Centre (from the Start menu on your PC) and the Metro North Health Approved Standards List located in the Enterprise Architecture Repository Portal.

    If you cannot find your specific vendor, device model, technology or software in the QH Software Centre or MNHHS Approved Technology List, the DMN Enterprise Architecture team can help you to assess the technology with the aim of identifying the most appropriate way forward to ensure the information is secure. This may be to have your technology approved and added to the Metro North Health Approved Standards List or it may be a recommendation to leverage an existing QH or Metro North Health technology.

    How do I get my technology assessed?

    To have your technology assessed, click the IT Support link or go to QHEPs IT Support and search for “HHS Architecture and Strategy – Generic Request.”

    In your request outline:

    • your business problem,
    • the information you are using and why,
    • the technology requested,
    • the current risks and
    • any specific timeframes for response.

    Assessments will typically take approximately five (5) business days.

    What happens when Shadow IT is identified?

    Not all Shadow IT is bad. Shadow IT comes with risks. Digital Metro North will help you evaluate and mitigate these risks.

    If your software or hardware is not currently on the Queensland Health or Metro North Health approved lists, Digital Metro North will work with you to identify, document and mitigate any current information technology risks.

    Step 1: Identify the risk

    Digital Metro North will look at your solution including:

    • Desktop computers, servers or other devices hosting applications, databases or clinical files.
    • Non-eHealth Queensland services used.
    • Backups and interim storage (USB drives, CDs, DVDs or other hard drives storing information).

    Digital Metro North will assist in documenting any identified risks and how to mitigate these.

    Digital Metro North staff will highlight the risks, and work with you to help to find ways of mitigating the risks. These risks are documented so the Health Service is aware of them.

    Step 2: Record the risk

    You should use the Metro North Health Risk Establishment Tool to record the risks in RiskMan.

    Digital Metro North can advise on any controls and treatments that may be applicable and help assess the level of risk.

    Step 3: Identify mitigation strategies

    Digital Metro North can provide you with advice and guidance on the most appropriate risk mitigation strategies. The mitigation strategies may not have any direct cost and will ensure the ongoing accessibility of your data.

    Step 4: Process the risk

    Record the risk of the shadow IT system on your Operational Risk Register. This allows everyone to understand the working environment. Digital Metro North, eHealth Queensland (eHQ) and Biomedical Technology Services (BTS) will work with you to best maintain the confidentiality, integrity, and accessibility of your information.

    Essential Contacts

    Digital Metro North – Enterprise Architecture

    Ph: (07) 3646 9581

    Email: DMN-TechSvcs-Enterprise-architecture@health.qld.gov.au

    Digital Metro North – ICT Risk Management

    Ph: (07) 3646 1554

    Email: DMNStandardsandProcesses@health.qld.gov.au
