Preparing for Shadow OT: A Hospital Case Study

The convergence of IT and OT is happening more rapidly than IT expects. Once upon a time, IT was so expensive that enterprises built entire departments to prioritize spending and efficiently manage those costly investments. Now, IT is so inexpensive that any individual who wants IT can buy it (or rent it). This is “Shadow IT”: information technology that the IT organization does not know about. IoT puts OT on the same path.

Nurses at a hospital in the US Northeast decided to use IoT to help with rounds. They put motion- and moisture-detecting pads in thirty hospital beds on one ward, with remote monitors in the nurses' station. Instead of walking into each room every hour or two overnight, nurses monitored the patients centrally for signs of motion or possible spills. This improved patient care. Patients who were sleeping soundly remained undisturbed, while those who needed attention got it quickly. The nurses had more time to manage paperwork, prepare medications, and attend to other duties.

These devices were very inexpensive – home versions retail for $50 or less. In contrast, an FDA-approved smart hospital bed can cost from $10,000 to $40,000 (a standard hospital bed costs around $6,000). Clearly the nurses would not succeed in asking IT for an additional $4,000 to $30,000 per bed, but spending $50 per bed for non-clinical supplies doesn’t require that level of approval or scrutiny.

The experiment was so successful that sensors were installed on beds across the hospital – over 1,000 in total. The sensors use WiFi and do not communicate over the hospital’s corporate network. Then the administration directed IT to take over management of the devices. IT was blindsided by the request and is coping with this new technology.

See https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4746860/ for a survey of smart hospital bed technology.

Shadow IT represents a risk:

  • It is not governed and may violate compliance regulations,
  • It is not integrated into the organization’s information security program and may present additional attack surfaces,
  • It is not covered by the IT organization’s functional strategies so it will not be backed up or included in the enterprise disaster recovery plan, and
  • It is not included in the organization’s enterprise architecture so it may drive investment into counter-strategic channels.

OT – operational technology – is in the same boat. The Internet of Things brings sensors, actuators, and programmable analytics within the budget of most organizations. These organizations are acquiring capabilities without any governance, security, centralized management or architecture. This wave of ungoverned OT will end up in IT’s lap.

IT has never been able to shut off shadow IT. From personal computers, WiFi, and cheap storage devices to free open source software and cloud computing, people will use available technology to solve business problems whether IT approves or not. A better strategy is to embrace this creativity: provide tools and training to help power users make better choices. By opening the lines of communication, IT can improve the overall security and management of its technology portfolio, and stay informed of what may come next.

What do you think? Let me know by responding below, or Tweet me @WilliamMalikTM.