Can shadow IT work in healthcare?
Oct 22, 2019
Professor Arvind Narayanan’s Twitter thread on “Why Enterprise Software Sucks” got me thinking about how the same narrative plays out in healthcare IT. Essentially the same dynamic exists - the end users aren’t the ultimate decision-makers, and all the incentives get misaligned. It also got me thinking about how we as developers and entrepreneurs can break these kinds of cycles.
Enterprise software is developed for the business, not the end users. Or so goes a mantra that I’ve believed dating back to my time at Epic. In healthcare, though, the stakes are much higher - patients can die because of bad software, and the contracts are two to three orders of magnitude larger than in education. Those who assume that EHR developers are just low-skill or don’t have user experience expertise are wrong. With such big deals at stake, end users are always brought in to evaluate the software.
Shadow IT is one way to get user-friendly software into large enterprises but faces an uphill battle in healthcare. Shadow IT is the use of software that is not explicitly approved by your employer. For many, it’s a huge part of the workday. For example, sharing calendar data with a tool like Calendly is something that makes me more productive, and is not explicitly approved by Redox. When it comes to healthcare, however, security and integration challenges make shadow IT a difficult strategy.
Publicly traded companies like Slack, Dropbox, and even Facebook have used shadow IT as a tactic to grow into the enterprise. The reasoning goes like this: get individual teams at a company to use the product, and eventually central IT will take notice and sign an enterprise deal. In healthcare this approach is hindered by HIPAA - but not in the way you’d expect. I believe the biggest barrier is bad HIPAA training. The law requires employee training, and the lowest common denominator is usually to put the fear of God into people. “Don’t put sensitive information into anything - period.”
The US government wants a future that resembles shadow IT for patients, but it’s unclear if it will trickle into the rest of the health IT enterprise space. If you haven’t heard about all the policy coming out of the 21st Century Cures Act, check out some of our coverage. Suffice it to say patient-authorized applications (à la Apple Health Records) are here to stay. The idea is that this functionality will give rise to an ecosystem of apps that help patients understand and manage their health better. The real kicker is that the same technology can be used in the provider space. The SMART project out of Boston Children’s is the foundation for the patient-auth flows but was originally designed with provider-facing flows in mind. The acronym for SMART - Substitutable Medical Apps, Reusable Technology - taps into substitution, one of the core ideas of shadow IT. Despite SMART’s open-ended design, ONC is not currently pursuing any policies that would make it easier for providers to operate in a “bring-your-own” type of ecosystem.
Enterprise software is terrible, and one of the solutions is to use the free market to make IT decisions. This presents numerous headaches for enterprise IT teams, hence the ominous name “shadow IT”. Shadow IT is not typically a viable sales strategy in healthcare because, for better or for worse, potential shadow IT buyers operate with an irrational amount of confidence. The right of a patient to choose whatever apps they want to read their data will be enshrined in law, but we may never see such an ecosystem evolve on the provider side without further lawmaking from Congress.