Addressing Point-of-Care Ultrasound’s Shadow IT Problem

Point-of-care ultrasound (POCUS) is taking hold across healthcare, and for good reason. By administering ultrasound technology at the point of care, whether that be the patient’s bedside or an ambulance, POCUS prevents patients from being sent to another facility for imaging or waiting for a radiologist. That, in turn, enables more efficient workflows and faster diagnoses and treatment. 

Multiple studies, from The Nurse Practitioner and the Annals of Medicine and Surgery, identify POCUS as a convenient tool that reduces the number of imaging tests required to achieve a diagnosis and is able to circumvent barriers that have prevented certain populations from being able to access medical imaging in the past. POCUS can also be used by non-radiologist physicians, increasing the number of caregivers who can provide imaging services and ultimately increasing its utility.  

These benefits are resulting in greater adoption of POCUS to generate quality imaging in a wider variety of settings, helping patients at the point of care rather than emphasizing appointment-based examinations. Unfortunately, POCUS’ potential is being compromised by a lack of security protocol. 

Across hospital settings, IT infrastructure has not kept pace with ultrasound innovation. Despite the many benefits of POCUS, the opportunity for wider implementation is hindered because today’s POCUS tools do not seamlessly integrate with existing hospital IT infrastructure. These disjointed systems and workflows result in more work for POCUS practitioners, already bogged down by documentation burdens, requiring manual uploads of ultrasound images. This added difficulty has prompted many caregivers to default to risky workarounds to review and document ultrasound information; workarounds that can introduce serious security issues. 

Here, we will explore how next-generation POCUS tools can create more intuitive workflows to minimize the risk that comes from process workarounds – and ultimately ensure patients and their data are kept safe.

The shadow IT problem

The various workarounds that clinicians use in their documentation can create a challenge known as shadow IT, which Gartner defines as “IT devices, software and services outside the ownership or control of IT organizations.” Because POCUS devices don’t easily integrate with existing hospital IT systems, clunky workflows related to ultrasound reviews, documentation and billing are created. Because POCUS devices generate a wide range of data types, including images, videos, and waveforms; the devices tend to use DICOM as the standard format for storage, but transferring those files into electronic medical records (EMR) and the picture archiving and communication system (PACS) can be a manual process if not seamlessly integrated with existing IT systems. According to an IoT threat report issued by Unit 42, 83 percent of medical imaging devices are running on unsupported operating systems.

As a result of these unsupported and outdated systems, clinicians have — in some cases — needed to use their own “middleware” to complete their notes. For example, a physician might start consolidating information and clinical notes in Excel, perhaps even downloading that information to a flash drive to take home after work. Personal email, messaging apps, and mobile devices are all other venues for shadow IT to create problems, as clinicians use personal devices and accounts to send information to colleagues. These actions result in bandwidth-strapped clinicians inadvertently introducing security risks to their POCUS programs, all with inadequate workflows at the root of the problem.

The impact of shadow IT

The unsanctioned use of technology leaves health systems vulnerable to security breaches. If health IT departments are unaware of the (unsanctioned) systems clinicians are using to review and document ultrasounds, they can’t properly ensure proper protocol is being followed. In other words, they can’t protect what they don’t see. 

This elevates the risk of exploitation by bad actors with ransomware. Ransomware attacks, which are becoming more frequent and more sophisticated in hospitals over the past several years, can be incredibly damaging to hospitals and create mistrust among patients, whose personal health data can be put at risk. This, in turn, can destroy a hospital’s reputation and even its business. 

Building workflows that address shadow IT issues

Modern POCUS workflows can prevent the shadow IT problem by allowing physicians to scan, document and bill exams easily – meaning they won’t feel the need to create risky workarounds to review and document ultrasounds. In a few minutes, physicians can complete the required documentation and seamlessly send their exams to the EMR and PACS – all while maintaining a hospital’s security posture. This reduces the chance of lost imaging or documentation, in addition to keeping healthcare facilities compliant with regulations and protocols designed to protect patient data, like HIPAA, HITRUST, SOC 2 and ISO 27001. 

Innovation is only as good as the processes and infrastructure it is a part of. By making next-gen POCUS tools a seamless part of workflows, health systems can mitigate risky workarounds. To do that, IT departments need to work together with others in the hospital to address security risks and arrive at win-win solutions, creating a better experience for providers and better outcomes for patients.

About Ketan Patel

Ketan Patel is the Senior Director of Security & Cloud Operations Software at Exo, a medical imaging software and devices company.

imaging
healthcare
medicine
health
hospital
medical
devices
health it
apps
iot
software