CityMD Finds the ‘Shadows’ in the Cloud

IT leaders are well aware that there are unsanctioned applications in their enterprise, but most have no idea just how many there are. That was the case with CityMD, a fast-growing urgent care organization with about 1600 employees.

However, the company was determined to get a better handle on the number of “shadow apps” being used by employees, so it turned to Cisco Cloud Consumption Services, which reveals which cloud services are being tapped, as well as the potential risks associated with them.

After implementing the service, Robert Florescu, vice president of information technology at CityMD, learned that there were 522 cloud services running in his organization, even though no more than 20 were officially listed for IT support. None of the shadow apps exposed the company to risk. However, it is particularly important for a business that deals with health data, which is subject to Health Insurance Portability and Accountability Act (HIPAA) regulations, to be on top of the flow of data.

CityMD opened for business with a single location five years ago. It currently has 52 locations in New York State, including the five boroughs of New York City, Long Island, Westchester, Rockland County and New Jersey—and more are scheduled to open this year. Florescu says that in his organization’s climate of rapid growth, it is expected that “the culture of the company becomes cloud-oriented.”

“In order for us to grow this fast, we employed a lot of cloud services,” he said, citing Google Mail as just one example. Employees used various cloud services to share ideas, and also used mapping software to share content with members of their team.

Florescu was aware of those services and applications, but the Cisco service gave him information about other apps and services the employees were using that he didn’t know about. That provided “understanding about where our people are going and why,” enabling him to steer employees in the right direction in order to comply with company protocols.

Enabling Growth While Maintaining Security

Always mindful of his goal to secure “any sensitive data that flows through our network,” Florescu has to ensure that any service used to send out data comes from a partner that provides a HIPAA business associate agreement, which CityMD does have from Amazon and Google for Gmail. Should an employee make use of a cloud service for sharing information without that agreement in place, they could be putting data at risk.

For example, Florescu said it would be possible for someone on the marketing team who is not necessarily aware of HIPAA regulations to transfer information to an outside consultant who uses Dropbox or a similar service. If they are not trained to recognize the nature of data that is subject to regulation, they could end up transferring information such as a patient’s name and date of birth.

While CityMD does have policies in place, there are always new streaming services coming out, and some of them would be considered allowable for a valid business use in a controlled environment. That’s why Florescu doesn’t consider mass blocking a viable solution, because he does not want to hamper the business’ agility and its ability to grow.

Consequently, CityMD’s approach is to continue to assess the cloud services on a case-by-case basis, based on information provided by Cisco Cloud Consumption Services.