Shadow Code, Part I: The Unofficial Systems Running American Healthcare

When Lurie Children’s Hospital in Chicago suffered a crippling ransomware attack, the media focused on the outage and the recovery timeline. But investigators quietly flagged a deeper issue: several clinical teams had been relying on unapproved scheduling spreadsheets and unsecured workarounds, introduced without IT oversight and operating in parallel to enterprise systems. These tools, collectively known as shadow systems, weren’t part of the hospital’s official infrastructure. But they were running it just the same.

This article launches Shadow Code, an investigative editorial series that will uncover the role shadow systems play in the daily operation of American healthcare. These are the tools departments build when enterprise software doesn’t work. Sometimes it’s a homegrown staffing platform. Sometimes it’s a shared cloud folder routing lab results. Always, it exists outside of governance, and often, outside of security.

Each piece in this series will feature anonymized interviews from health system staff, at least three external sources, and an editorial examination of what these systems say about healthcare IT design, oversight, and risk. We’re not tracking bad behavior. We’re documenting survival architecture.

Built in the Margins, But Critical to the Core

At a large IDN in the Pacific Northwest, a finance and revenue cycle team maintained a shadow database for real-time charge reconciliation. The system was constructed in Airtable, updated manually, and stored without encryption. It had become so central to month-end operations that “if it went down, we’d miss financial targets,” said the group’s VP of Revenue Integrity. “But if you asked IT? It doesn’t exist.”

These systems live outside formal IT. Yet they carry patient data, support staffing decisions, and drive billing accuracy. That makes them dangerous not because they’re unofficial, but because they’re invisible.

According to a 2023 report by the Ponemon Institute, 54 percent of healthcare organizations admit to knowing shadow systems exist within their operations, while only 11 percent have policies in place to mitigate their risks. In many cases, these tools persist for years. They’re often built by mid-level managers, analysts, or nurses using Microsoft Access, Smartsheet, or Google Workspace to stand in for vendor systems that couldn’t be configured in time.

In February 2024, the U.S. Department of Health and Human Services reiterated that liability for breaches applies whether or not a system was sanctioned. If protected health information is exposed, even via an unofficial system, it qualifies as a compliance event. In practice, that means a Dropbox folder created to speed up lab notifications could trigger the same penalties as a formal EHR failure.

Why They Keep Appearing

These systems aren’t created in secret. They’re created in plain sight. The trigger is always operational: a missing feature, a delay in deployment, or a usability failure that forces frontline teams to find their own solution.

A clinical transformation lead at a Midwest academic health system described a years-long struggle to customize their Epic discharge workflows to accommodate non-English speaking populations. “It just wasn’t getting prioritized,” she said. “So our social work team made a workaround. Google Docs, folders, color codes, everything shared through Gmail.”

A nurse informaticist at a California health system added: “We literally trained our float staff using a shadow SharePoint site because the LMS was too slow. Compliance didn’t like it, but the official system wouldn’t load on the floor.”

These are not corner cases. They are endemic. At HIMSS 2023, hospital security executives openly acknowledged that shadow systems often outperform formal tools and not just in speed, but in how closely they match clinical realities. Once embedded, they’re hard to remove without breaking something more important: the work.

Dr. John Halamka, president of Mayo Clinic Platform, described this pattern in a MedCity News interview. “Shadow systems are a response,” he said. “They’re what happens when the official systems fall behind the work.”

The Unofficial Becomes Unmanageable

The commercial health IT landscape is quietly responding. Vendors like Palo Alto Networks and Netskope have started marketing observability and enforcement tools aimed specifically at identifying shadow infrastructure in healthcare. As noted in a recent Fierce Healthcare feature, these tools are being pitched not just for cybersecurity, but as a necessary layer of visibility, something like an X-ray of the hospital’s real operational stack.

At one large health system in Texas, a CMIO said the organization is testing an internal registry for graylisted systems. These tools are neither formally approved nor actively blocked. “We know we can’t eliminate them,” he said. “So we’re trying to track them without killing the workflows they support. It’s triage.”

Even the most proactive CIOs are struggling to keep up. “If I decommissioned every shadow system in my org, I’d break scheduling, supply chain, and patient access,” said a digital health executive at a Southern IDN. “The problem isn’t visibility. It’s substitution. Until we give people something better, they’re going to keep building what they need.”

What This Series Will Explore Next

The second installment of Shadow Code will examine how generative AI tools, especially those embedded in Microsoft Copilot, Google Workspace, and custom LLMs, are accelerating the creation of new, invisible infrastructure at the departmental level. These tools promise automation and productivity. But when used without governance, they also amplify risk.

We will continue to report anonymously from the field. If you work inside a health system and want to share your story, you can do so confidentially through our encrypted submission form. We protect all sources. No attribution is used without explicit consent.

This series is not about shadow systems as isolated flaws. It’s about what they reveal. That enterprise healthcare IT, as currently designed, still doesn’t fit the floor.