Beth Hunkeler, CIO of Dayton Children's Hospital in Ohio, has seen the health IT industry grow and change — and not always for the better — throughout her roughly 30 years of experience in the arena.
Ms. Hunkeler began her career in health IT at the hospital in the mid '80s, rising through the ranks from help desk support into programming and systems analysis positions. Although she left the hospital for a number of years to work as CIO of an adult care facility, she returned to Dayton Children's Hospital in 1998, where she ultimately took the lead as CIO in 2000.
"Healthcare is all I know," she said. "I love helping people, and I'm very passionate about affecting the lives of children. The way I can help is to bring tools and processes to our clinicians to provide the very best care and really enable wellness for the kids of our region."
Ms. Hunkeler recently spoke with Becker's Hospital Review to discuss the evolution of cybersecurity practices and how she ensures data security as a CIO.
Note: Responses have been lightly edited for length and clarity.
Question: Looking back over the roughly 30 years you've been involved in health IT, how have you seen the cybersecurity landscape change for hospitals?
Beth Hunkeler: It is just constantly changing — and not for the better. When I first started in healthcare, you really had very little that ran on computers. It was more financial, transactional types of things, and over time we started to keep clinical records. Now, not only are there electronic health records, but every device that we use to capture data also feeds into that health record. Practically everything that we do, everything, runs on our network, so the complexity just continues to increase.
Healthcare data is a very lucrative market for people to steal. As the environment increases in complexity, we have to be ever diligent. It changes all the time. We all have fairly complex environments, we have lots of vendors that we are dealing with, so everybody plays a role in that. It's not just your IT department — every individual in this organization has to help with that.
Q: Beyond protecting patient health information, what do you think hospital executives should keep in mind when it comes to protecting and securing other data, such as payments?
BH: There are a lot of different points where you could be collecting payment, and you really need to make sure that those payments are protected in what we call "end-to-end," which is one of the reasons we selected InstaMed. It's protecting from the point of swiping or using the chip in the credit card, to our Epic software, to going out to the issuing bank, to the message back to us to verify that the purchase is appropriate.
You have to protect that card data in what we call "in flight" or "in transit," through all of those systems, to prevent it from being compromised. That way, you can collect credit card information, so people can go on your website or use the kiosks that we have to pay their bills. You just need to make sure all of your points are protected.
Q: What are some of your main considerations when selecting third-party security vendors?
BH: We have lots of controls that we need to make sure are in place, because there are minimum requirements to play in our environment. We have to understand what their security standards are.
When we look to work with security vendors, in particular, we need to make sure that they're familiar with HITECH and HIPAA, because we are a hospital. We also have the payment card industry regulations, so they have to understand all of the regulatory aspects that we have to deal with, and have to tailor their program, penetration tests and audits accordingly.