Karen Habercoss is the Vice President, Chief Information Security and Privacy Officer for the University of Chicago Medicine, a leading academic health system with a tripartite mission of patient care, research, and medical education. She is responsible for the enterprise strategy and operations of the health system Information Security and Privacy Office and co-leads the artificial intelligence (AI) governance program for the organization. Karen chairs the Healthcare Information and Management Systems Society Cybersecurity, Privacy, and Security Committee and is the chair-elect of the Association of American Medical Colleges Compliance Officers’ Forum Steering Committee. She is the past co-lead of the Privacy-Security Task Group for the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group. Her primary interest centers on effective collaboration between security and privacy teams and on recent publishing around AI privacy best practices.
Recently, in an exclusive interview with CIO Magazine, Karen shared insights on the role of security and privacy evolving in the healthcare industry, personal hobbies and interests, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Karen. What drives your passion for information security and privacy, and how do you stay current with the latest trends and threats?
As a former healthcare clinician, it’s important for me to continue working to protect the environment and the data of the patients, employees, research subjects, and larger community my entity serves. I want to make certain care is safely delivered and maintained throughout my health system. I stay current by reading and connecting with other professionals I respect. I try to ask a lot of questions of my peers to find out what they might be doing that is different or innovative. I belong to several professional organizations and attend conferences where thought leaders in both privacy and security present. I review the threat intelligence that is available.
What do you love the most about your current role?
Every day is something new and there is always a learning opportunity. I love the challenge of anticipating and identifying potential concerns and this keeps the role fresh. I have a strong interest in setting short term goals and long term strategies, and I enjoy seeing how these evolve over time in a consistently changing environment. I love that technology is rapidly advancing in the role of healthcare right now and being a part of this is very exciting. Areas like robotics, artificial intelligence, precision and personalized medicine, and analytics are all changing the way healthcare is delivered and allowing patients to be cared for in innovative ways never previously considered. Most importantly, and very cliché, I love the people I get to interact with each day.
How do you see the role of security and privacy evolving in the healthcare industry, and what challenges and opportunities do you anticipate?
New and emerging technologies in healthcare are exciting and promising in the care of patients, but they also pose challenges for the security and privacy communities. Many are often not well understood, are unproven, or untested, and they require professionals to upskill and educate themselves. There is a need now to really spend time with healthcare business units to understand the actual usage, the workflows, interfaces, integrations, and ultimately the business risks involved with those critical technologies. The technology environment is also rapidly evolving, but often the oversight cannot keep pace. As an example, the use of quantum computing may have seemed far away years ago but now is on the short horizon. It offers acceleration in pharmaceutical discoveries and research areas and manners to evolve healthcare in yet known ways but security and privacy professionals are challenged with fully understanding the implications.
What does the term “authentic leadership” mean to you?
Authentic leadership to me is simply being genuine and recognizing that everyone has talents and challenges. It means being able to capitalize on strengths and offer grace when situations are less than ideal. It is supporting your team and your fellow leaders and their teams. It promotes trust among and between teams. I want to be seen as someone who is a strong but humble contributor. It also involves having difficult and hard conversations when needed. Prior to becoming a privacy and security leader, I was a clinical social worker for many years. I use the social work skills I learned long ago every day to try to understand other people’s perspectives. Every person has a history and story that is uniquely that individual’s and the ability to reframe situations has served me well as a leader.
What are your thoughts on diversity and inclusion in tech? How important is it to have authentic conversations with leaders, professionals, and changemakers to create more acceptance across the globe?
This is such an important topic. The field can be intimidating and it definitely can become more inclusive. There are barriers that can be difficult to overcome, especially in the area of security where the requirements for entry may appear higher than for other technology professionals to start. It’s not enough to just have an education or a mentor. I’ve discovered that having a mentor is important to learn and guide my career, but what gave me better visibility and confidence was sponsorship. Those couple leaders during my career who were an advocate and champion for me personally, believed I could achieve more, and actively helped to promote my career interests without anything in return for themselves or when I wasn’t even in the proverbial room, was incredibly impactful and helped me to achieve my current role.
What are some of your passions outside of work? What do you like to do in your time off?
I am extremely passionate about childhood literacy, and my community and volunteer time is spent in this area. I believe childhood literacy is one of the most important predictors of future success for any person. I personally spend a lot of time reading, and I’ll read just about anything including fiction and nonfiction. When I’m not working, I spend time with my family, and we like to travel. My favorite place to go is Italy. I play pickleball every week, and used to play tennis.
Which technology are you investing in now to prepare for the future?
Technologies related to access management, especially around the protection of privileged access, are key. I’m also very interested in identity verification solutions. While not a technology, I also think analytics and metrics are so meaningful. It’s useful for both security and privacy professionals to show value for their programmatic work and as much as possible what financial value is being added. So often we think about the amount or volume of protection we are providing or productivity when metrics are offered. I think it’s more useful to attempt to show valuation in a financial way through the quantification of risk.
What is your biggest goal? Where do you see yourself in 5 years from now?
My biggest goal is always to practice a better work-personal life balance. In five years I will be moving toward retirement with the goal to continue to travel.
What advice would you give to someone looking to break into the field of information security and privacy?
Attend conferences, meet thought leaders, and network. Introduce yourself, be sincere, and let others know what you’re looking to accomplish in the future and ask for help. Gain an understanding of the different areas of privacy and security such as operations, engineering, incident response, architecture, identity and access, audit, governance, risk, and compliance. If you have an interest in the technical side then you should enhance your skills in that area. There are also less technical roles in compliance and audit that are equally important if you have interest in the profession but may not want something so technical.