Risk Never Sleeps Podcast Episode #100
Managing Risk in a Digital Age: Perspectives on Cybersecurity and AI
Guest: Tim Swope, Interim CISO at University of Chicago Medicine
Host: Ed Gaudet
Date: October 3, 2024
Episode Overview
This landmark 100th episode features a candid conversation with Tim Swope, Interim Chief Information Security Officer (CISO) at University of Chicago Medicine. The discussion centers on managing risk in today’s digital healthcare environment, with an emphasis on cybersecurity, artificial intelligence (AI), and fostering collaboration across healthcare organizations. Swope shares his experiences as an interim leader, key priorities in cyber risk, viewpoints on managing AI adoption, and practical career advice for those entering the cybersecurity field.
Key Discussion Points and Insights
Tim Swope’s Role as Interim CISO
[00:56]
- Swope steps into organizations when there’s a cybersecurity leadership gap or urgent risk issues.
- Focuses on assessing risks, processes, and tools, developing corrective action plans, and preparing for the next permanent CISO.
- “I walk in and the flag is hanging upside down and when they leave, the fort is corrected.” – Tim Swope [00:56]
Career Path into Healthcare and Cybersecurity
[02:16]
- Swope’s background includes a degree in economics and math, and early work in data science and business intelligence for life sciences and pharma.
- Entered healthcare cyber through working on federally funded collaboration programs and standardizing cybersecurity requirements for hospitals serving Medicaid populations.
Evolution and Use of AI in Healthcare Risk
[04:24]
- Discusses the dual nature of healthcare institutions connected to universities that are often eager to adopt AI, contrasting with healthcare’s stricter patient data requirements.
- Highlights “augmented intelligence”—AI used to support, not replace, human judgment.
- “When everybody’s looking at the greatest tools, the tools actually give us this information ... that’s actionable intelligence.” – Tim Swope [05:13]
- Current real-world AI use cases: IBM’s cancer imaging; Swope leverages quantitative risk analysis and actionable intelligence for decision-making.
Digital Transformation and Ongoing Cyber Risks
[07:31], [08:52]
- Swope discusses the tension between security and usability: “If I had my way, we might be on dumb terminals right now… But we can’t do that.”
- Patient data sharing (due to the Cures Act) is necessary for care but increases risk; focus is on “control effectiveness,” monitoring, and balancing safety with operational needs.
- “My business is the patient safety, security, privacy business. It’s not the convenience business.” – Tim Swope [08:10]
Relationship-Building and Partnering with Stakeholders
[09:04], [09:39]
- Strong collaboration with privacy officers and operational leaders is essential.
- “I am not always going to be in agreement with the CIO. This is to make operations move. Mine is to make them safe, and Karen’s is to lock us down … but when you work together, you can manage risk.” – Tim Swope [09:10]
- Advocates for direct human connection with clinicians and researchers—even in remote environments.
Top Cybersecurity Priorities at University of Chicago Medicine
[10:27]
- Identity and Access Management (IAM), especially Privileged Access Management (PAM).
- Addressing credential harvesting/escalation.
- “You need to understand what would happen in the event of a privilege escalation and how you can see that.” – Tim Swope [10:37]
- Fast, sometimes drastic, incident response: “There’s power in that... I do things that ask for forgiveness later. But you have to be willing to block things that don’t look right.” [11:09]
- Endpoint protection and constant reassessment of rules, training staff for quick and effective response.
- Recognizes the persistent threat of phishing and insider risk—emphasis on “frequent flyers,” those prone to security mistakes.
Human Factors and Risk Culture
[13:36]
- Hesitates to use punitive measures against high-profile staff, preferring counseling: “The top cardiologist ... pays my check. It’s usually not good to have punitive damages … I counsel them.” [13:36]
- Stresses continuously training staff and “watching” habitual offenders to reduce risk.
Notable Quotes & Memorable Moments
- On Big Picture Risk Management: “When you stand back, what do you see? The whole picture. So that’s what I do. Standing back from the organization allows me a little bit of ability to see the picture that others don’t.” – Tim Swope [01:47]
- On AI in Security Operations: “We have more alerts coming in every day ... correlating those alerts is very tedious. That’s where AI will come in … but there are some decisions we have to make ourselves.” – Tim Swope [06:40]
- On Clinical Collaboration: “You have to be socially connected … I don’t email them, I call them up, I meet the main users or the main people that I need to secure down.” – Tim Swope [09:54]
- On Responding to Risk: “You block instantly. That stops the bleeding, it stops the risk till you can remediate or investigate it.” – Tim Swope [11:14]
- On Interim CISO Power: “When I come in as an interim, I don’t have to worry about being reelected…” – Tim Swope [11:02]
- On Learning and Staying Relevant: “To stay in this game you have to always be relevant. You don’t understand it until you fell behind.” – Tim Swope [19:51]
- On Life and Risk: “Life is risk. Everything we do is risk. It’s just how you identify it.” – Tim Swope [17:04]
- On Cross-organizational Collaboration: “Some hospital systems ... think this is secret sauce. It’s the same for all of us. If we do this together as a consortium, we’re gonna know how these risks get remediated.” – Tim Swope [18:53]
Practical Advice & Takeaways
For Building Relationships with Clinical and Research Staff
[09:39]
- Be visible and approachable: prefer calls and face-to-face interactions over email.
- Understand the value and context of the work clinicians and researchers are doing, particularly when enforcing controls.
Managing Cybersecurity Priorities
[10:27 – 13:36]
- Implement robust identity and privileged access management.
- Prioritize rapid incident detection and response—even if it temporarily blocks operations.
- Continually reassess security rules, tools, and staff readiness.
On Education and Career Development
[22:26]
- For aspiring cybersecurity professionals:
  - Gain hands-on experience in IT infrastructure and networking.
  - Pursue meaningful internships.
  - “You gotta know something in order to consult about something … in order to be able to secure things, you have to know something about that.” – Tim Swope [22:26]
On Personal and Professional Growth
[19:51]
- Stay current to remain valuable in the field.
- Use automation to create space for continuous learning.
Lighthearted and Personal Moments
- Tim jokes about “winning a prize” for being the 100th guest—“I think someone knocks on your door and gives you a cake or something.” [00:44]
- Shares his passion for restoring an 18th-century home in Maine [13:56–14:59].
- Tells a risk management parable involving car versus house payments: “You can live in your car, but you can’t drive your house to work.” [15:14]
- Explains the Cantonese symbols for “risk” as “danger and opportunity” [16:18].
- Favorite movies/music and his Red Sox fandom discussed in closing banter [20:33–21:52].
Notable Timestamps
- 00:56 — Swope explains the interim CISO role
- 02:16 — Swope’s background and path into healthcare cyber
- 04:24 — AI in healthcare and risk management
- 08:10 — Balancing convenience and patient safety
- 10:27 — Current top security priorities
- 13:36 — Handling “frequent flyers” in phishing attacks
- 15:14 — Risk management advice (“car vs house payment”)
- 16:18 — Cantonese concept of risk: “danger and opportunity”
- 19:51 — Hardest lesson: staying relevant
Final Reflections
Tim Swope’s candid discussion highlights the realities and complexity of managing cyber risk in healthcare. He emphasizes actionable intelligence, pragmatic incident response, the importance of business relationships, and staying ahead of evolving threats—always with a keen sense of both the technical and human dimensions. His approach is collaborative, practical, and grounded in decades of experience, offering rich insights for cybersecurity professionals across healthcare.
For more on cyber risk and patient safety, visit censinet.com.
