
Loading summary
Tim Swope
Foreign.
Ed Gaudette
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudette.
Welcome to the Risk Never Sleeps podcast in which we learn about the people that are on the front lines delivering and protecting patient care. I'm Ed Gaudet, the host of our program and today I am pleased to be joined by Tim Swope, the interim CISO at the University of Chicago. And welcome. This is the hundredth episode of the Risk Never Sleeps podcast. You are the hundredth participant. This is.
Tim Swope
Looks like I might win a prize for that.
Ed Gaudette
I think someone knocks on your door and gives you a cake or something. I'm hoping anyway, they show up soon. I'm just kidding. All right, so let's start off with. Tell our listeners about your current role in your organization Now.
Tim Swope
The current role I have is now is an interim ciso. So what that is. Often I go into an organization when they either a CISO has left. There's been some issues that they need to have remediated. A lot of them center around risk. So I go in and I assess the risk, their cyber posture and put together plans, capital corrective action plans and sometimes training. I look at people process and the tools they have in order to make sure that when I leave and my goal is that I do have to leave, I usually stay for anywhere from five to six months and when the next CISO comes in, and usually I work with them for a month or two for transition, but then they have a clean slate. I walk in and the flag is hanging upside down and when they leave, the Ford is corrected. So that's a little what I do for a living.
Ed Gaudette
Excellent. So that must give you the opportunity to see a lot of things.
Tim Swope
It does, it does. And I also take on it. I take a real objective eye because objectivity made you based on evidence. But one of the things I told people is, and everybody listening to the podcast might not be as old as I am, but they. Our parents told us not to look at the TV because all you saw was dots. The thing is, when you stand back, what do you see? The whole picture. So that's what I do. I'm standing back from the organization allows me a little bit of ability to see the picture that others don't.
Ed Gaudette
That's great. Tell our listeners how you got into healthcare and how you got into it.
Tim Swope
One of the things is I actually have a. A degree in economics and math. And right now I probably couldn't get a job at Starbucks with that the way and I studied Fortran in college at Indiana University. So yeah, the thing is things have changed immensely over the years. I've actually have 28 years in life sciences. I started off as a data science scientist. I worked with companies like Thomson Reuters Health, which is now Truman Reed Elsevier. And I was often. I did a lot of business intelligence work for pharmaceutical companies within the 90s and the 2001 thing that was interesting that happened from a pharmaceutical standpoint. Of course they had GXP requirements almost and they were very heavy regulated just like health hospitals and such. We and I'm going to date myself again they called it information assurance. Right. And so they didn't have the term cybersecurity. None of us did at that time as things were moving ahead. And you looked at from a data science standpoint. Now they do it for patient analytics at different levels of aggregation. Those became security levels for what details you could see on a. You would say now in. I say now in healthcare patient. But back then they were doing clinical trials. So they are under the same requirement. So I leverage that to assist healthcare organizations from a cyber standpoint. I got started with many. I've worked with over five large health systems, New York City Health and Hospitals, Northwell Catholic Health, Stony Brook, to name a few. And there was a program about. It was probably around 2014, it was called District Delivery System Reinvestment Incentive Program, Federally funded program to see how hospitals could work together for Medicaid population, reduce emergency room visits. What that required was that you had a standard cybersecurity requirement from the Department of Health. And that was my entree into really working from this capacity with health systems.
Ed Gaudette
Wow, excellent. And so you mentioned data science early on in your career. Lots changed in that that area. How are you thinking about and how are you helping University of Chicago and others as they think about introducing artificial intelligence, gen AI and other capabilities in their organization.
Tim Swope
Our organization is very interesting too because you have University of Health, you also had Texas University Harvard unit. So one thing is we're all connected with a university and the university loves AI. Plus they don't have as many requirements. We do healthcare, we're very. We have risks around using gender, AI and learning models that are outside the organization because then you have patient health issues and issues. One of the things I do say is we will adopt it sooner or later. In fact, IBM has, they've used AI, we call it assisted intelligence. When you look at the cancer cells, they'll take a picture of they got 476 million plus pictures of it. And they're able to see if you need a second opinion. So we've been doing assistant. They've augmented intelligence. One of the things that I'll be honest, which I use from a cyber standpoint and risk standpoint is actionable intelligence. When everybody's looking at the greatest tools, the tools actually give us this information and that information will say, and as we're talking about risk, this might be a risky endeavor. And sometimes we use quantitative analysis. Everybody does one of these. That's a one, maybe that's a two. And everybody understands the whole thing. The likelihood, the, the impact of the organization. You have to have something behind those. That's the first thing. The other thing too is how do they factor up your control effectiveness? In other words, a very high risk. But I have very good controls becomes a lower risk. I'm in healthcare, I'm going to triage the highest ones first. And so that quantitative analysis allows us to look at a different way. Now that's actionable intelligence so that I can make operational decisions.
Ed Gaudette
I love that you can manage the residual risk in a way that allows you to focus on those things that matter that might be more risky that.
Tim Swope
You haven't been looking at. We really never. It's incumbent upon the work that we do. We have risk everywhere in our health care. In fact, I try to break it down to things. We have enterprise risk, large organizational risk. We have some ad hoc rests and these come up all the time. People sending patient information potentially through their hot minute or they could put a thumb drive. But you don't block the U.S. those would be ad hoc risks. And then you have vendor risks. All those three, when you look at a Venn diagram of them, they center upon a risk posture. However, you can pull them apart and analyze them separately and that shows where your real risks are coming from an organization. So again, those are actionable intelligence. I always hate to pivot from the AI. I'll be honest, in my world right now, guynet is not fully aware. Right. We're getting there. We're going to learn how to use it. But again, it will most likely be from a standpoint. We have more alerts that are coming in every day. So use tools that give you certain types of event alerts. We correlating those alerts is a very tedious business. And that's where that AI will come in. Is it going to. There's some decisions we actually have to make ourselves. A lot of people can say, I can identify anomalous behavior in months in your organization, you've never worked in our hospitals. Not only that is they're all different from the earth. You really have to have that human intervention. And then the AI really is augmented intelligence trust right now.
Ed Gaudette
I love that. And you got to be able to connect with the business to communicate the differences and help them make the decision about taking on risk.
Tim Swope
There's so technology. Yeah, I tell we just have a new cio. I've worked with a our older CIO in a couple different places and he understands my way of working. But if I had my way, we might be on dump terminals right now. I'm just saying. But we can't do that. In other words, you can secure things. If you can lock everything down, you can't operate as a hospital. Now we have things like the Cures act, not the CARES act, the Cures act, which actually is giving patients more information, freely opening things to them. A huge risk is digital transformation. People have to understand it's a first time for many people that they've actually had to get data outside of their four walls. There's a risk. Now what we have to do is have control effectiveness to mitigate it, because that risk will always be there. And then we actually monitor it. And one of the things we can't forget is monitoring that risk and monitoring the activity. That's a key thing that we have to do. Is it easy? Who was a Kennedy said, we go to the moon not because it's easy, we go to the moon because it's hard. I tell people that my business is the patient safety, security, privacy business. It's not the convenience business. There are risks and is sometimes we have to accept some of those risks, but moderate them because you actually have to make patient care effective, efficient, and sometimes easier on the doctors to perform it more quickly.
Ed Gaudette
Yeah, that's a great point.
Tim Swope
One of the things I always say. I work closely with our privacy officer, Karen Haberkost. In fact, I think she was on one of these.
Ed Gaudette
She was, yes. We love Karen.
Tim Swope
She's blessing for me because she actually knew as an interim you really have to rely on the people in the organization. I'm not going to find out everything myself. But the other thing is I am not always going to be in agreement with the cio. This is to make operations move. Mine is to make them safe, and Karen's is to lock us down if I failed in any of those attacks. When you work together like that, I think you can manage risk. And I think that's the biggest thing we have to do is how do we manage it?
Ed Gaudette
That's great advice as you think about that. What advice would you have to listeners that are trying to build relationships with those clinicians and other business leaders?
Tim Swope
One of the things too is we have a research area and we have to be very visible to them. I have to everybody during COVID we were like physically dispersed. We were like socially distancing too. We have to be, we can be physically distanced from folks and a lot of people work remote but we have to be socially connected. In other words, I don't email them, I call them up, I meet the main users or the main people that I need to secure down. And it's interesting when sometimes you get research folks and they really need to put that thumb drive in, carry that everywhere they go and sometimes you have to ask them how important is that research, your lifetime research, what is the value of you losing that or retaining it? And that's with there I said that's where I come and I partner with them on that.
Ed Gaudette
That yeah, that's excellent. What are your top three priorities that you're currently managing at the university?
Tim Swope
Oh, one of the things that everybody is looking at is identity access management really from a privileged access management standpoint it's usually a huge risk for everybody. There's, it's there, there's tools, there's there the plethora of things to, to use. However, you have to understand what you're doing. In other words, you have an, the ability for hackers now to come in and do a credential harvest, credential fetch. How are you going to stop that? You need to understand first of all what would happen in the event of a privilege escalation and how you can see that. So those are the things we monitor, we identify and then put processes and rules in place to literally stop things from happening. One of the key things that people don't do and I always tell people when I come in as an interm, it's like a one term president, I don't have to worry about being reelected. That's right. And so there's a lot of things I could do. So there's power in that. There is actually. There is power in it. So I do things that ask for forgiveness later. But people have to, you have to be willing to block things that are not, they don't look right. You can investigate them later, re enable people but you better be prepared to block instantly. That stops the bleeding, it stops the risk till you can remediate it or Investigate it. That's what some of the other things we're doing is. Obviously you have endpoint protection, but if you look at have you had an incident, we have events. Anybody that has health care, other industries, we get over 10,000 events that we block them. You have to identify what you block. You have to keep watching them, understanding anomalous behavior, tracking that. One of the key things is really understand the tools that you have to block it. Reassessing your rules all the time and then having the staff be able to respond to them quickly. I ran track at Indiana University and I coach Sam Bell used to say, he said, I'm going to train you like others won't. So you'll react how others can't. And we have to do that with our staff too. It's still human beings running the tools. So those are some of our large priorities. And then again, some of the ancillary things, it's. There's always. You have outside threats. You have to understand that a patient record is very valuable and you have to track insider threats. Also, sometimes people are doing things they're not supposed to do that could cause problems. Sometimes it might be nefarious behavior, but innocent behavior. Like I'm taking my home thumb drive and going to put it in. I just happen to have a freeware version of Adobe that has a back door ransomware on it. And these things happen. We block those now and again. Also there's fishing. You can, to be honest with. You'll get down to about. If you can get under 10%, you're good. You're going to have your frequent flyers, which we always have, they'll click on anything you send them, you retrain them and it still doesn't work. So then you watch them. The other thing too is those usually are the first vector for an account takeover. And you have to have those controls in place to identify. Those are the things we look at till they're fully remediated, we monitor. And at that time, once they're fully remediated, we're going to monitor something else. I'm going to the next patient in.
Ed Gaudette
A sense, with those frequent flyers, some organizations will tie punitive recourse. Have you thought about that or have you done that in the past or what do you.
Tim Swope
Yeah, the top cardiologist that brings in the money that pays my check. It's usually not good to have punitive damages on those. I like to counsel them. I contact them and counsel them. Yes, I love that.
Ed Gaudette
Always pragmatic. You always have pragmatic approach to things. If you weren't in this role, what would you be doing outside of healthcare and it what's your passion?
Tim Swope
See the boat right here?
Ed Gaudette
I did, I did.
Tim Swope
My wife and I actually have bought a home up in or Maine and it's in New Harbor, Maine. Oh I hope this doesn't bring a lot of people there because it's a beautiful small town. Pemaquid Lighthouse 1 is the third oldest lighthouse in the United States. I think is at the point. And I work on a house that was built in 1780.
Ed Gaudette
Nice. Now where is it? Up by Booth Bay or.
Tim Swope
Bay Harbor. In fact it's off the road to Damascada. Like I said I'll stop there. I don't want people coming. Beautiful place to visit.
Ed Gaudette
Booth Bay is beautiful.
Tim Swope
The weather's beautiful. So what I do up there is I work on an old house that is and you'd be surprised. They built these things really good Bob.
Ed Gaudette
So yeah, no they'll last the tell.
Tim Swope
That the walls forever are logs and then they put clock boards on them. They were the original log cabin. And then the rather than plaster it is lime crust up shells. Oh and mixed with clay and so it's like concrete. So this will last forever. I'll and we're the only third gener third group family that's owned it.
Ed Gaudette
Really?
Tim Swope
Wow.
Ed Gaudette
That's incredible. I won't be seeing on Airbnb, will I?
Tim Swope
No. Okay. Still I stay here and I'm not sure, you know I like to know who slept in the back. So there you go. There you go.
Ed Gaudette
If you could go back in time, what would you tell your 20 year old self?
Tim Swope
Well, I did give some advice to my son one time. I had two older sons. A 27 year old, 24 year old. I have a four year old daughter. But before the one was getting married somebody asked me what advice would you give him? I said if you've got a car payment and a house payment and you can only pay one, you pay your car payment. He said why? I said because you can live in your car but you can't drive your house to work. So you mitigate those risks of debt somewhere.
Ed Gaudette
I like that.
Tim Swope
Okay.
Ed Gaudette
So that's what you tell your 20 year old self. What's the riskiest thing you've ever done?
Tim Swope
I'll tell you. My wife is the used to be the conservative the Asian art collection to met. She had no idea what I did for a living. So I brought her to a risk conference and one of the things I will say and it's very interesting. She speaks fluent Cantonese. And when I was discussing this with her on the plane, she says in Cantonese, risk. And this is very good for people. You could use this in any presentation. She said risk in Cantonese is loosely translated to crisis. But it's two signal, it's two symbols, danger and opportunity.
Ed Gaudette
Right.
Tim Swope
So I'm like writing another slide on the plane. Anyways, it ended up. But if you think about it, if you identify the danger first, proactive risk management, it's the only time you have the opportunity to remediate. Anyway, I brought her there not knowing that she was. I needed a good opening. And my second slide was picture of our wedding. And I said a little bit more about me. I got married last month. She's sitting right back there as her face turned red and she looked quite angry. And I said in full disclosure, this is my second marriage, so I'll let you know if this risk management stuff works out in a personal standpoint. And that was the riskiest thing I think I ever did.
Ed Gaudette
I love that and I love the Cantonese. The opportunity in danger. Because if you don't take risk, obviously you miss out a lot of opportunities. So.
Tim Swope
And life is risk.
Ed Gaudette
Life is risk.
Tim Swope
Everything we do is risk. It's just how you identify it. There's a lot of people in our business that they wait for an auditor to tell them the risk findings. Right. I'll be honest with you. They're going to be the same ones that they find everywhere else. So it's. They're not uncovering anything really special. You can only find those risks when you work there. You work with somebody, you interact with people. Again, I've. I'll be honest with you. I've done a presentation with my old privacy officer, Leslie Giglio. Although, sorry, she's probably so maybe she'll hear this, but her and I also got along very well. And I did a group co presentation and I asked CISOS how many of them work closely or even know your privacy officer. Very few of them raised their hand.
Ed Gaudette
Yes.
Tim Swope
The thing is, the risk comes to privacy after the fact. Right. But they see it from a different lens than we do. The risk from other people, from a different view. So you really have to understand who's in your organization. On one, like the Holiday Inn thing. I'm not a doctor, I play one on tv. I'm not a clinician. But I do work with them closely because they know the inherent risks and other things they do too. That's right. And the risks that are involved. If I make things more encumbrance to them, make it harder to get into something. Yeah.
Ed Gaudette
And you're the benefactory of that in so much as you're a patient. We're all patients. Right. So we all understand the give and take as it relates to risk in healthcare.
Tim Swope
So that's. Those are some of the things we have to really. You have to look for the risks. And now I'll be honest with you, I do bounce around to different hospitals. Like I said. Mainly there's a couple reasons why people out there look for a ciso. Someone retired, maybe they let them go or unfortunately they just didn't have one. Or someone who was doing a dual role, which is very hard to do these days.
Ed Gaudette
Yes.
Tim Swope
That dual role. So what I get to see is a lot of different scenarios. Unfortunately, I'm seeing the same risk over and over. So I'm trying to evangelize and maybe through podcasts like this, there's things that we should do as a group. Some hospital systems, some people in other areas of healthcare, life science, think that this is secret sauce for. It's the same for all of us. And if we do this all together as a consortium, we're gonna know how these risks get remediated. And I think that's what I'm trying to do in my second act here of my life. Play my second act is to get this out and say you guys aren't unlike everybody else and this is what's been successful. And let me help you walk.
Ed Gaudette
And how are you representing that? In a book or, you know, writing. Writing a book.
Tim Swope
I've written some articles. I teach a privacy and security lecture every now and then through Columbia University, so. But a lot of what I do is actually go into the health systems themselves.
Ed Gaudette
Couple last questions. Hardest lesson in your career?
Tim Swope
Hardest lesson in my career. I don't think there's the hardest. It was one best learned is the fact that in order to stay in this game as long as I had have you have to always be relevant. That's a huge lesson because you don't understand it until you fell behind. Yeah. And then you realize that I keep telling everybody tomorrow is when you start learning what you should learn today. And it's constant. One of the things I do tell when I do the people part of what I say, I will help even through automation. Maybe cut down the hours and the time that you work. And in that next free time, you best start studying for the next attack.
Ed Gaudette
Exactly.
Tim Swope
Yep. Yeah.
Ed Gaudette
Work that top of license for sure. Movies or music if you're on a desert island, you could bring five. What would they be? Or three. Or two.
Tim Swope
Oh, wow. Movies. Definitely the. The Natural. I'm a Robert Redford fan because the Sting is pretty good. Yeah. Movies. I'd probably actually. Music. Maybe hope that Eric Clapton was sitting there with me and Cloffner. So. Yes. And then one more. I'm gonna have to say this. The movie of my wedding. I made my wife watch this, so.
Ed Gaudette
She'S been mentioned twice, so I hope she does watch it. So you brought up the Natural. Are you a Mets or a Yankees fan?
Tim Swope
I used to live in Boston. I'm the only guy. That's nasty.
Ed Gaudette
You're a Red Sox fan?
Tim Swope
Yes. In fact, a good friend of mine, Martin, is a very big Yankees fan. Another one is. Mine is a Mets fan and I sit right between them and let him argue. I grew up in.
Ed Gaudette
I grew up in Connecticut, which is the halfway point between the Bronx in Fenway and.
Tim Swope
So I live in the greater New York City area. You did? Yeah. And so even though I'm up in Maine now, but. So, yeah, I go to both.
Ed Gaudette
Oh, very nice.
Tim Swope
Yeah. Yeah. I say I go to whoever gives me the free tickets. There you go.
Ed Gaudette
Maybe we'll have to catch a Red Sox game days.
Tim Swope
That would be fun. It is one of the last old school ballparks.
Ed Gaudette
Yes. It's special, there's no question. Hopefully it stays that way. Yeah, I'm good.
Tim Swope
I was going to say, nothing like seeing someone hit one off the Green Monster. Yeah.
Ed Gaudette
And they look like they're clawing their way back to a wild card.
Tim Swope
I lived in Watertown after college.
Ed Gaudette
Oh, you did?
Tim Swope
Oh, it was a lot different than it is today, trust me.
Ed Gaudette
Did you go to the New York Diner? Do you remember the New York Diner?
Tim Swope
Yeah, yeah. Now, those same apartments are like $5,000 a month or something, and it still looks the same. Yeah, yeah.
Ed Gaudette
Where did you go to school? Did you go to school in Boston or.
Tim Swope
I went to Indiana University.
Ed Gaudette
Oh, Indiana.
Tim Swope
I went there to work there after. After. And I'm Portland, Maine. Got it. Got it. Portland, Maine's like a mini Boston.
Ed Gaudette
It is, it is, yeah. Very similar. Last question. What advice would you give to kids coming out of school that would like to pursue profession in cyber IT, healthcare, etc.
Tim Swope
But one of the things is there are some schools that have cyber schooling. Right. But we all know the cissp. You take it, you pass it, and to get it, you have to have some referenceable background. Look for some internships. But also, if you're going to go into the cyber world, you can't really do it unless you understand the infrastructure architecture, networking side. Those are the pieces that we try to secure. If you go that route and then you can move into the cyber world, you actually know what we're protecting, you understand a little bit about it and you can get that referenceable requirements that you need to finish those to get those certifications. It's all those people that come out of school and they're going to be a consultant. But you got to know something in order to consult about something, right? So in order to be able to secure things, you have to know something about that. Right? That would be the best advice I would give to somebody coming out. It's, it's almost that becomes your internship or your almost like your pre work requisite for cybersecurity.
Ed Gaudette
I love it.
Tim Swope
I love it.
Ed Gaudette
Tim, thanks very much for your time.
Tim Swope
Thank you very much.
Ed Gaudette
This is Ed Gaudette from the Risk Never Sleeps podcast. And if you're on the front lines protecting patient safety and delivering patient care, remember to stay vigilant because Risk never sleeps.
Thanks for listening to Risk Never Sleeps. For the show, notes, resources and more information and how to transform the protection of patient safety, Visit us@cincinnat.com that's C-E N S I N E T.com I'm your host, Ed Gaudet. And until next time, stay vigilant because Risk never sleeps.
Managing Risk in a Digital Age: Perspectives on Cybersecurity and AI
Guest: Tim Swope, Interim CISO at University of Chicago Medicine
Host: Ed Gaudet
Date: October 3, 2024
This landmark 100th episode features a candid conversation with Tim Swope, Interim Chief Information Security Officer (CISO) at University of Chicago Medicine. The discussion centers on managing risk in today’s digital healthcare environment, with an emphasis on cybersecurity, artificial intelligence (AI), and fostering collaboration across healthcare organizations. Swope shares his experiences as an interim leader, key priorities in cyber risk, viewpoints on managing AI adoption, and practical career advice for those entering the cybersecurity field.
[00:56]
[02:16]
[04:24]
[07:31], [08:52]
[09:04], [09:39]
[10:27]
[13:36]
On Big Picture Risk Management:
“When you stand back, what do you see? The whole picture. So that’s what I do. Standing back from the organization allows me a little bit of ability to see the picture that others don’t.” – Tim Swope [01:47]
On AI in Security Operations:
“We have more alerts coming in every day ... correlating those alerts is very tedious. That’s where AI will come in … but there are some decisions we have to make ourselves.” – Tim Swope [06:40]
On Clinical Collaboration:
“You have to be socially connected … I don’t email them, I call them up, I meet the main users or the main people that I need to secure down.” – Tim Swope [09:54]
On Responding to Risk:
“You block instantly. That stops the bleeding, it stops the risk till you can remediate or investigate it.” – Tim Swope [11:14]
On Intern CISO Power:
“When I come in as an interim, I don’t have to worry about being reelected…” – Tim Swope [11:02]
On Learning and Staying Relevant:
“To stay in this game you have to always be relevant. You don’t understand it until you fell behind.” – Tim Swope [19:51]
On Life and Risk:
“Life is risk. Everything we do is risk. It’s just how you identify it.” – Tim Swope [17:04]
On Cross-organizational Collaboration:
“Some hospital systems ... think this is secret sauce. It’s the same for all of us. If we do this together as a consortium, we’re gonna know how these risks get remediated.” – Tim Swope [18:53]
[09:39]
[10:27 – 13:36]
[22:26]
[19:51]
Tim Swope’s candid discussion highlights the realities and complexity of managing cyber risk in healthcare. He emphasizes actionable intelligence, pragmatic incident response, the importance of business relationships, and staying ahead of evolving threats—always with a keen sense of both the technical and human dimensions. His approach is collaborative, practical, and grounded in decades of experience, offering rich insights for cybersecurity professionals across healthcare.
For more on cyber risk and patient safety, visit censinet.com.