Risk Never Sleeps Podcast
Episode #102: "Ransomware, AI, and the Future of Cybersecurity"
Guest: Hugo Lai, Chief Information Security Officer at Temple University Health System
Host: Ed Gaudet
Date: October 17, 2024
Overview
In this episode, host Ed Gaudet interviews Hugo Lai, CISO at Temple University Health System, to explore the evolving landscape of cybersecurity in healthcare—highlighting the challenges posed by ransomware, AI adoption, and talent shortages. The conversation balances Hugo’s personal journey and reflections with practical insights into healthcare IT security, governance, and the unique mission behind healthcare cybersecurity.
Key Discussion Points & Insights
1. Hugo Lai’s Professional Background and Journey
[00:46 – 02:16]
- Started as a security consultant for government health agencies, focusing on penetration testing and risk assessment.
- Transitioned to healthcare to avoid heavy travel, building a two-decade career in the sector.
- Consulting exposed him to diverse environments, accelerating his learning:
“I honestly enjoyed my consulting base because those are typically short engagements and I get to work with many different clients in different environment and I certainly learned a lot from each of these engagements.” (Hugo Lai, 01:54)
2. Top Security Priorities in Healthcare
[02:16 – 02:49]
- Preventing ransomware attacks remains paramount.
- Building business resilience in the face of cyber threats.
- Strengthening the third-party business assessment program to manage vendor risk.
“Certainly helping the organization to prevent ransomware attack. That's definitely very high up on my radar.” (Hugo Lai, 02:24)
3. Responsible AI Adoption and Governance
[02:49 – 05:18]
- Temple Health has established an AI Committee to guide adoption and governance.
- Approach is cautious and measured—prioritizing security assessments and vendor-led solutions.
- Emphasis on minimizing risk with large language models and integrating AI seamlessly into clinical workflows to prevent fragmentation.
- Focus on building the right infrastructure before scaling AI use:
“We are carefully evaluating as of which areas that we want to start utilizing AI… At the very beginning, I want to make sure that we're setting up the right infrastructure with the right configurations and we understand the security risk that comes with the technology.” (Hugo Lai, 03:36)
4. Key Challenges: Talent and Innovation
[05:18 – 06:17]
- Attracting and retaining cybersecurity talent is increasingly difficult due to rapid tech innovation and concurrent projects:
“There's a lot of demands. We're trying to go through many different technical projects at the same time… finding the right talent to help us resolve some of the… projects… is challenging.” (Hugo Lai, 05:40)
- The health system partners with the university to help bridge the talent gap.
5. Personal Passions and Self-Reflection
[06:26 – 10:17]
- Hugo is passionate about Japanese fencing (kendo), practicing with his daughter. He draws parallels between martial arts and self-reflection needed in security leadership:
“It's not about beating your component, but really looking towards yourself and every single move is about how to perfect that… movement.” (Hugo Lai, 06:46)
“We normally start the practice with a little bit of meditation, so it also helps with the stress of the CISO life.” (Hugo Lai, 07:01)
- On advice to his younger self:
“Party less, study more… spend a little bit more time to understand myself a bit more.” (Hugo Lai, 07:25)
- Emphasizes the importance of understanding personal motivations, self-discovery, and aligning one’s career with genuine interests.
6. Musical and Cultural Tastes
[09:17 – 10:17]
- Describes himself as someone who embraces diversity and finds it difficult to pick a favorite genre:
“I embrace diversity. So there's not a one type of music or one genre of movies that I enjoy… I actually, I'm the type of person that will enjoy doing many different things.” (Hugo Lai, 09:19 & 09:54)
- Mentions classical music and jazz as genres he enjoys, especially in relaxed settings.
7. Hardest Lessons and Security Philosophy
[10:17 – 11:21]
- Biggest challenge: Translating cybersecurity best practices (like NIST frameworks) into actionable strategies aligned with business needs rather than just technical checklists:
“You have to understand whether it is actually bringing value to the organization and how to apply these security principles. And it took me a while to… connect the dots together.” (Hugo Lai, 10:42)
- Advocates for learning the business as much as the technical, seeing cybersecurity as a business enabler.
8. Advice for Aspiring Healthcare Cybersecurity Professionals
[11:52 – 12:56]
- Be prepared for long hours—but the work is rewarding because of direct impact on patient safety and protecting privacy.
“One of the differences in working in healthcare is that you get to feel the impact that you are bringing to the organization. You know, that you are protecting the patient's privacy or making sure that their information is being protected.” (Hugo Lai, 12:09)
- Gratification comes from seeing tangible results in patient care.
Notable Quotes & Memorable Moments
- On Ransomware:
“Certainly helping the organization to prevent ransomware attack. That's definitely very high up on my radar.” (Hugo Lai, 02:24)
- On AI Governance:
“We are carefully evaluating as of which areas that we want to start utilizing AI… At the very beginning, I want to make sure that we're setting up the right infrastructure with the right configurations and we understand the security risk that comes with the technology.” (Hugo Lai, 03:36)
- On Self-Reflection Through Martial Arts:
“It's not about beating your component, but really looking towards yourself and every single move is about how to perfect that… movement.” (Hugo Lai, 06:46)
- On Career Advice:
“Party less, study more… spend a little bit more time to understand myself a bit more.” (Hugo Lai, 07:25)
- On Aligning Cybersecurity and Business:
“You have to understand whether it is actually bringing value to the organization and how to apply these security principles. And it took me a while to… connect the dots together.” (Hugo Lai, 10:42)
- On Meaningful Cyber Work:
“The difference is that you can actually put a face to some of the patients as well. So I think that gratification is something that I enjoy the most.” (Hugo Lai, 12:20)
Segment Timestamps
| Segment | Timestamp |
|---|---|
| Introduction & Background | 00:00–02:16 |
| Priorities: Ransomware, Resilience | 02:16–02:49 |
| AI Governance & Cautious Adoption | 02:49–05:18 |
| Challenges: Talent & Innovation | 05:18–06:17 |
| Personal Passions & Reflection | 06:26–10:17 |
| Hardest Lesson: Business Alignment | 10:17–11:21 |
| Advice to Aspiring Professionals | 11:52–12:56 |
Tone & Takeaways
- Pragmatic, reflective, and collaborative: Hugo approaches each challenge by grounding it in both technical rigor and personal self-awareness.
- Highlights the unique fulfillment of protecting patient safety in healthcare—beyond mere technical job satisfaction.
- Drives home the importance of cautiously adopting AI, prioritizing the business value of cybersecurity, and understanding the “why” behind every security initiative.
Recommended for anyone interested in the intersection of healthcare, security, and technology leadership.
