Welcome to Risk Never Sleeps!
May 3, 2023

Episode #10. Embracing Risk for Healthcare Privacy with Karen Habercoss, Chief Privacy Officer at the University of Chicago Medicine

Privacy assessments must account for risk, not only compliance.

In this episode, Karen Habercoss, Chief Privacy Officer at the University of Chicago Medicine, discusses healthcare privacy as it relates to compliance, working with security teams, and taking on more risk for better protection. In healthcare, privacy work focuses on people's data rights, and working alongside security teams helps ensure that data is protected against incidents. Karen believes privacy needs to move beyond compliance alone into a risk-based model, adopting practices such as risk ranking and gap identification so the program becomes proactive rather than reactive. She also shares her views on leadership and on understanding employees so they can perform at their best.

Listen to this episode and learn about how risk can enhance privacy protection!

About Karen Habercoss:

Karen is a highly skilled senior healthcare compliance executive with more than ten years of experience in privacy program development and management, data privacy, and regulatory compliance.

She currently leads a diverse team of privacy and information security professionals within an academic, research, and clinical health system, its affiliates, and a community health and hospital division. Her focus is on strategy and risk mitigation, incident response, audit, education, governance, and third-party vendor contracting.

Karen is a strong proponent of privacy-security collaboration and of strategic efforts to mitigate entity risk. Her grounding in human behavior and relations enables partnerships across all business units.

Things You’ll Learn:

  • Privacy and security teams must strategize together to protect people's healthcare data.
  • Privacy-enhancing technologies have recently been on the rise.
  • As a Privacy Officer, knowing what is happening in every area of your organization is important.
  • One of the biggest challenges a leader faces is knowing the people they lead and what drives them.
  • In life, it is essential to consider all the information available when making a decision; that way it is one's best judgment.

Resources:

  • Connect with and follow Karen Habercoss on LinkedIn.
  • Follow UChicago Medicine on LinkedIn.
  • Discover the UChicago Medicine Website.
  • Check out Daniel Kahneman’s book Noise here.
  • Read more about the NIST Privacy Framework here.
  • Music by David Cosgrove, an accomplished composer, musician, producer, and engineer. Listen to his latest project, Del Piombo.
Transcript

RNS_Karen Habercoss: audio automatically transcribed by Sonix. This transcript may contain errors.

Ed Gaudet:
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet.

Ed Gaudet:
Welcome to the Risk Never Sleeps podcast. I'm Ed Gaudet, your host today, and I'm joined by Karen Habercoss, the chief privacy officer for the University of Chicago Medicine. Welcome, Karen.

Karen Habercoss:
Hi, Ed. Thanks for having me.

Ed Gaudet:
Absolutely. Well, we're excited to have you here today. We have a lot to cover, and we have a little bit of time, so let's get started. You've got a pretty interesting background. I think I read you were at the Joint Commission.

Karen Habercoss:
I was at the Joint Commission.

Ed Gaudet:
What did you do there? That seems eerie and spooky and scary. A little scary.

Karen Habercoss:
No. So let me go back even a little bit further.

Ed Gaudet:
Yeah, please.

Karen Habercoss:
So, prior to being at the Joint Commission, in a past life, I was actually a clinical social worker and I worked in psychiatry, so with people who had pretty severe mental illness, and with children. I have this sort of strange way that I moved into compliance, if you will. So for many, many years I worked as a clinical social worker at the University of Chicago Medicine, and then left there with a bunch of colleagues to go work for a new healthcare startup, and then went to work for the Joint Commission in the compliance department. So not just privacy, all things regulatory compliance on the Joint Commission side. They have the same types of compliance things we all have in healthcare; they're a business associate, obviously, to healthcare systems, so I was on that side of the fence at that point and learned lots of things about foreign corrupt practices and conflict of interest and privacy, privacy being one of them. And then I ended up going from there back to University of Chicago Medicine in privacy specifically. I realized privacy was the area of compliance that I wanted to specialize in. So that's how I got back to University of Chicago Medicine in privacy.

Ed Gaudet:
Interesting. Now, did the Joint Commission ever have its own data breach where they had to actually go through an OCR audit?

Karen Habercoss:
No.

Ed Gaudet:
I would hope the answer would be no on that. Very good. So you did a good job then, it sounds like. Excellent. Excellent. So.

Karen Habercoss:
I try.

Ed Gaudet:
Yeah. I'm always fascinated by the debate about privacy versus security.

Karen Habercoss:
Ah, good question.

Ed Gaudet:
Yeah, I'd love to hear some of that.

Karen Habercoss:
One of my favorite questions. So this is one area that I'm super focused on right now. And so I have this thought that privacy and security teams probably need to be jointly strategizing much more than they are. I actually think that in terms of risk, it decreases the level of risk for an entity when they're able to successfully do that. And I think they actually share a lot in common. I think privacy is really about the regulatory responsibility, and so is security to an extent. But what are the, in this case, consumers or patients? There are lots of different things going on in the privacy world right now. I think it covers all sides of the fence. And so when I say privacy, in my role, I'm talking about patients, I'm talking about employees, I'm talking about consumers, so people who come to us who are yet to become patients. In that vein, I think privacy is really focused around what are the rights, the data rights, of those people in any one of those areas, what data rights do they hold, and what are the regulations that surround the data protection for those people? How can we use and disclose or process data, you can call it a number of different things, but how can those things be adequately done under the law to serve the transparency of everything from the entity side and from the patient, consumer, or employee side? So I think that's what privacy does, and security is much more technical, I would say.

Ed Gaudet:
What's the working relationship like with the security team?

Karen Habercoss:
When privacy and security, like I said, work really well together, then you can strategize to do things in tandem: things like incident risk management, things like third-party risk assessments. A lot of times third-party risk assessments that the security team might do certainly influence the way that I might contract with a third party from a data protection side, or what data rights I might allow our internal users and external users to have, based on the risk behind that and the security that they have in place. And then I think there are even just small things related to data governance where people should be together, walking hand in hand, like how you message your two programs to your board of trustees. I think there are just so many areas, and we could talk about this much longer than the podcast, but that I think is really important. So teasing out what are the areas that the two groups can work together, and it's really everything. And privacy is really exploding now in terms of this whole area of privacy-enhancing technologies and how that works with the security team too, and the audits that are being performed on both sides. I think there's important information to be gleaned there as well in terms of what you're looking at.

Ed Gaudet:
Do you feel like there's a better understanding at the board level of privacy versus security?

Karen Habercoss:
Yeah, that's a good question. I think it depends on how it's messaged to the board. So I think it's really important for both to have a seat at the table with the board so that they can explain: this is what privacy looks like, as I just mentioned, in terms of this is the transparency we want to provide people, this is how we want to use our data, this is how we can do it, these are some of the risks involved. While the security person is also sitting at the table saying, here are the ways that we can technically control these things, or this is the governance that privacy and security have put together around these things to secure our organization. So I think it really depends on how savvy the board is and how it's messaged to the board.

Ed Gaudet:
Excellent. So we're going to switch here. We're going to talk more about your personal life.

Karen Habercoss:
Okay.

Ed Gaudet:
What are you most proud of? Over the last couple of years, we've all been through COVID, that was obviously a stress to all of us, but as we came out of it in 2021, 2022, what are some of your highlights of the last couple of years?

Karen Habercoss:
The easiest one maybe is professionally, right? I mean, I've moved our privacy program from just compliance-based to a risk-based privacy program. So that's super special for me from a professional standpoint. From a personal standpoint, I have successfully, and I don't know if I can take all the credit for this, but successfully managed to get my daughter graduated from college.

Ed Gaudet:
Excellent.

Karen Habercoss:
She's about to become a productive adult like the rest of us.

Ed Gaudet:
Yeah.

Karen Habercoss:
Taking on her first job and moving away, obviously, from the Chicago area into another state for this first job. And so I'm pretty proud of that.

Ed Gaudet:
Excellent.

Karen Habercoss:
That we've raised a pretty successful human.

Ed Gaudet:
Yeah. No, that's so important. We have three daughters and, you know, you give them roots and you give them wings, right? You have to really help them find their wings as they become adults, as they become, like you said, productive citizens. And is she close by, though?

Karen Habercoss:
So now she's back home, but she will be moving very shortly to Columbus, Ohio.

Ed Gaudet:
Oh, okay.

Karen Habercoss:
That's close enough.

Ed Gaudet:
Not too far, yeah.

Karen Habercoss:
... to drive, an hour flight, so.

Ed Gaudet:
That's the other weird dynamic that happens, I think, that we didn't experience as much. But our kids seem to go and come back and go and come back again often.

Karen Habercoss:
Oh, yeah. Well, yeah. I mean, that happens with college. I mean, that was the interesting thing. So she left to go to college and then COVID happened and returned home to finish college essentially from Zoom meetings.

Ed Gaudet:
Yeah, from Zoom meetings, which is such an awful experience for that generation.

Karen Habercoss:
I think so too. They've lost something.

Ed Gaudet:
So much. I know, I have a daughter who's a senior now, my last daughter and my youngest, a senior at Stevens Institute in New Jersey. And I just feel so bad for that class because she entered during COVID and her experience has been just so different from everybody else's experience.

Karen Habercoss:
I think that's true.

Ed Gaudet:
Yeah. Given the challenges and given the pressures certainly in healthcare, what keeps you up at night as a privacy officer?

Karen Habercoss:
Yeah, and I think from a general sense, the things that keep me up are the things I don't know about. What I don't know is probably what keeps me up at night. That's probably true for most people, though. The interesting thing is that I prefer when people tell me things in advance. And so I prefer when people ask me permission in my organization so that I can slow-walk things out when I can, or put mitigations in place, or tell them how this can best be done. And so I think what keeps me up at night is when people don't do that ahead of time and tell me when things are happening.

Ed Gaudet:
Yeah, exactly. No, I think that's right. Outside of healthcare and IT, what's your passion? What would you be doing if you weren't doing this?

Karen Habercoss:
Oh, gosh, I think I probably would be back in social work. So from a very young age, I wanted to be a social worker or a psychologist, something in therapy for people, in the clinical sense. And I never wavered, really. I took a psychology class in high school and then I never wavered. It was my degree in undergraduate, I took a master's in social work, and became a social worker in this very strange environment of a healthcare startup. You take a job, and the job I took was to manage social workers. But then, at a startup, you end up wearing lots of different hats, and compliance just happened to be one of those hats. And so that's how I made the switch. I'd probably go back to social work. I actually keep my social work license on the off chance that at some point I ever want to see people again from a therapy perspective.

Ed Gaudet:
Yeah, I know. Is it the dynamics of behavior that interest you?

Karen Habercoss:
Yeah. So one thing I'm super passionate about, well, two things, I would say. One of the things I'm very cognizant of is that everybody has a story. I mean, everybody comes from someplace, and it's almost always unique. People have lots of unique stories. That whole history that people operate from sort of defines who they are as an adult and the way that they operate in the world. And this is just fascinating to me, how people get that way, or why they make the choices that they make, or why they have the biases that they have, and so that sort of thing has always been of interest to me. The interesting thing, though, as the privacy officer, is that I use so many techniques that I learned as a social worker, in the same way, to understand why staff make choices the way they do or why they've made decisions to do certain things, especially when there's some sort of privacy incident. For example, you want to know, like, why did you do it that way? Or why did you make this decision? And so it really just goes back to that same thing. Everybody's got a story and there's a reason why. So incidentally, I'm reading this book now called Noise. I don't know if you've heard of this book before.

Ed Gaudet:
No, no.

Karen Habercoss:
Okay. I'll recommend it. It's by Daniel Kahneman. And it's really just about human judgment and how we're flawed, and how two people who are faced with very similar situations, in medicine, law, forensics, I mean, you name it, business strategy, when faced with the same types of information, make very different decisions. It's really just about the noise and things in their life.

Ed Gaudet:
Yeah, no, that is interesting. Similarly, leading teams of individuals and trying to get the best out of them, each individual is so different in response to different incentives, stimulus, whatever, right? And so it's.

Karen Habercoss:
Right.

Ed Gaudet:
Trying to tap into that and really understand it is always fascinating to me.

Karen Habercoss:
I think that's one of the hardest things in leadership, just knowing the people you're leading or the people reporting to you and, to your point, what drives them or what are they striving to do in their life. What's their background story?

Ed Gaudet:
The background is so, the etymology of an individual is so important, because you can tap into things that aren't necessarily on the surface. But by really understanding what's behind that individual, you can again help them live their best life, live the best version of themselves, whatever you want to term it. I love when that happens, though. That to me is like the, and I don't know if you've ever had this, but individuals that work for you or work with you come back years later and say, remember when you said this to me? Like, oh no, don't tell me.

Karen Habercoss:
Yes.

Ed Gaudet:
I hope it was good.

Karen Habercoss:
Because it has an impact either way. Things always stick with certain people, and something that you might not have ever thought twice about sticks with that person in some way because of something in their former life.

Ed Gaudet:
Yeah, exactly. All right. So given that, thinking back to when you were 20, what would you tell your 20-year-old self?

Karen Habercoss:
Oh, gosh. For me, I think it would just be to trust myself more. You know, it's one of the things I try to impart to my daughter sort of going out of the nest, if you will: you're not going to have all the answers, although you're going to think you do. But there is some level of trust that you have to give yourself, because I think you look at other people around you and you think, wow, they've all got it together. They have all the answers. And the reality is, probably nobody has.

Ed Gaudet:
Nobody has.

Karen Habercoss:
I don't even have all the answers anymore. Now I just feel more confident in myself saying, like, I don't have the answer. So I think to give yourself a little bit of grace in thinking that you're not going to have all the answers, but to trust that you're making the decision based on the information that you have, or you're making the best judgment you can at the time.

Ed Gaudet:
And I think that's so accurate, and it's so interesting. When I was putting together this series of questions that I was going to ask folks that came on, that was a question that I loved, but I had a different expectation in terms of what I was expecting people to say. And, you know, most everyone says something similar to what you just said.

Karen Habercoss:
Oh, okay!

Ed Gaudet:
And I just find that so beautiful, actually, because I had this like, you know, oh, I would have told myself to buy Microsoft stock, or I would have told myself to, you know what I mean, travel more. But I love the grace of getting back to yourself, of trusting yourself. It's okay. You've got time. I just think that's such a graceful view of one's previous self. I certainly didn't share it. I would have told myself not to be such an idiot and to be less of a lunatic.

Karen Habercoss:
Well, I'm going to think that's. And thing, right? Like, you're so hard on yourself. I mean, I'm pretty hard on myself now still. But I think, you know, you're sort of extra hard on yourself when you're younger, and there's really no reason to be. You don't have enough experience to be that hard on yourself.

Ed Gaudet:
Yeah, exactly. Well, I would be remiss if I didn't ask you this question because this is the Risk Never Sleeps podcast, so here we go. What is the riskiest thing you've ever done?

Karen Habercoss:
Oh, wow. So I am fairly risk-tolerant for a privacy officer, and I've done a lot of risky things. I would say probably the most recent risky thing is jumping out of an airplane, skydiving.

Ed Gaudet:
You did.

Karen Habercoss:
Yeah!

Ed Gaudet:
That's fantastic. When did you do that?

Karen Habercoss:
A couple of years ago. It was actually during COVID. Oh, yeah.

Ed Gaudet:
That's fantastic. Where did you do that?

Karen Habercoss:
It was probably about an hour away from where I live, so past the Chicago suburbs, even an hour out.

Ed Gaudet:
Okay. Do you know Karen Blanchett?

Karen Habercoss:
Yes.

Ed Gaudet:
So she, I don't know if you knew this, but she was part of a women's skydiving team.

Karen Habercoss:
No, I had no idea.

Ed Gaudet:
And they hold some records. It's like a world record she holds. She's going to kill me for saying this on the podcast.

Karen Habercoss:
Oh, wow. No, that's pretty cool.

Ed Gaudet:
Yeah. No, I've seen videos of her skydiving. It's pretty cool.

Karen Habercoss:
Yeah. Yeah. No, I definitely had the pictures and the video. You know, people would be like, did you really? And I'm like, I have.

Ed Gaudet:
So what was that like? Was it what you thought it would be? Because you trained obviously, right? So you.

Karen Habercoss:
Oh, well, not really. I mean, no, no. I mean, really, the training involves watching a video.

Ed Gaudet:
Really?

Karen Habercoss:
Like going up in an airplane.

Ed Gaudet:
That's it? Like watching the video?

Karen Habercoss:
The first time you go, you have to do a tandem jump. They're not letting you go out there by yourself. But yeah, the training was not nearly what I thought it was going to be. It was essentially a video, and then they talked to you, and then you jump out of an airplane. But it was fun. I don't recall ever being nervous about it. I wasn't hesitant about it. I mean, it was our turn to jump and we just went. And that was the end of it. I landed on my feet, so I was excited about that piece.

Ed Gaudet:
That's so awesome. Would you do it again?

Karen Habercoss:
I would, yeah, sure.

Ed Gaudet:
Well, you said you've done many risky things. Give our listeners one more risky thing.

Karen Habercoss:
Oh, gosh. I mean, I don't know that any are that much more risky. So whitewater rafting, hot air ballooning, not as risky as.

Ed Gaudet:
Well, hot air ballooning today is fairly risky. I'm not sure .....

Karen Habercoss:
So I hear. That was another one that I didn't think was any big deal. But I've talked to other people and they're like, wow, that's pretty risky.

Ed Gaudet:
Yeah, that's. Well, you could get shot out of the sky, too.

Karen Habercoss:
That's right.

Ed Gaudet:
You got to be careful if you.

Karen Habercoss:
That's right.

Ed Gaudet:
All right. Any last things you'd love to share with our audience about your career or about lessons learned in privacy or anything?

Karen Habercoss:
The best thing I can say is that it's really important, especially in healthcare for privacy right now. I think we are all pretty well-versed in HIPAA. It's been around for a really long time, and I think it's important for us to remember, now especially, that there are other things besides HIPAA in privacy that are probably very impactful to our organizations. And so I feel very strongly that we need to start looking at moving privacy away from just compliance into, really, just because this is the risk podcast, but for real, we need to start moving into sort of a risk-based model for privacy. And that includes doing all of the things that folks who work in security are very used to, right? Like identifying gaps and risk ranking and all of those things that, for folks in privacy, are really new to them for the most part. And using now the NIST Privacy Framework, which is kind of a novel thing for privacy and in healthcare. So I think that's the best advice I can give: start to shift your mindset away from just compliance to compliance and risk.

Ed Gaudet:
Yeah. I think those worlds are converging. It's a good thing. But I also think that their importance is elevating outside of the silos that they've been in over the last decade or so into much more enterprise-level concerns and focus, which is a good thing for everybody.

Karen Habercoss:
Right. No, you definitely, as a privacy officer, have to embed yourself in every area of your organization.

Ed Gaudet:
Right.

Karen Habercoss:
You're going to miss something if you don't.

Ed Gaudet:
Well, data is a lifeblood, as they say.

Karen Habercoss:
So they say.

Ed Gaudet:
But they say that so.

Karen Habercoss:
So they say.

Ed Gaudet:
All right. Well, Karen, I appreciate your time and joining the podcast today. Thanks again for your service and everything you do at the University of Chicago Medicine Center. And thanks to our listeners. If you're on the front lines of protecting patient healthcare and safety, we appreciate everything you do. And remember to stay vigilant, because risk never sleeps.

Ed Gaudet:
Thanks for listening to Risk Never Sleeps. For the show notes, resources, and more information on how to transform the protection of patient safety, visit us at Censinet.com. That's C E N S I N E T.com. I'm your host, Ed Gaudet, and until next time, stay vigilant, because risk never sleeps.