In healthcare, cybersecurity decisions are rarely isolated technical discussions; they are deeply connected to patient care, clinical operations, research continuity, and human trust. Karen Habercoss has built her career at that intersection. As Vice President and Chief Information Security and Privacy Officer at UChicago Medicine, she leads security and privacy strategy across a highly complex academic, research, and clinical environment where resilience and operational alignment can directly impact patient outcomes. Her background spanning cybersecurity, privacy, compliance, behavioral science, and clinical social work gives her a distinctly human-centered approach to leadership, one focused as much on culture and relationships as technology itself.
That perspective makes her an especially compelling voice for CISO Diaries, a series exploring how today’s security leaders think, operate, and adapt behind the scenes. In this conversation, Habercoss reflects on the growing influence of agentic AI in healthcare, the challenge of balancing innovation with patient safety, and why security leaders must increasingly act as strategic partners rather than blockers. She also speaks candidly about leadership authenticity, mental well-being in high-pressure security roles, and the importance of building trust across clinical, operational, and executive teams before crises occur.
How do you usually explain what you do to someone outside of cybersecurity?
I describe the importance of placing patients at the center of our workforce’s ability to perform their clinical care, education, and research functions within our health system. My role focuses on leading and managing the strategy, operations, and risk to protect our systems, technologies, and data from external and internal malicious threats and to safeguard patient safety in these technological processes and practices.
What does a “routine” workday look like for you, if such a thing exists?
I don’t think there is a routine day. Most days are spent meeting with clinical and operational leaders at all levels, as well as staff and faculty, to understand business priorities. I also spend a fair amount of time informing management about current and future cybersecurity and privacy risks, identified trends, and regulatory obligations, and educating everyone.
I meet weekly with my direct reports and often with other members of my team to understand what they are experiencing in our environment. I use those meetings to then make shifts in our security and privacy operational priorities where needed.
What part of your role takes the most mental energy right now?
Most of my energy these days is spent around artificial intelligence, specifically agentic AI, and the emerging attack patterns. It’s also become a significant focus for me to stay connected to my leadership peers in information technology, clinical care, and operations regarding how they want and plan to use AI. The use of AI in healthcare is significant not only for gaining efficiencies but also for health data analysis and clinical decision-making support.
I co-chair the AI governance steering committee for my health system. This ensures my team has advanced knowledge of the health system’s vision, allows my team to gain oversight, and places emphasis on upskilling where possible and as needed. Security and privacy must identify new ways of performing tasks to address better the rapid scale and scope of what AI brings. It’s important for our system to remain resilient and for our patients’ care to be safeguarded as much as possible, without security or privacy being a blocker to progress.
What’s one security habit or routine you personally never skip? (Work or personal.)
Every workday morning before I start, I spend time reading about cybersecurity and privacy reporting, analysis, threat intelligence, or other highlights and insights since the previous day. On a personal front, I play pickleball after work as much as I can.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
I separate my work and personal devices and accounts. I use encryption and MFA wherever possible. I consistently update personal systems. I attempt to remove as much of my personal life as possible from the internet and rarely use social media. I block spam calls or texts as they come in.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
There are several books that have been impactful to me personally, and that I often recommend. They are:
- Trust. Responsible AI, Innovation, Privacy, and Data Leadership by Dominique Shelton Leipzig. This book does a wonderful job exploring AI and digitally responsible leadership.
- Healthcare Information Security and Privacy by Sean Murphy provides a great overview of best practices in the healthcare industry, specifically.
- Any book by Simon Sinek speaks to me, including Start With Why and Leaders Eat Last, because servant leadership is the style that speaks the most to me directly, and it’s how I personally lead.
- Also, Crucial Conversations by Kerry Patterson, Joseph Grenny, Ron McMillan, and Al Switzler. I recommend this book for new or emerging leaders. When you’re a new leader, the most challenging part of the job is working with the people around you and having difficult discussions.
In terms of influential leadership, the most important person resource in my own leadership journey has been a senior woman leader in my own organization who showed me that sponsorship is essential. It had a greater impact on my current career than any other direct supervisor or mentor I’ve ever had. She has been a tireless advocate for me, paved the way, and opened doors of opportunity for me to be represented by what I was capable of, long before many others knew what to expect of me.
What’s a lesson you learned the hard way in your career?
I don’t know that I learned this lesson the hard way, but the lesson that took me the longest to internalize was that no one expected me to know and have all the answers, every time, immediately. Others were aware of my leadership skills and performance before I could acknowledge them. It was acceptable to say “I don’t know, but I’ll find out,” to rely on others who knew more, and to be open to learning from them. Perfectionism ultimately undermines success and disrupts individual authenticity, a crucial aspect of leadership and moving forward. The times I wasn’t authentic to who I actually was were also the times I struggled in my career.
What keeps you up at night right now, from a security perspective?
The relentless nature of security keeps me wondering if what was done that day was ever enough. The constantly increasing complexities in the healthcare environment and the interconnectedness of the health ecosystem mean there are many things that can be outside your control or misaligned from a risk perspective, both internally and with the external third parties you depend on. The pace of technological change continues to accelerate, and regulations, skills, resourcing, etc., may not be keeping up as expected.
How do you measure whether your security program is actually working?
The best measure for me is whether my peer leaders understand and validate the cybersecurity and privacy risks I am discussing with them, and whether they carry that same message into meetings and rooms where I am not present. I feel especially effective when clinical and operational leaders see me as a partner in their strategic initiatives and engage with me well in advance.
What advice would you give to someone stepping into their first CISO role today?
The best advice I can give is to meet as many people as possible within the cybersecurity and privacy space and seek out those across all industries. There are so many ways to lead. No two people seem to handle security and privacy the same way. It allows you to gain diverse insights and, in turn, helps you understand how to build business relationships that will serve you well as a leader in your own organization.
What do you think will matter less in security five to ten years from now?
I think that security and privacy will become leaner operationally and will need to adapt to significantly increased automation.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Looking ahead, security teams may increase their focus on post-quantum resources and related threats to further increase resiliency. My hope is that security and privacy teams will increase focus on their own mental well-being in the context of their jobs. It can be an exhausting role, and without prioritization, mental well-being is easily an afterthought when it shouldn’t be.