A Healthy Dose of Compliance

It’s hard to have more experience with computers than Thomas “TJ” Johnson (ITM ’12).

His first job in the field dates back to 1990, when—as an entry-level systems support specialist for South Holland Bank in the Chicago suburbs—he wheeled the bank’s two hefty computers around on a cart, moving them from employee to employee before booting up a Lotus 1-2-3 spreadsheet program from a floppy disk.

“I remember days when I was trying to make people use email, and I was met with massive disdain. ‘Why would I do this when I can walk over to her desk?’ they asked me,” Johnson says, before adding that he was guilty of a similar sentiment at times. “I was on the internet way back when it was all text. I thought it was a complete waste of time.”

Still, Johnson remained an early-adopting techie, working his way up to become an information technology manager and later a vice president at what was then the largest bank holding company in Illinois. He became increasingly adept in cybersecurity, a practice he now oversees in an industry that many believe desperately needs it: health care.

“Compared to industries like finance, cybersecurity for health care is a greenfield industry. Compliance and regulations are relatively new, and they are not used to thinking about security first,” says Johnson, who is the deputy chief information security officer (CISO) at the University of Chicago Medical Center and its provider networks.

“HIPAA [the privacy law] is pretty new compared to banking regulations,” he adds. “I’m doing stuff [in compliance and regulation] at the medical center that I was doing 20 years ago at the bank...and the whole industry is like that.”

After working for two decades in the banking industry, including as vice president of information technology at the Chicago-based Metropolitan Bank Group, in 2012 Johnson was lured into consulting by firms that recognized the burgeoning need for cybersecurity specialists.

Aquiety and later Peters & Associates brought him on to build out their respective cybersecurity consulting programs to meet a growing demand.

“Companies at the time didn’t have a lot of cybersecurity in-house; it was mashed in with IT—the IT guys also built the firewall, managed antivirus software,” Johnson says. As a result, when companies—including Fortune 1000 companies and large banks—had to call in Johnson as a consultant, it was usually in reaction to a crisis.

“Nobody ever called me when they’re having a good day,” Johnson says. “I really cut my teeth on high-stress situations.”

Eric Dynowski, founder of Turing Group, a Chicago-based firm that advises clients on how to use public cloud storage, remembers when Johnson was referred to him to help an international client set up cybersecurity procedures.

“He was so good that after a couple engagements, we said ‘TJ, maybe you should work for us full-time.’ And he did,” Dynowski laughs.

Dynowski continues, “These compliance standards are huge—if you print them on paper, they would stack from the floor to the ceiling. Companies would say, ‘Oh my God, we can’t do this!’ But TJ is an approachable dude. He likes interacting with people—and he’s really good at breaking all that down and making it less threatening. TJ would disarm them and say, ‘Yes, we can tackle this.’”

As companies grow globally, Johnson says, his primary task is convincing them to adopt certified procedures, such as biometric access controls, to prove their compliance. More and more frequently, other companies won’t share data with them, or accept data from them, unless they do.

Johnson recently turned his focus to health care, getting his job at UChicago Medicine in 2024. “I knew the newly appointed CISO there and she was building out a team. Because I did a lot of health care as a consultant, she thought that experience would help her accelerate her strategy.”

He remembers when, as a consultant in the 2010s, he was conducting a HIPAA compliance assessment with a Chicago-based medical center, and the head of operations told him, “I could give a crap about HIPAA. It’s a flash in the pan, it’s a fad.”

“That was 10 years ago. I think we’re past the days of kicking and screaming. Because of the attention some of these attacks are getting in the news cycle, everyone understands how serious it is now,” Johnson says. The 2024 cyberattack on the Ann and Robert H. Lurie Children’s Hospital of Chicago was a high-profile wake-up call for many in the local health care industry, Johnson notes.

“All of a sudden board members are asking questions, and that’s great,” he says.

Still, getting outside vendors to adopt the medical center’s more stringent compliance standards as the cost of doing business with it can often take some wrangling.

Ultimately, though, basic vigilance is essential for anyone responsible for private data.

“Question everything,” he says. “A lot of the attack vectors are still email-based. Now we are also seeing texts asking for specific information. Sometimes I wonder, ‘How do people fall for these?’ But it happens every single day.” —Tad Vezner