When Skip Sorrels, Director of Cybersecurity with Ascension Health, tells a clinician who may be frustrated with IT that he knows what they are going through, he means it. That’s because, in a past life, Sorrels served as an ICU nurse before moving to cyber. As such, he understands what it’s like to have a device or app go down in the middle of patient care, and also why some resist an application rationalization push that may seek to sunset their favorite tool. But Sorrels says such efforts are needed to drive towards standardization, without which costs go up and the ability to move clinicians around (and have them comfortable with the tools they encounter) goes down. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Sorrels discusses these issues, why he’s focused on cyber-hygiene over shiny new objects, and how he’s managed to create a sustainable work/life balance.
Anthony: Welcome to healthsystemCIO’s interview with Skip Sorrels, Director of Cybersecurity with Ascension Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Skip, thanks for joining me.
Skip: Thanks, Anthony. Pleasure to be here.
Anthony: Very good, Skip. Let’s start off, tell me a little bit about your organization and your role.
Skip: I work for the infrastructure arm of Ascension Health known as Ascension Technologies. It’s about 5,000 people that make up the infrastructure teams but, as a whole, Ascension Health is anywhere from 130,000 to 150,000 employees, 2,500 plus locations across the United States and, depending on which metric you look at on any given day, one of the top three largest non-profit healthcare providers in the United States.
Anthony: Any idea how many hospitals, just out of curiosity? Not a big deal if you don’t know. Approximate.
Skip: I think the hospital count is around 125, 130.
Anthony: That’s big. That’ll do it, right.
Skip: Yes, sir.
Anthony: Very good. Ascension Technologies is technically a separate company, correct? Technically its own entity in a sense?
Skip: I believe so. From a finance folks’ standpoint, I believe that’s correct.
Anthony: You provide services to Ascension. Do you provide services to any other health systems?
Skip: No. We’re a wholly-owned subsidiary, if you will.
Anthony: Just one customer, you have one big customer.
Anthony: I wonder if that type of dynamic – a lot of health systems don’t have that separate entity, but they’re always using the terminology that they want to, ‘treat our users like customers,’ in a sense, that ‘we’re a service department.’ Since you technically work for a different entity, does that help foster a customer dynamic?
Skip: I think it absolutely does. Because everyone who has an association to what Ascension Health is about has a heart for the mission; the mission of the hospital, the organization, the care of the poor and care of those in need. We’re all aligned with that, and so it doesn’t matter what it says on the paycheck or what budget my money comes from, we’re all in it together for the care of people.
Anthony: Let’s start with a big picture question. What are you thinking about these days? What trends are you watching? What’s top of mind?
Skip: Obviously, the buzz is artificial intelligence. I think it’s out there. We’ve got to be cognizant of it and we have to, in my mind, figure out how to embrace it for our betterment in terms of cyber defense, strategy, automation of workflows, whatever we could come up with. But that’s not the thing that keeps me up at night. Nothing really does. I shouldn’t say that. I sleep pretty good.
But if I wake up, my brain is usually thinking about something very basic, very fundamental – patch management, vulnerability management. It’s about securing our perimeter. What do we have technologically that’s exposed to the Internet that may have a chink in the armor, so to speak, that the so-called enemy out there is looking for to take advantage of?
Showing my age, I’m a former Dungeons & Dragons kid, I think in terms of castles and moats, and I try to use that analogy as defense in layers. You’ve got the moat, you’ve got the tar, you’ve got the spikes, you’ve got the wall, you’ve got the door, the drawbridge, each layer of defense. When I think in terms of cyber, I think that way – what’s at the most exterior, how do we ensure that we’re protected, and then step in a layer and go from there. All of that really boils down to the CIS Controls.
I don’t know that anyone can ever perfect 1, 2, and 3 to say that they’ve gone beyond that with any semblance of perfection. It’s just not possible, things change. Inventory is key. If you don’t know what you don’t have, then you can’t protect it. I really do try to settle myself into the fundamentals and shy away from the shiny new things. I don’t believe in silver bullets. I believe in understanding the context and use case and really understanding the details. We can solve pretty much anything with technology if we understand the requirements, the limitations and our own capabilities.
Anthony: Very good. Let’s go into that a little bit. You sleep pretty well which is great. Actually, in a serious sense, I want to talk a little more about that because I think there’s a lot of cyber professionals who don’t. I want to try figure out what are some of the reasons they might not, maybe we can help them.
But let’s first start with the idea that you’re a cyber hygiene guy, focusing on the basic blocking and tackling. I hear that a lot. It makes a lot of sense. You’re trying to think, what did I miss, what’s out there that I didn’t see, what’s hanging out there that’s dangerous that’s exposed to the internet – what are some of the ways that you go about finding those holes?
Skip: So you can work from the outside in or the inside out. From the outside, you can utilize technologies that scan your perimeter. No different than a cyber threat or hacker would do. There’s all sorts of open source tools. There’s all sorts of paid tools that can be leveraged to look at your IP ranges exposed to the internet. Basically, think of it as an external vulnerability scanner looking for holes in the armor.
From the inside out, back to the inventory. I believe that IP addresses and NATed IP addresses are a form of inventory and you have to understand what that IP space and range looks like, and then understand your DMZ and your pathway from the inside out or outside in, so that you can tie off on that, and really assess what’s going on and hopefully find systems that aren’t necessarily as secure and fix it. Get them off the internet or put controls in place to secure them.
Anthony: When you’re talking about inventory, are we talking mostly devices, including biomedical devices, or are we thinking applications as well? Are we thinking both?
Skip: Everything. CIS Control 1 would be hardware, 2 is your software and your applications. I throw IP addresses in there because they’re not a tangible asset, but they’re relevant to the hardware, where it sits and how it communicates, and you need to understand that. It’s just like the mailbox in front of the house on a country road. Knowing that address, where it exists, means that you also then have to understand how to protect it if somebody pulls up in the driveway. I think about our perimeter in that regard.
Anthony: If you have a sound procurement process around purchasing so that new applications, new devices, are all coming through security in a formal way, does this problem get mitigated quite a bit? You talked about inventory, right? How do we get our arms around inventory if new inventory keeps coming in and we don’t know about it? Talk about that dynamic.
Skip: Sure. The establishment of a risk assessment, or a technical assessment, at the beginning of the procurement process is imperative, because you want to identify the need of an organization or the want. They’re bringing it forward for financial approval. Before they can gain approval, it has to pass enterprise architectural reviews to make sure it falls within our reference architecture or standard. In order to control the de-standardization of an organization, you have to follow a standard. You want to eliminate things coming in that deviate from a set standard, you want to understand the risk.
So, to your point, having a system that puts a place holder in your database once the finances are approved and the order is placed so that you have a reconciliation point when it arrives at the dock or into the facility, is important. You can say, ‘I was expecting one of these and I got one of these. Now, I have the life beginning of an asset,’ so that cradle aspect of it. Then, the same thing with applications, the procurement process is the front door to understanding what may or may not come into the environment, so you can catalog that into a database as part of your inventory going forward.
Anthony: It’s not easy to get that governance in place, to get that culture of, it’s got to go through security. You’re in a massive organization, I’m sure things are popping up left and right in all the time. You used a really cool word that I like a lot, ‘de-standardization’, which to me would be a horrifying place for a health system, right?
Skip: I think the challenge in healthcare – and I think I can say this honestly having been a clinician, having been a trauma critical-care nurse for several years – is that physicians and clinicians historically have had their favorites; the medical device or the tool or the instrument that they prefer, no different than a mechanic likes Snap-on or Craftsman. When you take that into consideration, and you look at what’s happened over time, you can see why we have a lack of standards. You’ve got a little bit of everything everywhere.
In order to rationalize that, I think the key is to establish a form of governance that utilizes clinical peers. So the physicians in radiology, the physicians in cardiology, etc., that lead the organization and set the tone are the ones who should weigh in on what the standard should be based on tools, diagnostics, medical devices, et cetera.
If you can establish that, then you give them the choice and hopefully, we’re not there yet, but I would like to see it someday lead to a single or no more than dual-source vendor model where we have no more than three or four model versions of a particular, say, x-ray machine or ultrasound. There’s a couple of reasons for this.
First, standards decrease support overhead cost. Standards drive up the ability to negotiate better deals. Now, let’s talk about how it impacts your staff. In this world we live in today, we are short staffed even more than we ever were in the clinical space, and they’re looking for creative ways, not just our organization, healthcare in general, to shift staff to locations to load balance the need for care in this facility based on census, for example.
If you take me, as a nurse, from one ICU to the other and the equipment is different, I’m going to have a learning curve. I’m going to have some roadblocks and some limitations in my ability to jump into that job and be effective. Standards also help in regard to the mobilization of clinicians across multiple footprints in an organization, so that you can load balance staff potentially with the least amount of disruption.
Anthony: It makes a lot of sense, but I’ve heard that app rat, getting people to give up their favorite tools, is really hard. Can you talk about that?
Skip: Well, listen, I’ll be the first to admit I’m a creature of habit and I like my things, right? I had my favorites when I was at the bedside too, a particular monitor over another or whatever. We have our favorite pens and pencils, for crying out loud. When I think of application rationalization, you hear – ‘it feels right, it feels good because that’s the way I’ve always done it.’
On the back side of that, I would say the challenge in healthcare is often a lack of life cycle management. What I mean by that is we’ve got applications in our environment that have exceeded their useful life, meaning they’re no longer supported and can’t be patched. I’m speaking from a security lens, looking at how applications get to where they are. We’re in a budget-constrained environment, and so we tend to wear the wheels off the car before we change them.
Applications are no different. I think, quite frankly, it’s less of the favorite thing and more money-driven behavior, where we have to make do with what we have and then fortunately, where we sit today, security is right in the middle of that. Ten years ago, 12 years ago, not so much. It wasn’t really considered. Like for med devices and applications, ‘yes, security patch, whatever,’ it just didn’t have the attention that it has today.
I think app rationalization is one of the hardest things to do because you’re attempting to collapse what already exists and do it without disruption or disfavor. You can’t make everybody happy. As you are decommissioning an application, you’re also having to leave the ship and head to the other one through the lifeboat. That transition period, that organizational change management, becomes key so that you lessen the disruption, you set the expectation and, hopefully, train your staff adequately to move to the new system so you can jettison the old. That’s not an easy process.
If we didn’t have people, we wouldn’t have problems is one of the things I say (laughing). If it was just the technology swap, no big deal, right? But we have human beings involved, especially in healthcare, so we have to be aware of that.
Anthony: Right. That all makes perfect sense. We know application rationalization is something we would love to do. It’s really, really hard. But having said that, understanding how difficult it is to get rid of something makes us much more cautious and careful about what we bring in. Is that true?
Skip: That’s right. Yes. Getting something into the organization through the different gates that I discussed earlier, pre-procurement, assessments, architecture reviews, security reviews, et cetera, are really key going forward, especially now. Gosh, the last time I did nursing was 1988 or 99, and this was at the dawn of the electronic medical record. Everything we did was pen and paper, old school.
As I began to see the EMRs and the technology come along, it was fascinating to think about where we would be. Guess what, here we are in the future and I’m looking back and, wow, it’s even more important today. In the last 5 years alone, looking at the evolution of applications and security and the threats that came our way, it’s often overwhelming, and it does make it difficult to get your arms around it.
But I think the importance of, again, going back to having standards and limits to the quantities of things coming in benefits many in the long run. Again, we have to set the expectations and have people buy in and understand why it’s important.
Anthony: Very good. You said that you were a critical care nurse. Is that correct?
Skip: Yes, sir.
Anthony: That’s really interesting. I assume it’s helped you be a better cyber-leader.
Skip: I absolutely think it’s helped me in this role. I absolutely have a heart for the clinicians that struggle with technology if it’s not providing them what they expected at the time they need it. I honestly can say to a clinician who’s very frustrated, ‘Look I’ve been in your shoes.’ I’ve had those conversations. They’re like, ‘No you haven’t.’ I go, ‘Hold up a second. I used to be in the ICU, I know.’ I really do mean this genuinely – I understand what it means to have these challenges and these downtimes. It’s terrible, it’s hard.
Technology in healthcare has become a force multiplier for the clinicians. What I mean by that is, back when I was in the ICU, you couldn’t handle more than two patients. It was impossible. That was the patient-nurse ratio. Now, it’s much greater than that. But the reason for it is because we have the technology that gives them the visibility from a remote location down the hall or whatever, the means by which to monitor, to take care of those patients. If something goes down, that force multiplier goes away and now we have some problems and some challenges. I absolutely can relate wholeheartedly to the clinicians’ work and the level of stress and how hard it is when things don’t go well.
In terms of knowing operations, we encourage and want our people to be in the healthcare theater, if you will, walking the halls, doing rounding, having an understanding, more importantly, having a relationship with people, so that when there is a problem, they don’t see a strange face, they understand the frustration going on. They can say, ‘Oh, that’s the person who can help me. I know them, they come around all the time. We’ve got a great relationship.’
I think building the relationships, forming the understanding and the communication, educating one another to the frustrations through that visibility and experience, is extremely important in healthcare cybersecurity. It’s harder to get mad at somebody who you’ve broken bread with. Sharing meals sometimes, and the relationship that comes from that, allows you to have a lot more grace for one another. Again, relationships are extremely important.
Anthony: Yes, great way to put it. Having grace for each other – great way to put it. We only have a couple of minutes left. It goes fast. I do want to go back to that up-at-night concept. I do think that it’s a tough job. How do you not let it eat you up?
Skip: You have to have a hobby. My dad used to ask me, out of college – he knew I worked my tail off because I was trying to pay off student loans and I was excited because I had money in my pocket. But he’d always say, ‘how are you doing?’ We talk a little bit and his next question would be, ‘what are you doing for fun, what are your hobbies.’ That was his way of saying, ‘hey, I really respect what you’re doing but you have to have time for yourself.’ I would say that to anybody who asks me. You have to intentionally have time for yourself where you can disconnect.
I spent this weekend working on my Jeeps. It was therapeutic, it was awesome. The cellphone wasn’t near me, had the radio going, oil on my fingers, just mad as a hornet at certain things because they weren’t going my way. But at the end of it, I went, ‘hey, I did that and I had the mental break and it was completely different than thinking through cybersecurity and the stress of it,’ albeit a different form of stress, right? I’m not a mechanic by trade, but I felt like I could do it myself so I gave it a shot.
Anthony: I think that’s brilliant advice. I totally agree with you. Something that you could lose yourself in, right, that you enjoy and you can lose yourself in and it creates that mental break. You don’t need to – it’s impossible to turn your mind off, right? You don’t get to flip the switch to off but you can make it go somewhere else where it’s a more pleasant place to be for a while.
Skip: I agree. Absolutely agree.
Anthony: Brilliant, brilliant. Any other final word of advice other than that for your colleagues, things that you found have made you successful? Any final parting piece of advice?
Skip: Take a bath, hygiene, cyber hygiene.
Anthony: Cyber hygiene.
Skip: I think fundamentals are key. I’m asked a lot what are the technologies for today and tomorrow. Well, they’re going to be fantastic, but the reality is we’ve got to stick to the fundamentals. We’ve got to do our basic blocking and tackling. In healthcare, we don’t have the budget or the luxury of going after the really cool shiny thing, right? We have to be very diligent; typically when we get something new, it’s because we’re replacing something and leaving it behind. It’s not a net-new add.
All of that is to say be careful in your thought process, don’t get overly zealous with silver bullets, stick to your hygiene and remember that cybersecurity is everybody’s responsibility. It’s not just mine or my team’s. It’s everybody out there in the world, quite frankly. We see it in our banking. We have a PIN we have to enter. We’ve got dual-factor authentication. We don’t think about those things when we’re in healthcare, but it’s the exact same security posture you have at your bank.
I use those analogies a lot when people are frustrated because we institute something new and I’ll say, ‘well, what do you do with your bank, you got a phone right? Does it text you? Does it email you and say can you please confirm with this PIN?’ And they say, ‘Oh, yes, we’re doing the same thing.’ It’s no different.
I think take a step back, take a deep breath, focus on the fundamentals, try not to get too wound up about things, and enjoy what you do and know that everybody has got to play a part.
Anthony: Awesome, Skip. That was wonderful. I think people are really going to enjoy it. Thank you so much for your time.
Skip: You’re very welcome. Thank you. I appreciate it.