healthsystemCIO.com

Q&A with Ascension Health Director of Cybersecurity Skip Sorrels: Getting to Know Users Diffuses Many Situations

02.12.2024 - By Anthony Guerra

When Skip Sorrels, Director of Cybersecurity with Ascension Health, tells a clinician who may be frustrated with IT that he knows what they are going through, he means it. That’s because, in a past life, Sorrels served as an ICU nurse before moving to cyber. As such, he understands what it’s like to have a device or app go down in the middle of patient care, and also why some resist an application rationalization push that may seek to sunset their favorite tool. But Sorrels says such efforts are needed to drive towards standardization, without which costs go up and the ability to move clinicians around (and have them comfortable with the tools they encounter) goes down. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Sorrels discusses these issues, why he’s focused on cyber-hygiene over shiny new objects, and how he’s managed to create a sustainable work/life balance.

Bold Statements

I’m a former Dungeons and Dragons kid, I think in terms of castles and moats, and I try to use that analogy as defense in layers. You got the moat, you got the tar, you got the spikes, you got the wall, you’ve got the door, the drawbridge, each layer of defense. When I think in terms of cyber, I think that way – what’s at the most exterior, how do we ensure that we’re protected, and then step in a layer and go from there.

I throw IP addresses in there because they’re not a tangible asset but they’re relevant to the hardware, where it sits and how it communicates, and you need to understand. It’s just like the mailbox in front of the house on a country road. Knowing that address, where it exists, means that you also then have to understand how to protect it if somebody pulls up in the driveway. I think about our perimeter in that regard.

I would say the challenge in healthcare is often a lack of life cycle management. What I mean by that is we’ve got applications in our environment that have exceeded their useful life, meaning they’re no longer supported and can’t be patched. I’m speaking from a security lens, looking at how applications get to where they are. We’re in a budget-constrained environment, and so we tend to wear the wheels off the car before we change them.

Anthony: Welcome to healthsystemCIO’s interview with Skip Sorrels, Director of Cybersecurity with Ascension Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Skip, thanks for joining me.

Skip: Thanks, Anthony. Pleasure to be here.

Anthony: Very good, Skip. Let’s start off, tell me a little bit about your organization and your role.

Skip: I work for the infrastructure arm of Ascension Health known as Ascension Technologies. It’s about 5,000 people that make up the infrastructure teams but, as a whole, Ascension Health is anywhere from 130,000 to 150,000 employees, 2,500 plus locations across the United States and, depending on which metric you look at on any given day, one of the top three largest non-profit healthcare providers in the United States.

Anthony: Any idea how many hospitals, just out of curiosity? Not a big deal if you don’t know. Approximate.

Skip: I think the hospital count is around 125, 130.

Anthony: That’s big. That’ll do it, right.

Skip: Yes, sir.

Anthony: Very good. Ascension Technologies is technically a separate company, correct? Technically its own entity in a sense?

Skip: I believe so. From a finance folks’ standpoint, I believe that’s correct.
