Skip Sorrels has traveled full circle in his career,
He began his career in the nursing profession in Texas working the gamut from intensive care and trauma units, to transplant teams. Computers were always an interest, and Sorrels also lent his spare time to a nonprofit organization doing IT work. Among his responsibilities there was procurement of IT gear from Dell, which eventually wooed him to its team where he did some solution work on Department of Defense contracts and for different branches of the military.
Today, Sorrels is director of cybersecurity at Ascension Technologies, which oversees the technology needs for Ascension Healthcare, one of the country’s biggest non-profit healthcare providers. His front-and-center experience as both a nursing practitioner and security executive puts him in prime position to discuss this week’s release of the 405(d) Task Group’s Health Industry Cybersecurity Practices (HICP).
The HICP identifies top cybersecurity threats to the healthcare industry, and 10 blocking-and-tackling mitigation practices and sub-practices aimed at not only larger, more resourced organizations, but also smaller healthcare providers.
Subscribe and listen to the Nexus podcast on your favorite platform.
In this episode of the Nexus podcast, Sorrels provides insight on the importance of the HICP, how it’s being used by healthcare delivery organizations (HDOs) today, and cybersecurity challenges facing the healthcare industry, including asset discovery and management, and vulnerability management.
“It’s really a dependency on the maturity of the organization and whether they have a strong IT department and are ready to cross that bridge into cyber awareness,” Sorrels said as to how extensively it’s being used. “It is a guiding document.”
The HICP is closely aligned to the NIST Cybersecurity Framework, and is meant as a reference document for healthcare cybersecurity teams looking to kick off or enhance their programs. The publication includes a main document called the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, as well as Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations and Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations.
The publication is structured in alignment to the top threats and cybersecurity practices aimed at blunting those threats with varying degrees of sophistication according to the size and maturity of the healthcare organization.
“There really isn’t a difference between the recommendations,” Sorrels said. “The difference is in how much they’re guiding a small organization to do versus a larger with more resources and money and is able to take on more mature activities. Fundamentally, it’s a body of work to help guide people in the direction of good cybersecurity controls and practices.”
While the risks are likely quite similar for HDOs of any size, larger organizations have more of an attack surface that threat actors may target, bringing increased prioritization on practices such as asset discovery and management, as well as patching and vulnerability management.
“The NIST documents, frameworks, HICPs all say basically the same thing,” he said. “I think it’s just compounded by enumeration for the larger organizations.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.