Chief Information Security Officer - Remote Opportunity

Position Title: Chief Information Security Officer - Remote Opportunity

Position Overview: We seek an experienced and highly skilled Chief Information Security Officer (CISO) to join our growing organization with 180+ distributed healthcare facilities, including Surgical Hospitals, Ambulatory Surgical Centers, and Clinics. As the CISO, you will lead and implement our comprehensive information security strategy to protect the confidentiality, integrity, and availability of sensitive patient data and critical systems across a distributed environment throughout the organization. This position will be crucial in safeguarding our healthcare and corporate environment against cyber threats, ensuring compliance with healthcare data regulations, and fostering a culture of security awareness among our colleagues.

As the senior most cybersecurity leader, this position will play an instrumental role in driving organizational cybersecurity and related risk posture through all levels – and will require a strong ability to influence and communicate with precision to a diverse range of audiences from providers, executive management, board of directors, etc.

Responsibilities:

Information Security Strategy and Governance:

• Partner with Audit, Compliance, Finance, Treasury, etc., to create a unified alliance promoting information security and governance practices.
• Develop and maintain a robust information security strategy and framework tailored to the healthcare industry's unique challenges and regulatory requirements.
• Collaborate with executive leadership to align information security initiatives with overall business objectives and risk tolerance.
• Establish and oversee information security governance processes, including risk assessment, vulnerability management, incident response, and compliance tracking.

Cybersecurity Operations:

• Manage the day-to-day operations of the information security team, ensuring the implementation and maintenance of security controls, technologies, and best practices.
• Conduct regular security assessments, vulnerability scans, and penetration tests to identify and address potential security weaknesses.
• Lead incident response efforts, coordinating with internal teams and external stakeholders to mitigate security incidents and minimize their impact.

Regulatory Compliance and Risk Management:

• Continuously calibrate the organizational controls including policies and procedures with evolving healthcare data privacy laws, regulations, and industry standards, such as HIPAA, PCI, NIST CSF, disclosures, etc., to ensure the organization's compliance with these requirements.
• Firm Understanding of IT SOX controls is a requirement to ensure compliance.
• Assess and manage information security risks, working with various departments and facilities to develop and execute risk treatment plans.

Security Awareness and Training:

• Implement a comprehensive security awareness and training program for all employees to enhance their understanding of security best practices and their role in protecting patient information.
• Foster a culture of security awareness, emphasizing the importance of safeguarding sensitive data and reporting potential security incidents.

Governance, Risk and Compliance:

• Assess the security posture of third-party vendors and service providers to ensure they meet healthcare industry standards and comply with relevant regulations.
• Establish and enforce vendor risk management policies and procedures to minimize potential security risks associated with third-party relationships.
• Conduct routine HIPAA and infrastructure/cyber risk assessments across healthcare facilities and create plans to improve upon risk and communicate progress to management continuously.

Security Incident Response and Recovery:

• Maintain incident response plans to address various types of security incidents, such as data breaches, malware attacks, and system intrusions.
• Coordinate and lead incident response activities, working closely with IT, legal, and communication teams to ensure timely and effective response and recovery.

Business Continuity:

• Lead the development, implementation, and maintenance of enterprise-wide business continuity strategies to ensure resilience against cyber threats and operational disruptions.
• Collaborate with IT, risk management, and business units to assess critical systems and data dependencies, define recovery time objectives (RTOs) and recovery point objectives (RPOs), and ensure alignment with organizational risk tolerance.
• Conduct regular business continuity planning (BCP) tests, audits, and tabletop exercises; analyze outcomes and drive continuous improvement in preparedness and response capabilities.

Qualifications and Experience:

• Bachelor's degree in Computer Science, Information Security, or a related field; advanced degrees are advantageous.
• Minimum of 8-10 years of experience in information security, with at least 5 years in a leadership or management role within the healthcare industry.
• In-depth knowledge of healthcare data privacy laws and regulations (e.g., HIPAA, PCI, NIST) and experience in implementing and maintaining compliance programs.
• Proven track record of developing and executing comprehensive information security strategies within complex healthcare environments by influencing stakeholders from all levels.
• Strong understanding of cybersecurity technologies, tools, best practices, and emerging threats and vulnerabilities.
• Excellent communication and leadership skills with the ability to articulate complex security issues to non-technical stakeholders.