JOB SUMMARY:

The Chief of Information Security and Security Officer (CISO) is responsible for providing leadership and operational excellence for developing and supporting security initiatives and policies along with developing strategies to protect sensitive data, managing security risks, investigating and remediating security incidents and promoting security awareness and compliance across the organization. The CISO acts as the primary contact for security-related matters and serves as the organization's HIPAA Security Officer. 

Job Responsibilities:

Leadership & Strategy: 

• Develop and manage a comprehensive information security and risk management program aligned with business objectives and regulatory requirements.
• Serve as the organization's HIPAA Security Officer and lead all activities related to ensuring the security of protected health information (PHI).
• Collaborate with executive leadership, legal, compliance, and IT teams to integrate security into all aspects of operations and technology.
• Serves in a leadership capacity in the execution of the organizations Cyber Incident Response plan, coordinating action, communication, and mitigation efforts in conjunction with Executive Leadership.
• Keep current with emerging security trends, conduct research and make recommendations for improvements to current processes. Advise, counsel and educate executive and management teams on technology’s relative importance and financial impact.

Governance, Risk & Compliance:

• Establish, implement, maintain, and audit information security policies, procedures, and controls in accordance with PathGroup’s Compliance Program, federal laws, and industry-standard best practices.
• Conduct regular risk assessments and security audits to identify vulnerabilities and recommend mitigations.
• Oversee security incident response planning and investigation of security breaches, including documentation and reporting.
• Work closely with the Chief Information Officer and Privacy Officer to develop and administer security awareness training for all employees and contractors.

Security Operations:

• Lead strategic security and incident response planning to achieve business goals by prioritizing defense initiatives through the deployment, monitoring, maintenance, development, and upgrading of current and future security tools, technologies, and systems.
• Ensure regular risk assessments, penetration testing, and remediation efforts are conducted on a regular and timely basis.
• Monitor and analyze network and system activity for anomalies and trends to prevent and remediate security incidents in a timely manner.
• Work with IT to implement secure system configurations and DevSecOps practices.

Third-Party, Vendor and Client Management:

• Evaluate third-party vendors and partners for security and compliance posture.
• Complete all required security assessments from existing or prospective clients.
• Participate in contract negotiations to ensure appropriate security requirements and data protection terms are in place.

Management:

• Manage the employee hiring process including developing and updating job descriptions, developing performance expectations, identifying essential functions and knowledge, skills and abilities required for applicable positions, and selecting and assigning staff.
• Supervise and manage employee and team performance by coaching, counseling, motivating, and evaluating employees on a continual basis. Implement disciplinary action as needed and in consultation with Human Resources.
• Coordinate team projects, schedule work assignments, set priorities, and direct the work of subordinate employees.
• Ensure effective employee relations by sustaining an ethical, non-discriminatory and safe work environment and establishing effective communication lines and methods. Identify and solve employee problems, manage conflict, and respond to grievances as needed.
• Perform all job responsibilities in alignment with the industry’s best security practices and regulatory guidelines to protect confidentiality, integrity, and availability of protected health information and other sensitive company data.
• Must be familiar with and abide by the Corporate Compliance Program and all Corporate policies, including the Privacy and Security policies.

NON-ESSENTIAL FUNCTIONS:

• Nothing in the job description restricts management’s right to assign or reassign duties and responsibilities to this job at any time.
• Other duties as assigned

Qualifications:

EDUCATION & LICENSURE:

• A bachelor’s degree or the equivalent combination of education and experience in Cybersecurity is required.

REQUIREMENTS:

• At least five to ten years of prior job-related experience in Healthcare Information Security is required.
• In-depth knowledge of HIPAA Security Rule, HITECH, and healthcare regulatory frameworks.
• Preferred advanced knowledge in at least one of the following cybersecurity frameworks: HITRUST, NIST CSF, ISA 27001.
• Proven ability to communicate effectively with IT leadership and executive stakeholders.

PREFERRED:

• Professional certifications such as CISSP, CISM, CISA, HCISPP, or HITRUST CCSFP.