Business Analyst (Third-Party Security & Privacy Risk Management)

Talent Groups
Waltham, MA | Full Time
POSTED ON 5/11/2026
AVAILABLE BEFORE 6/6/2026
Duration: 6 months to start

Job Description

Role Summary:

The Third-Party Risk Management Analyst / Business Analyst (BA) is a temporary contractor supporting the Patient Trust initiative by identifying third-party processors that store, access, or handle patient data (including PHI/PII as applicable) and strengthening the oversight, accountability, and risk management of those processors. The BA partners with Security, Privacy, Procurement, Legal, Risk, and business owners to define requirements, analyze the current state, and deliver foundational governance artifacts such as a unified third-party patient data inventory, a vendor lookback plan, and a risk-tiering model.

Key Responsibilities

  • Deliver Phase 1 foundations for Workstream 3: translate the deck deliverables into requirements, detailed process steps, owners, and measurable outputs across the Vendor Lookback Plan, Unified Third-Party Patient Data Inventory, and Risk-Tiering Model.
  • Vendor Lookback Plan (Apr-Nov): build the initial vendor universe by coordinating the OneTrust and LeanIX pulls and defining the comparison logic used to establish the starting population of potential patient-data vendors.
  • Identify likely patient-data service areas: perform procurement taxonomy review, category classification, and targeted vendor list requests to focus on service areas most likely to process patient data.
  • Consolidate and normalize the master vendor list: merge OneTrust/LeanIX/Procurement sources; deduplicate; standardize vendor names; and capture baseline context (service description, business owner, system/app linkage as available).
  • Confirm patient data processing (in-scope determination): execute desktop validation and drive targeted business owner confirmations to finalize binary in-scope / out-of-scope decisions.
  • Operationalize risk-based lookback triggers: define and document trigger logic (time since review, data sensitivity, volume, access level, criticality) and apply it to the in-scope vendor set to determine reassessment needs.
  • Drive formal approval of the lookback methodology: prepare decision materials and facilitate approvals for scope, triggers, and prioritization logic with Workstream 3 stakeholders.
  • Deliver the Unified Third-Party Patient Data Inventory (Jul-Nov): ensure the inventory captures required outputs (normalized vendor name, business owner, service description, patient data involvement yes/no, data types, geographic footprint, and risk tier once established).
  • Build the Risk-Tiering Model (Aug-Nov) and prioritized lookback queue: define tier inputs (sensitivity, volume, access, criticality, time since review), group vendors into high/medium/low tiers tied to review expectations, and create an execution queue aligned to capacity, phased waves, and future automation.
  • Support Phase 2 execution (Oversight & Monitoring): support conduct of lookback assessments and operationalization of the Third-Party Assurance Program (annual security & privacy reviews, evidence-based control testing, SOC 2 / ISO 27001 intake review processes).
  • Continuous monitoring of critical vendors: help define the monitoring approach using questionnaires, external signals, and/or integrated vendor-risk tools; document thresholds, cadence, escalation paths, and reporting.
  • Third-Party Incident Response Integration: define and document vendor notification and cooperation expectations within defined timeframes for patient data/PHI exposure events; align playbooks and handoffs with Security Incident Response and Privacy.

Required Qualifications

  • 5 years of business analysis experience delivering process, data, and governance outcomes in regulated environments.
  • Hands-on experience with third-party / vendor security risk management (TPRM), including risk assessments, evidence collection, remediation tracking, and stakeholder communications.
  • Strong understanding of security and privacy fundamentals as they relate to third parties (e.g., access, data handling, encryption, incident response, audit artifacts).
  • Demonstrated ability to build and maintain inventories or registries (vendors, applications, data flows) with attention to data quality, normalization, and reporting.
  • Proficiency with requirements elicitation/documentation techniques (workshops, interviews, user stories, acceptance criteria) and process mapping.
  • Excellent written and verbal communication skills; ability to translate technical and control concepts into business-friendly language.
  • Experience working cross-functionally with Security, Privacy, Procurement/Vendor Management, Legal, IT, and business owners.

Preferred Qualifications

  • Experience supporting healthcare data programs and/or familiarity with HIPAA/HITECH concepts (or equivalent healthcare privacy/security frameworks).
  • Experience reviewing third-party audit reports and certifications (SOC 2 Type II, ISO 27001, NIST Privacy Framework, ISO 27701) and translating results into risk decisions.
  • Experience with TPRM and GRC tooling and/or enterprise inventory sources (e.g., OneTrust, LeanIX, procurement systems, vendor-risk platforms).
  • Experience defining risk-tiering methodologies and prioritization queues aligned to capacity and operational realities.
  • Familiarity with contract/security addenda requirements and third-party incident notification language.
  • Project delivery experience in Agile, hybrid, or waterfall environments; comfort with backlog management and delivery planning.