Information Security Officer

FLSA Status

Exempt

Job Role Summary

The Information Security Officer is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. This position works with Eskenazi Health's leaders to prioritize security needs and related costs according to financial constraints and directives. The Information Security Officer is responsible for enhancing and improving physical security and cyber security by identifying Eskenazi Health's protection goals and objectives, and ensuring alignment with the organization's strategic plans.

Essential Functions and Responsibilities

• Develops and implements policies, procedures, and plans related to: security of computer systems, networks and telecommunications; health information security and privacy compliance; business continuity, risk management, loss and fraud prevention; and emergency and incident response  
• Works closely with the Privacy Officer to ensure alignment between security and privacy compliance programs; acts as a liaison to the Information Systems and Compliance departments; assists with breach determination, remediation, and notification processes under HIPAA and applicable state breach rules and requirements
• Responsible for initial and ongoing information security risk assessment and analysis, mitigation and remediation; conducts audits to find holes in security platform 
• Establishes and administers a process for investigating and acting on security incidents which may result in a privacy breach 
• Identifies and prioritizes security initiatives and standards; addresses privacy, confidentiality and standards administration 
• Senior role in the Incident Response process including security breaches; develops and directs technical teams in the investigation and resolution of a variety of complex health information privacy and security issues using a systematic approach 
• Directs the activities relative to the monitoring and review of system logs and network activities for possible unauthorized intrusion
• Directs the development and delivery of security training to organizational personnel at all levels relative to the privacy and security of health information
• Researches and recommends appropriate hardware and software to implement and maintain health information privacy and security
• Initiates, facilitates, and promotes activities to foster information security awareness within the organization
• Oversee and direct the resolution of ServiceNow tickets related to cyber security issues and concerns.
• Evaluates security trends, evolving threats, risks and vulnerabilities; implements tools to mitigate risk as necessary
• Collaborates with senior management, Privacy Officer, and Corporate Compliance officer to establish governance for the security program
• Manages security incidents and events involving electronic protected health information (ePHI)
• Ensures organization has audit controls in place to monitor activity on electronic systems that contain or use electronic protected health information (ePHI)
• Oversees periodic monitoring and reviewing of audit records to ensure that activity is appropriate; includes but is not limited to logons and logoffs, file accesses, updates, edits and printing
• Participates in the development, implementation, and ongoing compliance monitoring of all BA's and business associate agreements, to ensure security concerns, requirements, and responsibilities are addressed
• Serves as senior information security subject matter expert to all departments for all cyber security matters
• Be prepared and able to flex and assist other cyber security mission areas as necessary.
• Serves in a key leadership role within the Information Security function helping drive a strategic and comprehensive information security program that defines, develops, maintains and implements processes that enable consistent, effective information security practices.

Job Requirements

• Bachelor's degree in Information Systems or a related healthcare field required
• Certified in Healthcare Privacy and Security (CHPS) certification and/or other healthcare industry related security credentials required
• Certified Information Systems Security Specialist (CISSP) certification is preferred
• Appropriate certification in risk management and/or health care compliance preferred
• 5+ years progressive experience in health information security management, health information management, information systems and/or health risk management is required

Knowledge, Skills & Abilities

• Extensive knowledge of various health care privacy, security and associated laws, rules and regulations including all applicable standards
• Extensive knowledge of the various sources and resources for information at the federal, state and local level in the privacy and security areas
• Extensive knowledge of computer systems, computer network systems, telecommunications and all associated hardware, software and associated protocols
• Extensive knowledge of the Internet, intranet and extranet technologies and applications
• Extensive knowledge of computer based patient record systems and various protocols relative to privacy and confidentiality of health information
• Extensive knowledge of risk analysis and the development of security systems and protocols
• Knowledge of various encryption techniques and their proper utilization
• Knowledge of computer hardware and software its use, function and design
• Knowledge of general hospital operations and of physician clinic operations
• Knowledge of the auditing process including various techniques relative to auditing and problem resolution
• Knowledge of team dynamics and the process of building consensus; ability to develop and lead teams toward stated objectives and goals
• An overall understanding of financial management and reporting in health care
• Ability to participate with upper management in a decision support mode through the development of appropriate management information
• Ability to effectively work with and coordinate the activities of outside consultants
• Ability to work with outside auditors relative to formal privacy and security auditing situations
• Ability and skill to influence personnel through a matrix organization
• Skill in networking both directly through colleagues and professional organizations along with the ability to utilize networking capabilities through internet news groups and list serves
• Interpersonal communication skills for training and working with personnel in sometimes tense situations
• Ability to facilitate diverse disciplines and personnel with disparate technical backgrounds
• Knowledge and experience in state and federal information security laws, including but not limited to HIPAA, including NIST, PCI and all other applicable regulations