
HIPAA Security Specialist Job (Salt Lake City, UT, US)

Requisition Number: 11333
Reg/Temp: Regular
Employment Type: Full-Time
Shift: Day
Work Schedule: ..

Location Name: Information Technology Services
City: SALT LAKE CITY
State: UT
Department: UUH ISC 17F INFORMTN SECURITY

EEO Statement
The University of Utah Health Care is an Affirmative Action/Equal Opportunity employer. Upon request, reasonable accommodations in the application process will be provided to individuals with disabilities. The University of Utah Health Care is committed to diversity in its workforce. Women and minorities are encouraged to apply.

Overview:

As a patient-focused organization, the University of Utah Health Care exists to enhance the health and well-being of people through patient care, research and education. Success in this mission requires a culture of collaboration, excellence, leadership, and respect. University of Utah Health Care seeks staff that are committed to the values of compassion, collaboration, innovation, responsibility, diversity, integrity, quality and trust that are integral to our mission. EO/AA

This position is responsible for developing and maintaining HIPAA security policy and risk analysis, and for monitoring compliance with University security policy and applicable law. Assists in the design of HIPAA security policy, education, training and awareness activities. May be requested to assist with PCI, GLBA, GRAMA, FERPA, and FISMA.

Responsibilities:
- Reviews existing HIPAA Security and Privacy policies and procedures and interviews key personnel responsible for protecting ePHI
- Performs gap analysis with the Standards, Safeguards and Requirements contained in the HIPAA Security and Privacy Rules
- Provides observations related to positive practices and areas for improvement based on HIPAA implementation guidance, NIST special publications, and professional experience
- Provides prioritized implementation roadmap to assist the organization with prioritizing remediation activities
- Provides HITECH, Meaningful Use, and Omnibus specific remediation guidance
- Selects control standard and/or industry-regarded best practice
- Establishes inherent and residual risk scoring algorithms
- Formalizes and documents a repeatable risk management methodology and risk assessment program
- Conducts risk assessments based on newly-documented risk management methodology
- Prepares and issues risk assessment reports for assessed applications and/or systems that includes both inherent and residual risk scores, as well as a matrix of control compliance
- Reviews overall Information Security Programs and security-related activities
- Performs gap analysis with ISO 27001/27002 and/or NIST 800-53
- Provides observations related to positive practices and areas for improvement based on industry-regarded best practices
- Provides prioritized security roadmap to assist customers with planning and implementation of recommendations

Knowledge / Skills / Abilities:
- Knowledge of Risk Management Methodology Development and Risk Assessments for Health Care Providers and Business Associates.
- Expert level knowledge of HIPAA Security and Privacy Rules
- Expert level knowledge of HITECH, Meaningful Use and Omnibus
- Extensive understanding of NIST 800-53
- Extensive understanding of PCI, GLBA, GRAMA, FERPA, FISMA
- Ability to interface with all levels of stakeholders on remediation planning, budgeting and helping prioritize efforts
- Extreme passion for analyzing and assessing risk, and explaining risk management methodology in a way that enables informed business planning to remediate risks
- Exceptional presentation skills, with all levels of stakeholders
- Ability to recommend appropriate awareness and training content

Qualifications:
Required
- Eight years of information technology and information security experience, working in health care providers, hospitals, and higher education institutions, with a demonstrated ability to align business strategic goals with regulatory compliance and internal policy requirements.
- Bachelor’s degree in Business, Information Systems, Healthcare Administration, or equivalent experience.
- Extreme passion for analyzing and assessing risk, and explaining risk management methodology in a way that enables informed business planning to remediate risks
- Certified in Risk and Information Systems Control (CRISC)
- Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Course, Certified HITRUST CSF Practitioner
- Certified Authorization Professional (CAP)
- Information Systems Security Architecture Professional (ISSAP)
- Holistic Information Security Practitioner (HISP)
- ITIL Foundation Certification
- Certified Information Systems Security Professional (CISSP)
- SANS 401 Security Essentials

Qualifications (Preferred):
- Risk management, regulatory and contractual compliance, and policy areas of information security
- Information Systems Audit and Control Association (ISACA)
- Information Security Systems Association (ISSA)
- International Information Systems Security Certification Consortium (ISC2)
- Holistic Information Security Practitioner Institute (HISP)
- Healthcare Information and Management Systems Society (HIMSS)
- Health Information Trust Alliance (HITRUST)
- Experience with: PCI, GLBA, GRAMA, FERPA, FISMA
