At Lyft, community is what we are and it's what we do. It's what makes us different. To create the best ride for all, we start in our own community by creating an open, inclusive, and diverse organization where all team members are recognized for what they bring.
Our drivers and passengers entrust Lyft with their personal information and travel details to get where they're going, and expect us to keep that data safe. Lyft's security team leads efforts across the company to ensure our systems are secure and worthy of our users' trust. The security team designs and builds out Lyft's security architecture, consults with other teams as they build and launch new products and features, and responds to incidents that occur. We're software engineers first, we believe in scaling security through engineering and automation, and we ship frequently. Our work spans the entire company and takes place at all levels of the stack, from infrastructure to web application security, as well as mobile apps and IT.
The mission of this position: Operational responsibility for assuring the organization provably complies with the HIPAA Security Rule.
The right candidate will become Lyft's HIPAA Security Official, responsible for the development and implementation of all policies and procedures necessary to appropriately protect the confidentiality, integrity, and availability of our ePHI related information and the systems that contain ePHI. You'll be responsible for the management and supervision of the security measures we use to protect ePHI data and the conduct of personnel in relation to the protection of ePHI data. You'll work with engineers to drive the automated application and validation of HIPAA related policies as well as providing evidence for necessary internal and external audits.
If you want to learn more about the kinds of things we've built, check out our open-source secret management service for AWS users at https://lyft.github.io/confidant.
Ensure our ePHI related information systems comply with all applicable federal, state, and local laws and regulations.
Ensure that no information system comprises the confidentiality, integrity, or availability of any other ePHI related information system.
Develop, document, and ensure dissemination of appropriate HIPAA related security policies, procedures, and standards for the users and administrators of ePHI related information systems.
Ensure that newly acquired ePHI related information systems have features that support required and/or addressable security Implementation Specifications.
Coordinate the selection, implementation, and administration of significant ePHI related security controls.
Ensure workforce members receive regular ePHI related security awareness and training.
Conduct periodic risk analysis of ePHI related information systems and security processes.
Develop and implementing an effective ePHI related risk management program.
Regularly monitoring and evaluating threats and risks to ePHI related information systems.
Monitor auditing records to identify inappropriate activity regarding ePHI information.
Maintain an inventory of all information systems that contain ePHI.
Ensure adequate physical security controls exist to protect ePHI.
Coordinate with the Data Privacy Team and Privacy Counsel to ensure that security policies, procedures, and controls support compliance with the HIPAA Privacy Rule.
Review the HIPAA Security policies and procedures documentation and update on an annual basis.
Communicate the HIPAA Security Official's role and responsibility throughout the organization.
Retain documentation (e.g. training materials, job description) of the practices in place as evidence of HIPAA compliance.
Experience & Skills:
Prior, deep experience with the HIPAA Security Rule
Maintenance of a policy library
Partnership with both internal and external auditors
Computer networking concepts and protocols, and network security methodologies
Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
Vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins)
Infrastructure security principles and methods (e.g., firewalls, DMZs, encryption)
Current industry methods for evaluating, implementing, and disseminating security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities
New and emerging IT and cybersecurity technologies
Supply chain security and supply chain risk management policies, requirements, and procedures
Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth)
Assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, ect.)
Technical writing, knowledge management, technical documentation techniques
Preparing and presenting briefings/presentations
Communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means
Collection, verification, and validation of test data
Understand technology, management, and leadership issues related to organization processes and problem solving
Interpret and translate customer requirements into operational action
Identify critical infrastructure systems with information communication technology that were designed without system security considerations