The Information Security Officer (ISO) position requires a leader with strong knowledge of privacy and information security best practices within the healthcare environment. The ISO must possess effective communication and people skills, strong leadership qualities, thorough understanding of security best practices, technologies, and controls, and the ability to translate these discrete concepts into business-friendly terminology. The ISO must also maintain a strong understanding of risk management and governance practices and the use of risk methodologies.
Reporting to the Deputy Chief Information Security Officer (CISO), the Affiliate Information Security Officer (ISO) is responsible for establishing and maintaining the information security program at Sutter Health affiliates, including hands-on execution and day-to-day management of the Affiliate Information Security Program. The ISO is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the organization.
The ISO enables the organization to achieve its mission of providing world-class health care to its communities and proactively works with business units to evaluate, educate, and implement practices that meet defined policies and standards for information security. The ISO effectively works with affiliate and enterprise leadership to determine acceptable levels of risk for the organization and reports on variance. The ISO maintains a deep knowledge about the business environment and ensures ongoing security controls are maintained.
In addition, the ISO advises the appropriate Organizational Unit (OU) DCISO regarding the Information Security Program Strategic Plan and Roadmap, and budget required to maintain the security risk profile as directed by the Sutter Health Board of Directors and senior leadership. The ISO represents Information Security at business executive leadership, steering, governance, and board committees.
As the security leader for the assigned area of responsibility, the ISO fosters a culture of security among the Sutter Health workforce within the affiliates and foundations. In addition, the ISO collaborate with affiliate and foundation executives, Compliance, Legal, Privacy, Human Resources, Sutter Health IS management and staff, and other personnel as appropriate in matters relevant to information security.
Bachelor's Computer Science, Information Security, Business, Management, Information Technology or related field. As typically found in 4 years in field required.
Master's Computer Science (MCS), Information Security (MSIS), Business (MBA), Healthcare Management (MSHCM), or related field preferred.
Certified Information Systems Security Professional
Certified Information Security Manager
Other Healthcare Certified Information Security HealthCare Information Security and Privacy Practitioner (HCISPP)
Security certifications preferred.
Seasoned leader with proven track record of leading information security initiatives in a healthcare environment Required
A minimum of 8 years' combined experience in IT and information security, three of which must be in information security Required
Leadership experience in programs, projects, and initiatives in a clinical provider environment Required
Demonstrated success in security program transformation initiatives and ability to apply creative and customized security solutions for the business Required
Experience interpreting and applying industry frameworks such as ISO 27001 and HIPAA Security and Privacy Rule requirements Required
Proven track record of building productive relationships with key business and IT leaders Required
Extensive experience managing information security in a complex technical environment consisting of all levels of hardware platforms, WAN/MAN/LAN, Client-Server and Thin Client applications, Intranet/Extranet/Internet and Web Required
Solid experience showcasing excellent project management and effective leadership of multidisciplinary teams that successfully defined, developed, and delivered various information security solutions Required
Comprehensive management experience demonstrating leadership across all of the major functions of security, technology, and interfacing with the business and clinical leaders Required
Skills and Knowledge
Knowledge and experience with Windows, Active Directory, group policy, DNS, encryption, patch management, anti-virus, system configuration management
Knowledge and experience with LAN, WAN, VPN, routers, firewalls, servers, IDS/IPS, SIEM, DLP and workstation administration
Knowledge and understanding of relevant legal and regulatory requirements including participating in audit teams/process, such as Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Meaningful Use, SSAEC-16 Soc 2 and other industry initiatives and regulations
Strong understanding of the business impact of security tools, technologies, and policies
Solid expertise in formal/structured IT security risk assessment methodology, including understanding the implementation challenges and advantages across all levels of hardware platforms and software applications
Broad working knowledge of health care operations and their related data/software/hardware requirements including, but not limited to, hospitals, clinics, medical offices, and their information technology needs
Comprehensive understanding of the compliance and legal requirements for information confidentiality and integrity especially as it relates to patient information in a healthcare environment (electronic health/medical records (EHR/EMR), HIPAA, HITECH, etc.)
Understanding of and experience with Lean or other process improvement philosophies and methodologies desired
Excellent written and verbal communication skills, including the ability to give presentations and translate complex technical concepts and the digital security viewpoint into business and clinician relatable language
Excellent problem-solving and analytical skills
Strong ability to establish and maintain a high level of customer trust and confidence
Demonstrated ability to work under stress in emergencies, and the flexibility to handle simultaneous high pressure demands
Proven ability to drive through obstacles and deliver computing capability across a broad spectrum of technologies and entities
Strong attention to detail
Ability to prioritize tasks so work is completed in an accurate, timely manner
Advanced level of competency in Microsoft Office Suite, as well as other relevant software for research and analysis
Highly self-motivated and self-directed
Must be creative and personable
Capable of pulling together many disparate facts and observations into one overall plan
Ability to work well in a group setting with a broad range of system experiences
Ability to quickly learn new systems/applications and grasp fundamentals/concepts of systems
Ability to shift gears midstream and move in different direction when needed
Strong negotiation and vendor relationship skills
Skill in developing information security policies and procedures, as well as successfully executing programs that meet the objectives in a dynamic environment
High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity
Ability to interact with all stakeholders and build strong relationships at all levels and across all business units and organizations
Understands business imperatives
Demonstrated comprehension of infrastructure and systems development
Demonstrated ability to develop and report on metrics
Excellent communication, facilitation, writing, and public speaking skills