Company: Ann & Robert H. Lurie Children's Hospital of Chicago

Address: Chicago, IL
Form of work: Full-Time
Category: Information Technology

Job description

Ann & Robert H. Lurie Children's Hospital of Chicago provides superior pediatric care in a setting that offers the latest benefits and innovations in medical technology, research and family-friendly design. As the largest pediatric provider in the region with a 140-year legacy of excellence, kids and their families are at the center of all we do. Ann & Robert H. Lurie Children's Hospital of Chicago is ranked in all 10 specialties by the U.S. News & World Report.
Location
680 Lake Shore Drive
Job Description
General Summary:
The Director Information Security Compliance is responsible for developing, implementing, and operationalizing the enterprise Information Security program. The Director Information Security Compliance provides operational leadership and expert direction to continuously develop the organization's Information Security practices, reduce risk, and foster a strong Information Security posture. The Director Information Security Compliance drives operations to further the Information Security program. This includes identifying, evaluating, and reporting cybersecurity risk to information assets while supporting and advancing business objectives. The Director Information Security Compliance will maintain strong knowledge of business management, and expert knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The Director Information Security Compliance is responsible for operationalizing and maintaining the Information Security program to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected.
The Director Information Security Compliance is directly responsible for managing the Information Security incident response process for incidents involving the unauthorized use, access, or disclosure of institutional information. The Director Information Security Compliance assures the Information Security control function in partnership with other control functions and collaborates within the organization to promote Information Security across the enterprise, conduct risk assessment, audit, benchmark and enhance program strength, specify risk mitigation workflows, educate, proactively manage vulnerability, and monitor the threat environment to maintain the operational and reputational integrity of the organization. The Director Information Security Compliance must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations.
Essential Job Functions

  • Develops and maintains an appropriate and protective Information Security program that includes policies and procedures, awareness training, risk analysis of new technologies, yearly budgeting, and ongoing threat management activities (including periodic analyses or assessments of potential security risks and vulnerabilities).
  • Oversees a comprehensive security incident response program (including plans, run books, exercises and testing) to ensure detection, containment and response leading to heightened resiliency to help reduce the severity of potential attacks. Meaningfully contributes to Disaster Recovery and Business Continuity programs to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
  • Devises and implements strategies to improve risk-based controls throughout our environments, including controls to prevent unauthorized access, intentional or inadvertent modification, loss, theft, or damage of any IT resources, disclosure or destruction, reduced, interrupted or terminated processing capability, malicious logic or virus activity or malware.
  • Collaborates with CISO and organizational leaders to deploy the security/education awareness program.
  • Accounts for managing and enforcing Information Security directives as mandated by HIPAA, JCAHO and other regulatory bodies. Ensures the ongoing integration of Information Security with business strategies and requirements. Ensures that the access control, disaster recovery, business continuity, incident response and risk management needs of the organization are properly addressed.
  • Audits and champions privacy and security changes and enhancements to the Information Management computing environments. Recommends appropriate security measures and creates policies and procedures that monitor and control access.
  • Verifies effectiveness of data protection controls to functionality within various clinical and business applications. Develops recommendations for appropriate protection controls within the various Lurie Children's systems. Works with Human Resources as the liaison for security issues related to employees.
  • Leads a comprehensive and effective third-party risk management program to ensure that appropriate security requirements are defined, documented, and reviewed. Utilizes third-party risk assessments to guide appropriate mitigation, risk tolerance and/or authorization decisions. When necessary, assists legal counsel with drafting the appropriate security requirements and standards that need to be included in contracts and/or Business Associate Agreements.
  • Acts as point person for external and internal compliance audits conducted by various third parties, with responsibility to appropriately report results to Senior IM Leadership. Engages in penetration studies, threat analysis, vulnerability assessments, and security audit activities to ensure IT controls and security are effective.
  • Develops business-relevant metrics to measure the efficiency and effectiveness of the overall Information Security program, facilitate appropriate resource allocation and increase the maturity of the security program.
  • Provides strategic and tactical security guidance for IT projects, including the evaluation and recommendation of technical controls.
  • Manages investigations relating to security threats, legal discovery, and violation of security policies and provides ongoing communication with Senior IM Leadership.
  • Acts as a liaison to the research organization, clinically integrated programs and business ventures for overall security posture as well as Security Compliance with organizational security policies and healthcare security regulations.
  • Other duties as assigned.

Knowledge, Skills and Abilities:
  • Demonstrated success in building and maintaining an Information Security program and aligning Information Security initiatives with organizational objectives in a cost-effective manner.
  • Bachelor's degree in information management, information technology, or related field required. Master's Degree in information management, information technology, or related field preferred.
  • Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Certified Information Privacy Professional (CIPP), Certified Information Security Manager (CISM), or Certified Information Systems Auditor (CISA) preferred.
  • At least five years of progressively responsible experience in Information Security leadership roles. At least two years of experience in Information Security leadership positions in a healthcare or life sciences environment.
  • Strong understanding of computer forensics, IT security threats and preventative measures, security incident response measures, disaster management and recovery techniques and technologies, and IT security-related laws, regulations, and guidelines.
  • Thorough knowledge of healthcare information standards, including HIPAA and other state and federal laws and compliance rules and regulations. Must possess mastery of Information Security and relevant privacy standards as well as Information Security frameworks and relevant standards, including NIST, HITRUST, Control Objectives for Information and Related Technologies (COBIT), Information Technology Infrastructure Library (ITIL), and Payment Card Industry Data Security Standard (PCI/DSS). Must have the ability to apply this knowledge in complex and unprecedented situations across multiple functional areas.
  • Thorough knowledge of network, host, application, and security management technologies, particularly in a healthcare environment.
  • Must have the ability to review and evaluate terms and conditions in software, hardware, and information technology services contracts as well as to negotiate appropriate agreements as they require input on Information Security and disaster planning.
  • Must possess highly effective written and verbal communication skills with the ability to relate directly, openly, and effectively with both internal and external parties, including the organization's governing body. Must have the ability to motivate and bridge the terminology gap between information technology and frontline staff. Must possess superb listening skills and be a continuous learner.
  • Ability to demonstrate broad and comprehensive knowledge of theories, concepts, practices, and policies with the ability to use them in complex and unprecedented situations across multiple functional areas.
  • Must maintain current knowledge of laws, regulations, and standards affecting the organization's security program, such as knowledge of HIPAA, Health Information Technology for Economic and Clinical Health (HITECH), breach notification laws, and PCI/DSS.
  • Must be comfortable in a collaborative, shared leadership environment. Must have the ability to effectively lead collaborative teams for larger projects or groups both internal and external to the organization and across functional areas, including when results have implications for the management and operations of multiple areas of the organization.
  • Must demonstrate flexibility while maintaining adequate focus on the organization's strategy and objectives as well as the requirements of external entities. Must be decisive and exercise good judgment under pressure.
  • Must have the ability to lead initiatives to meet or exceed customer service standards and expectations across multiple areas in a timely and respectful manner.
  • Must uphold the highest standards of professional and business conduct, adhering to the Medical Center's Code of Conduct and all other applicable policies and standards. Must promote a culture of compliance throughout the organization and respond to all identified compliance concerns.

Education
Benefit Statement
For full time and part time employees who work 20 or more hours per week we offer a generous benefits package that includes:
Medical, dental and vision insurance
Employer paid group term life and disability
Employer contribution toward Health Savings Account
Flexible Spending Accounts
Paid Time Off (PTO), Paid Holidays and Paid Parental Leave
403(b) with a 5% employer match
Various voluntary benefits:
  • Supplemental Life, AD&D and Disability
  • Critical Illness, Accident and Hospital Indemnity coverage
  • Tuition assistance
  • Student loan servicing and support
  • Adoption benefits
  • Backup Childcare and Eldercare
  • Employee Assistance Program, and other specialized behavioral health services and resources for employees and family members
  • Discount on services at Lurie Children's facilities
  • Discount purchasing program

Lurie Children's and its affiliates are equal employment opportunity employers. We value diversity and are committed to creating an inclusive environment for all employees. All qualified applicants will receive consideration for employment without regard to race, color, sex, sexual orientation, gender identity or expression, religion, national origin, ancestry, age, disability, marital status, pregnancy, protected veteran status, order of protection status, protected genetic information, or any other characteristic protected by law.
Support email: candidatesupport@luriechildrens.org
Refer code: 7929383. Ann & Robert H. Lurie Children's Hospital of Chicago - The previous day - 2024-01-27 01:33
