Job Information

Guthrie Cybersecurity GRC Analyst - IT Security - Full Time in United States

Summary:

Operate a Cyber Governance, Risk & Control (GRC) program built on the HITRUST Common Security Framework (CSF) and the NIST Cybersecurity Framework, covering SOC 2 reporting, HIPAA compliance and cyber risk quantification.

This role will research, design, implement, measure and communicate information technology and information security control standards, policies, guidelines and procedures while providing industry best-practice consulting and expertise. The analyst will partner with key stakeholders as the cybersecurity subject matter expert for procurement, legal, audit and compliance initiatives, and will help develop and continuously improve the information security and risk management program.

Essential Functions:

  • Collaborate with IT, cybersecurity, audit, compliance, caregivers, third parties and other key stakeholders to identify, design, implement, measure and monitor IT controls that quantifiably reduce patient care and financial loss risks.

  • Drive continuous improvement of our cybersecurity program by challenging its status quo and identifying the top cyber threats, control risks and risk treatments, following industry best practices

  • Perform control assessments against the HITRUST Common Security Framework (CSF), the NIST Cybersecurity Framework and SOC 2 Type 2 controls; consult on control design and assess control operating effectiveness, ensuring controls deliver risk-reducing value for the investment

  • Maintain a control catalog and control performance metrics to measure control effectiveness and inform control investment decisions

  • Drive preparation for compliance audits and control evidence collection

  • Conduct IT risk assessments, an annual HIPAA security assessment and track control remediation

  • Conduct third-party IT risk management program activities by performing supplier security due diligence assessments and contract information security requirement reviews for new and existing suppliers

  • Produce and continually enhance IT standards, policies, guidelines and procedures

  • Coordinate and maintain a calendar of information security and risk management events, such as regular penetration tests, control assessments, contract reviews, auditing activities, etc.

  • Promote a cybersecurity-aware culture: lead enterprise cybersecurity training and phishing simulation campaigns, keep training materials up to date, and run occasional cybersecurity training sessions on select topics

  • Provide cybersecurity expertise/consulting to teams and management

  • Work independently, requiring guidance only in new or complex situations

  • Effectively communicate the “why” of the cyber security program to caregivers, management, cyber insurers and other stakeholders

  • Lead root cause analysis of problems and incidents so that their causes are addressed and recurrence is prevented

  • Consistently produce measurable, high-quality cyber risk-reducing results

  • Respond to caregivers’ requests with timely and accurate answers

  • Write clear, concise, accurate and audience-centric reports, presentations and communications

Other Duties:

  • Participate in and maintain membership in cybersecurity and relevant healthcare industry information sharing organizations such as Health-ISAC, WiCyS, AEHIS/CHIME, etc.

  • Keep supervisor informed on areas of responsibility

  • Perform other duties as assigned

Education, License & Certification:

Required:

  • Associate’s degree in Information Systems, Cybersecurity, Computer Science or related discipline

  • 2+ years of IT, IT control assurance or cybersecurity GRC experience

  • One of Security+, GIAC Information Security Fundamentals (GISF) or (ISC)² Certified in Cybersecurity (CC), plus Microsoft Certified: Security, Compliance, and Identity Fundamentals, required within 6 months of hire

  • Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) or similar cloud certification within one year

Preferred:

  • Bachelor’s degree in Information Systems, Cybersecurity, Computer Science or related discipline

  • IT technical background

  • Experience in reviewing cyber security legal contract language

  • GIAC Security Essentials (GSEC), GIAC Critical Controls Certification (GCCC), (ISC)² Certified in Governance, Risk and Compliance (CGRC), Certified Cloud Security Professional (CCSP), ISACA Certified in Risk and Information Systems Control (CRISC), Factor Analysis of Information Risk (FAIR) certification, Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK), or a similar industry or cloud certification

Joining the Guthrie team allows you to become a part of a tradition of excellence in health care. In all areas and at all levels of Guthrie, you’ll find staff members who have committed themselves to serving the community.

The Guthrie Clinic is an Equal Opportunity Employer that welcomes and encourages diversity in the workplace.

The Guthrie Clinic is a non-profit, integrated, practicing physician-led organization in the Twin Tiers of New York and Pennsylvania. Our multi-specialty group practice of more than 500 physicians and 302 advanced practice providers offers 47 specialties through a regional office network providing primary and specialty care in 22 communities. Guthrie Medical Education Programs include General Surgery, Internal Medicine, Emergency Medicine, Family Medicine, Anesthesiology and Orthopedic Surgery Residency, as well as Cardiovascular, Gastroenterology and Pulmonary Critical Care Fellowship programs. Guthrie is also a clinical campus for the Geisinger Commonwealth School of Medicine.