
Director Chief Information Security Officer - IS Technology

Job in Helena, Lewis and Clark County, Montana, 59604, USA
Listing for: Stpetes
Full Time position
Listed on 2025-11-27
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, IT Consultant, IT Project Manager
Salary/Wage Range or Industry Benchmark: 150000 - 200000 USD Yearly
Job Description & How to Apply Below

The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the enterprise vision, strategy, and program for protecting the organization's information assets, including all forms of protected health information (PHI) and confidential data. The CISO will lead the effort in identifying, assessing, and mitigating information security risks across clinical, administrative, and third-party environments, ensuring compliance with all applicable regulations, including HIPAA, and industry best practices.

This role requires a balance of strategic leadership, technical expertise, and a deep understanding of the unique challenges in the healthcare industry, with a focus on patient safety and care continuity.

Strategic Leadership & Governance
  • Develop and execute a comprehensive, long-term information security strategy and roadmap that is aligned with the organization's clinical and business objectives.

  • Establish and maintain the organization's information security management framework (e.g., based on 405D, NIST CSF, ISO 27001, or HITRUST).

  • Collaborate with SPH leadership, including the Board of Directors, to define the organization’s risk tolerance and regularly report on the overall security posture, emerging threats, and mitigation plans.

  • Manage the information security budget and oversee all security-related technology investments.

Risk Management and Regulatory Compliance
  • Lead enterprise-wide risk assessments to identify, prioritize, and manage security risks to all information systems and data. Partner with the SPH Risk and Compliance Officer.

  • Ensure rigorous compliance with all relevant federal, state, and international data privacy and security regulations, including HIPAA/HITECH, GDPR, and other applicable laws.

  • Oversee the development, implementation, and maintenance of all security policies, procedures, and standards.

  • Manage audit readiness and lead remediation efforts for all internal and external security and compliance audits (e.g., HITRUST, SOC 2).

  • Oversee a robust Vendor and Third-Party Risk Management program to assess and mitigate security risks introduced by external partners.

Security Operations and Incident Response
  • Direct security operations, including threat and vulnerability management, identity and access management (IAM), Security Information and Event Management (SIEM), and endpoint protection.

  • Lead the development, implementation, and ongoing testing of the Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans to ensure operational resilience for clinical and administrative systems.

  • Serve as the executive crisis manager for all major security incidents and breaches, coordinating investigation, forensic analysis, root cause determination, and executive-level communications.

  • Oversee the security of electronic health record (EHR) systems, medical devices, and all clinical technology platforms.

Team Leadership and Security Culture
  • Build, mentor, and lead a high-performing information security team with expertise across governance, risk, compliance (GRC), and security operations (SecOps).

  • Foster a strong, security-conscious culture across the entire organization (employees, clinicians, and contractors) through mandatory and role-specific security awareness and training programs.

  • Act as a collaborative partner to all business units, including IT, Clinical Operations, Legal, and HR, to ensure security is embedded into all new technologies and clinical workflows.

KNOWLEDGE/EXPERIENCE:

Education and Experience
  • Minimum 2 years of progressive experience in Information Security, with at least 2 years in a senior leadership/executive role (CISO or equivalent) preferred.

  • Deep and demonstrated expertise in the healthcare industry, with a strong understanding of clinical workflows, EHR systems, and the protection of PHI preferred.

Certifications (Preferred)
  • Certified Information Security Manager (CISM)

  • Certified Information Systems Security Professional (CISSP)

  • Certified Chief Information Security Officer (CCISO)

  • HITRUST CSF Practitioner (CCSFP)

Required Skills and Competencies
  • Cybersecurity Technologies:
    Expertise with enterprise-grade security architecture,…
