Lead IT Security Analyst HIPAA Hitrust FISMA
Listed on 2026-06-18
IT/Tech
Cybersecurity, Information Security
Location: New York
NYU Langone Health is a fully integrated health system that consistently achieves the best patient outcomes through a rigorous focus on quality that has resulted in some of the lowest mortality rates in the nation. Vizient Inc. has ranked NYU Langone the No. 1 comprehensive academic medical center in the country for three years in a row, and U.S. News & World Report recently placed nine of its clinical specialties among the top five in the nation.
NYU Langone offers a comprehensive range of medical services with one high standard of care across 6 inpatient locations, its Perlmutter Cancer Center, and over 320 outpatient locations in the New York area and Florida. With $14.2 billion in revenue this year, the system also includes two tuition‑free medical schools, in Manhattan and on Long Island, and a vast research enterprise with over $1 billion in active awards from the National Institutes of Health.
Summary
We have an exciting opportunity to join our team as a Lead IT Security Analyst.
This position reports to the IT Controls & Regulatory Compliance Manager and serves as a senior individual contributor and subject matter expert responsible for leading enterprise risk assessments and evaluating the security of modern technology environments, including cloud‑based platforms.
The IT Controls Lead drives the design, execution, and continuous improvement of the organization’s risk assessment program to ensure compliance with regulatory and industry requirements, including HIPAA, HITRUST, PCI DSS, and FISMA.
This role partners closely with IT, Security, Clinical, Research, and Compliance stakeholders to assess risk across enterprise systems, research technologies, and cloud infrastructure, and to ensure that security controls are appropriately designed and operating effectively.
Job Responsibilities
Enterprise Risk Assessment Leadership
- Lead the execution and maturation of the enterprise risk assessment program aligned to regulatory and industry frameworks
- Conduct and oversee complex risk assessments, including HIPAA and HITRUST‑aligned evaluations
- Define and maintain risk assessment methodologies, scoring models, and standards
- Identify, analyze, and document risks, and develop actionable remediation strategies
- Lead security assessments of cloud and hybrid environments (e.g., IaaS, PaaS, SaaS)
- Evaluate key control domains, including:
  - Identity and access management
  - Network architecture and segmentation
  - Logging, monitoring, and detection capabilities
  - Data protection and encryption
- Assess alignment to frameworks such as:
  - HITRUST
  - PCI
  - NIST Cybersecurity Framework
  - ISO/IEC 27001
- Partner with engineering and security teams to validate that controls are effectively implemented in real‑world environments
- Lead security and risk reviews of research technologies and data use cases, including systems handling sensitive or regulated data
- Partner with clinical and research stakeholders to evaluate emerging technologies and ensure appropriate risk controls are in place
- Provide guidance on secure design and data protection strategies
- Serve as a senior escalation point for complex or high‑risk assessments across:
  - Enterprise systems
  - Third‑party/vendor solutions
  - Cloud and research environments
- Provide subject matter expertise and mentorship to team members supporting assessments and compliance activities
- Influence decision‑making across stakeholders without direct authority
- Support internal and external audit activities by providing subject matter expertise, documentation, and control validation
- Ensure risk assessments and control evaluations align with regulatory expectations and audit requirements
- Partner with the IT Controls Manager on audit responses and remediation planning
- Identify opportunities to enhance assessment processes, tooling, and automation
- Contribute to development of metrics, dashboards, and reporting to measure risk posture and program effectiveness
- Drive continuous improvement in how risk is identified, assessed, and managed across the…