Regional Director IT Governance & Risk Management

Company: CHS Corporate


Details of the offer

Regional Director IT Governance & Risk Management

Location: Franklin, TN

Community Health Systems is one of the nation's leading healthcare providers. Developing and operating healthcare delivery systems in 41 distinct markets across 15 states, CHS is committed to helping people get well and live healthier. CHS operates 74 acute-care hospitals and more than 1,000 other sites of care, including physician practices, urgent care centers, freestanding emergency departments, occupational medicine clinics, imaging centers, cancer centers and ambulatory surgery centers.

Summary: The Regional Director IT Governance & Risk Management serves as a key point of contact between facility IT Directors, Internal Audit, Information Security and corporate IT Governance and Risk Management in the region. The individual is responsible for leading, driving, and in some cases, implementing Information Security activities and measures in company facilities by working alongside facility IT, facility Administration, Security and Compliance, IT Governance, Risk Management, Cybersecurity, and Internal Audit, supported by Regional Leadership and the Regional CIO. This position understands security risks and technological risks and is able to effectively communicate them to business owners and other leaders. This position shall drive scalability and agility, and improve operational efficiencies and standardization across the region. This position serves as FISO for each facility in the region.
Essential Duties and Responsibilities:
Track, coordinate, and gather data for audits and risk assessments within facilities using streamlined system-wide tools and templates. Develop and maintain those tools for accurate and relevant reporting purposes.
Drive and manage execution of corrective action plans to address deficiencies identified during audit activities such as PCI, HIPAA, Security Risk Analysis audits, MU/PI, etc.
Ensure the designated facility committees (e.g., Facility Compliance Committee, IT Governance Control-Owners Committee) receive and follow remediation of security control deficiencies, suspected security incidents, and complaints.
Confirm ongoing compliance with IS policies, standards, and operational procedures.
Work with division and/or facility leaders to submit and approve quarterly, annual and any other necessary policy and procedure reviews.
Facilitate and conform audit response activities for RFIs and remediation plans to address issues identified by Internal Audit, Security Compliance or external auditors (e.g., PCI, HIPAA Security audits, MU/PI).
Provides leadership for communication of the security compliance standards, information security training and security awareness programs at each facility.
Provides leadership for contingency planning activities, including security incident reporting, working in tandem with facility FPOs and FCOs to coordinate all security incidents occurring at the facility.
Effectively communicate security-related concepts to all levels of organization personnel; this can include developing or providing documentation and presentations to others as required.
Communicates on behalf of the Corporate Security Awareness Team and the Information Security Department.
Work with appropriate business, IT, supply chain, and corporate IS stakeholders, and audit control owners to help ensure region and facility-specific systems, services, and devices receive proper security assessments and remediation.
Coordinates with facility IT managers to ensure appropriate information security procedures are integrated into daily operations and procedures to ensure confidentiality, integrity, and availability of all company infrastructure and data.
Assist in audit scoping discussions, conduct training, and design and implement audit controls as required.
Assist in developing and implementing testing of controls to ensure proactive compliance management.
Implement continuous improvement strategies working with Corporate IT Governance and Risk Management.
Work with corporate to build an Audit Awareness program across the region.
Implement risk management strategies and plans of action, and assist with GRC exceptions as needed.
Travel to the affiliated facilities and clinics as needed to fulfill the needs of audit and audit requests and collaborate with internal and external auditors.
Provides exceptional communication and motivation to all stakeholders regarding facility/region-level technology portfolio.
Performs other duties as assigned.

Qualifications:
Required Education: Bachelor's Degree in computer science, information systems, business administration, cybersecurity, hospital management, or equivalent experience
Preferred Education: Master's Degree in computer science, information systems, business administration, cybersecurity, hospital management, or equivalent experience
Required Experience:
Minimum of 10 years of experience in some combination of audit, risk management, information security, privacy, and information technology.
Experience in developing and analyzing technical and process-based controls, managing risk assessments/investigations, and working with organization management to integrate controls into the scope of existing business practices.
Exposure to management and/or operations in a number of healthcare business or IT functional areas.
Knowledge of information security regulations (HIPAA Privacy/Security, Sarbanes-Oxley IT controls, Payment Card Industry (PCI), Security Risk Assessment, Cyber Security).
Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
Possesses the ability to build and maintain positive team relationships at all levels of the facility, market, and corporate levels.
Owns a sense of responsibility and accountability - someone who takes ownership and initiative.
Demonstrates a high level of administrative and analytical skills necessary to provide overall direction and strategic planning in an information service environment.
Strong written and verbal communication skills across all levels of the organization.
High level of integrity, trustworthiness and confidence to represent the company, security, risk management, and compliance leadership with the highest level of professionalism.
Project management, multitasking and organizational skills.
Demonstrates understanding and comprehension of a wide range of compliance and technology frameworks.
Delivers an extremely high level of interpersonal and communication skills, both verbal and written, to interact effectively with all customers.

Preferred Experience:
ServiceNow Reporting, data analytics, ITAM/CMDB
Experience with automated vulnerability scanning tools and interpreting Return on investment ("ROI") analysis
IT Equipment disposals including BioMed equipment disposals
Contract review and management
Team building
Budget development and management
Information system selection, implementation, support, and turn-down
Strategic planning
Data center, LAN/WAN operations

Preferred License/Registration/Certification: HIPAA Privacy/Security, Sarbanes-Oxley IT controls, Payment Card Industry (PCI), Security Risk Assessment, Cyber Security Certifications, CISA certification
Physical Demands: To successfully perform this job, with or without a reasonable accommodation, the Employee must meet the demands outlined below:
The Employee is required to read, review, prepare and analyze written data and figures, using a PC or similar, and should possess visual acuity. The Employee may be required to occasionally climb, push, stand, walk, reach, grasp, kneel, stoop, and/or perform repetitive motions. The Employee is not substantially exposed to adverse environmental conditions and, therefore, job functions are typically performed under conditions such as those found within general office or administrative work.


Source: Grabsjobs_Co


Built at: 2024-05-07T00:12:33.831Z