BJC Careers

IT Security Risk Regulatory Assessor

Saint Louis, MO
Information Services


Job Description

Job ID: 1176994
Employment Status: Full-Time
Regular/Temporary: Regular

Your Career. Made Better.

BJC HealthCare is one of the largest nonprofit health care organizations in the United States, delivering services to residents primarily in the greater St. Louis, southern Illinois and mid-Missouri regions. BJC serves patients and their families in urban, suburban and rural communities through its 15 hospitals and multiple community health locations. Services include inpatient and outpatient care, primary care, community health and wellness, workplace health, home health, community mental health, rehabilitation, long-term care and hospice.

IS Security Services serves as an independent, objective catalyst for implementing effective and efficient controls to protect BJC HealthCare (BJC) information resources through collaboration with customers. We provide value to our customers and the organization by: Ensuring compliance with internal policies and external regulations; evaluating information system and application controls; educating BJC employees and other strategic partners on information systems security practices and concepts; acting as a resource on security controls for new and existing information systems and applications; recovering mission critical applications and data vital to the organization and strategic partners; investigating practices not in compliance with established BJC Information Services security policies and standards.


Join Us!


Role Purpose

Performs regulatory IT security risk assessments for BJC. Serves as a subject matter expert in cybersecurity and in the security risks and controls that relate to business solutions supporting clinical and other functional areas. Readily identifies mitigating controls for the gaps found, to help defend the BJC infrastructure.


Responsibilities

  • Develop enterprise-wide and entity level risk assessment methodology. Present and obtain Senior IT Management approval and implement the process, completing the enterprise and entity level risk assessments on a timely, regular cadence.
  • Perform enterprise-wide and entity-specific regulatory security risk assessments on matters related to: Meaningful Use - this includes but is not limited to conducting periodic on-site walk-throughs and performing quarterly and other required reporting for the Book of Evidence as determined by the Meaningful Use Team. PCI-DSS compliance efforts - this includes but is not limited to performing PCI assessments, testing controls, meeting with business solution owners and crafting appropriate and actionable remediation activities, and performing follow-up duties including gathering substantiation that mitigation plans have been completed. Responsible for effective, timely reporting of assessments and follow-up. IT Audit and Compliance projects, including oversight of external auditors, consultants and assessors. Leading the IT Security response to OCR investigations, as assigned.
  • Policy Development: Develop enterprise-wide compliance policies related to the HITECH/HIPAA Security Rule, PCI-DSS, Meaningful Use, GDPR and others. Develop IT Governance contract provisions for external service providers and vendors. Represent IT Security on various compliance and legal committees and other groups.
  • Perform full, detailed regulatory security risk assessments on high- or critical-rated applications, identifying control gaps and working with business owners to provide actionable risk remediation activities and timelines. Able to research, analyze, interpret, evaluate, and integrate complex data from a wide variety of sources and provide creative solutions that align with strategic clinical and business workflows. Ensure compliance of system and application security within scope of responsibility, in accordance with defined service levels, security practices/guidelines, and relevant technology standards. Perform quarterly follow-up activities to report on status and/or mitigation completion. Skillful interaction with business process owners, IT technical and security personnel, vendors, management and other interested parties is required. This includes but is not limited to conducting meetings with business process owners and vendors, investigating vendor security posture and performance, reviewing baseline controls and gaps, and documenting results. Effectively report findings in a formal Security Risk Assessment report. Identify and complete Risk Acceptance forms where an exception to a policy or requirement is significant and needs to be reported to Management for approval.
  • Conduct follow-up and assist with resolution of all findings (internal/external audit, other) added to the risk register. Add and maintain status updates for high and critical findings on high and critical business solutions.

Minimum Requirements

Degree

  • Associate's Degree

Experience

  • 5-10 years

Preferred Requirements and Additional Job Information

Degree

  • Bachelor's Degree

Supervisor Experience

  • < 2 years

Licenses & Certifications

  • CEH
  • CIA
  • CISA
  • Cert. Info Security Officer
  • CISSP
  • Healthcare Information Sec
  • Payment Card Industry
  • Qualified Security Assessor

Benefits Statement

Note: not all benefits apply to all openings

  - Comprehensive medical, dental, life insurance, and disability plan options
  - Pension Plan*/403(b) Plan
  - 401(k) plan
  - Tuition Assistance
  - Health Care and Dependent Care Reimbursement Accounts
  - On-Site Fitness Center (depending on location)
  - Paid Time Off Program for vacation, holiday and sick time

*Pension does not apply to Memorial Hospital, Memorial Hospital East, Memorial Medical Group, Alton Memorial or Parkland Health Center


Legal Statement

The above information on this description has been designed to indicate the general nature and level of work performed by employees in this position. It is not designed to contain or be interpreted as an exhaustive list of all responsibilities, duties and qualifications required of employees assigned to this job.

Equal Opportunity Employer