
IT Security Risk Assessor

Job Description

Job ID: 1220359
Employment Status: Full-Time
More Information:

BJC HealthCare is one of the largest nonprofit health care organizations in the United States, delivering services to residents primarily in the greater St. Louis, southern Illinois and mid-Missouri regions. BJC serves patients and their families in urban, suburban and rural communities through its 15 hospitals and multiple community health locations. Services include inpatient and outpatient care, primary care, community health and wellness, workplace health, home health, community mental health, rehabilitation, long-term care and hospice.

IS Security Services serves as an independent, objective catalyst for implementing effective and efficient controls to protect BJC HealthCare (BJC) information resources through collaboration with customers. We provide value to our customers and the organization by:

  • Ensuring compliance with internal policies and external regulations
  • Evaluating information system and application controls
  • Educating BJC employees and other strategic partners on information systems security practices and concepts
  • Acting as a resource on security controls for new and existing information systems and applications
  • Recovering mission-critical applications and data vital to the organization and strategic partners
  • Investigating practices not in compliance with established BJC Information Services security policies and standards


Role Purpose

Performs confidentiality, integrity and availability IT security risk assessments for BJC. Serves as a subject matter expert in cybersecurity and in security risks and controls as they relate to business solutions used to support clinical and other functional areas. Readily identifies mitigating controls for identified gaps to help defend the BJC infrastructure.


  • Performs and advances the security risk assessment methodology. Presents process improvements to Senior IT Management, obtains their approval and implements the resulting process modifications successfully. Completes business solution risk assessments on a timely, regular cadence.
  • Performs security risk assessments on a wide variety of business solutions, including but not limited to software, hardware, networks, mobile devices and medical devices, as well as complex solutions that combine any number of the above. Applies technical expertise and a comprehensive understanding of the related IT controls in areas including, but not limited to: Access and Authentication, Data Security, Secure Software Development, Infrastructure and Operations, Boundary Protection, Vulnerability Management, Business Continuity and Disaster Recovery. Responsible for effective, timely reporting of assessments and follow-up. Oversees and/or participates in IT Audit and Compliance projects. Responsible for compiling data, reviewing processes and developing formal responses to OCR and other requests concerning security events or incidents.
  • Performs full, detailed security risk assessments on high- or critical-rated applications, identifying control gaps and working with business owners to provide actionable risk remediation activities and timelines. Able to research, analyze, interpret, evaluate and integrate complex data from a wide variety of sources and provide creative solutions that align with strategic clinical and business workflows. Ensures compliance of system and application security within the scope of responsibility, in accordance with defined service levels, security practices/guidelines and relevant technology standards. Performs quarterly follow-up activities to report on status and/or mitigation completion. Skillful interaction with business process owners, IT technical and security personnel, vendors, management and other interested parties is required; this includes but is not limited to conducting meetings with business process owners and vendors, investigating vendor security posture and performance, reviewing baseline controls and gaps, and documenting results. Effectively reports findings in a formal Security Risk Assessment report. Identifies and completes Risk Acceptance forms where an exception to a policy or requirement is significant and needs to be reported to Management for approval.
  • Policy Development: Develops enterprise-wide compliance policies related to the HITECH/HIPAA Security Rule, PCI-DSS, Meaningful Use, GDPR and others. Develops IT Governance contract provisions for external service providers and vendors. Represents IT Security by serving on various compliance and legal committees and other groups.
  • Conducts follow-up on, and assists with resolution of, all findings (internal/external audit, other) added to the risk register. Adds and maintains status updates for high and critical findings on high and critical business solutions.

Minimum Requirements

  • Bachelor's Degree
  • 5-10 years

Supervisor Experience

  • No Experience

Preferred Requirements and Additional Job Information

Licenses & Certifications

  • CEH
  • CIA
  • CISA
  • Cert. Info Security Officer
  • Healthcare Information Sec

Benefits Statement

Note: not all benefits apply to all openings

    -  Comprehensive medical, dental, life insurance, and disability plan options
    -  Pension Plan*/403(b) Plan
    -  401(k) plan
    -  Tuition Assistance
    -  Health Care and Dependent Care Reimbursement Accounts
    -  On-Site Fitness Center (depending on location)
    -  Paid Time Off Program for vacation, holiday and sick time

    *Pension does not apply to Memorial Hospital, Memorial Hospital East, Alton Memorial or Parkland Health Center

Legal Statement

The above information on this description has been designed to indicate the general nature and level of work performed by employees in this position. It is not designed to contain or be interpreted as an exhaustive list of all responsibilities, duties and qualifications required of employees assigned to this job.

Equal Opportunity Employer