Senior Security Director (Senior Director), EITS ...
NYC Health + Hospitals - New York City, NY
Empower Every New Yorker - Without Exception - to Live the Healthiest Life Possible

NYC Health + Hospitals is the largest public health care system in the United States. We provide essential outpatient, inpatient and home-based services to more than one million New Yorkers every year across the city's five boroughs. Our large health system consists of ambulatory centers, acute care centers, post-acute care/long-term care, rehabilitation programs, Home Care, and Correctional Health Services. Our diverse workforce is uniquely focused on empowering New Yorkers, without exception, to live the healthiest life possible.

At NYC Health + Hospitals, our mission is to deliver high quality health care services, without exception. Every employee takes a person-centered approach that exemplifies the ICARE values (Integrity, Compassion, Accountability, Respect, and Excellence) through empathic communication and partnerships between all persons.

Job Description

The Senior Director, EITS Security is responsible for providing oversight and direction to ensure corporate information security policies, processes, and safeguards are consistently applied to protect patient, employee, and proprietary confidential data. The Senior Director, EITS Security is part of the Enterprise Information Technology Services, Information Security and Risk Management team and will work at an enterprise level to ensure a consistent delivery of information security and risk management services.

This individual will act as a subject matter expert and lead the threat management program for the system. This includes overseeing and leading incident handling, performing in-depth forensic investigations, investigating alerts escalated by lower tiers, performing malware analysis, helping review and enhance the current IR program, and developing and leading the threat hunting program.

Additionally, this individual should be able to evaluate and lead implementation of complementary security tools, fine-tune existing tools, develop use cases, generate detailed and summary reports, enable the incident response team to threat hunt on a regular basis, and assess risk and provide recommendations to improve the security posture of the organization. This knowledge will enable the individual to assist in information security and compliance with HIPAA, Joint Commission and state cybersecurity laws. In addition to the needed security expertise, the position requires leadership and strong interpersonal skills to ensure the cybersecurity program continually improves at NYC Health + Hospitals.

Duties & Responsibilities

- Support and advise the Chief Information Security Officer (CISO) in the development and execution of the enterprise security program, including collaborating and working closely with members of the ISRM team to develop innovative and effective procedures for incident response operations, collaborating on incident response efforts with multiple city agencies and external partners, coordinating tabletop exercises, and overseeing training for the security operations center and remaining tiers for incident response.
- Develop effective working relationships with business and clinical leadership to champion information security initiatives and provide strategic influence throughout the enterprise.
- Develop, implement and manage the threat hunting program by conducting in-depth malware analysis, host and network forensics, log analysis, and triage.
- Utilize Security Incident & Event Management (SIEM) technologies (ArcSight preferred), host forensics tools, Endpoint Detection & Response tools, and network forensics (full packet capture solution) to perform threat hunting and investigative activity.
- Stay current with vulnerability information across all the products in the H+H environment and maintain knowledge of the threat landscape.
- Keep informed on current threats and industry regulations.
- Attend regular team meetings and facilitate meetings between stakeholders, project leaders, and the Information Technology teams to help implement (where applicable) remediation plans in response to incidents.
- Provide incident response summaries in written or verbal format to EITS leadership when needed.
- Oversee the implementation of a 24x7 managed security operations center (SOC) and ensure people, process and technology are embedded with H+H policies and procedures.
- Identify and implement emerging security technologies, information systems security issues, safeguards, and techniques.
- Review information security policies and procedures as directed by the organization's Information Security Policy Steering Committee and in conjunction with NYC H+H related policies.
- Participate in all relevant audits and risk assessment activities.
- Respond to requests from regulating bodies and certifications such as NYS, OCR, CMS, American College of Surgeons and Joint Commission.
- Participate in emergency preparedness and business continuity planning exercises.
- Ensure the execution of periodic reviews of our security stack to ensure optimal performance.

Minimum Qualifications

1. Master's degree from an accredited college or university in Healthcare Administration, Health Care Planning, Business Administration, Public Administration or a related discipline; and seven (7) years of progressively responsible experience in health and medical service administration, public administration, personnel and labor relations, finance or appropriate functional discipline with an emphasis on planning, liaison and inter-organizational relationships, or related administrative or managerial functions; or
2. Bachelor's degree from an accredited college or university in disciplines, as listed in "1" above; and eight (8) years of progressively responsible experience in areas, as listed in "1"; or
3. Satisfactory equivalent combination of education, training and/or experience. However, all candidates must have a minimum of a Bachelor's degree in disciplines, as listed in "1" above.

Department Preferences

Certification(s)/NYS Licenses/Education:

- CISSP, GSEC, CEH, GCFA or other relevant security qualification

Knowledge, Skills, Abilities and other Requirements:

- Healthcare industry experience required, with understanding of EMR systems and data privacy issues related to PHI
- Excellent written and verbal communication skills; interpersonal and collaborative skills; and the ability to communicate information security and risk related concepts to technical and non-technical audiences
- Experience with reviewing IT solution requirements and security controls implementation
- A strong understanding of the business impact of security tools, technologies and policies
- Knowledge and experience working with various security technologies
- Strong working knowledge of HIPAA, Joint Commission, CMS, and other regulatory legislation pertinent to the healthcare industry
- Working knowledge of information security frameworks such as NIST CSF, HITECH, ISO27001/27002, PCI DSS and COBIT
- Experience in conducting and responding to information security assessments and audits
- Strong analytical skills and the ability to resolve complex security vulnerabilities and design compensating controls
- Cyber threat intelligence and analysis
- Forensic and malware analysis
- Deep packet and log analysis
- Strong knowledge of Security Incident & Event Management (SIEM) technologies; ArcSight preferred
- Full understanding of Tier 1 responsibilities/duties and how the duties feed into Tier 2
- Ability to take the lead on incident research and mentor junior analysts
- Understanding of vulnerability and patch management
- Strong knowledge of vulnerability scoring systems (CVSS/CMSS) and security frameworks like OWASP (Open Web Application Security Project) and MITRE ATT&CK

Years of Experience:

- At least 7 years of IT experience with at least 5 years dedicated to threat management and incident response
- Great interpersonal skills and the ability to manage a team while working well with peers and H+H leadership

If applying online, please include your cover letter in the same file attachment with your uploaded resume.

NYC Health and Hospitals offers a competitive benefits package that includes:

- Comprehensive Health Benefits for employees hired to work 20+ hrs. per week
- Retirement Savings and Pension Plans
- Loan Forgiveness Programs for eligible employees
- Paid Holidays and Vacation in accordance with employees' collectively bargained contracts
- College tuition discounts and professional development opportunities
- Multiple employee discount programs

Note: Candidates selected for a position are required to come to NYC as part of their onboarding.
Created: 2024-10-29