Security Engineer, Third Party Risk and Acquisition
Location
Franklin, TN | United States
Job description
Location/Work Schedule:
Hybrid in Franklin, TN
- The first 90 days will be in-office (5 days a week)
- After 90 days, the position will be hybrid (3 days in office; 2 days remote)
PURPOSE STATEMENT:
The Sr. Security Engineer for Third Party Risk and Acquisitions plays a pivotal role to proactively assess, mitigate, and manage security risks associated with third-party vendor relationships and the integration of newly acquired healthcare entities and joint ventures. This role is dedicated to ensuring the security and privacy of healthcare data while maintaining compliance with regulatory requirements, including HIPAA. By identifying vulnerabilities, implementing security measures, and supporting informed decision-making during mergers and acquisitions, the Security Engineer plays a vital role in safeguarding patient information, business continuity, and the ethical delivery of healthcare services in a rapidly evolving healthcare landscape. The Security Engineer supports our mission to provide exceptional patient care by safeguarding sensitive information and upholding the highest standards of data security and compliance.
ESSENTIAL FUNCTIONS:
- Third-Party Risk Assessment:
  - Conduct comprehensive security assessments of third-party vendors, including evaluating their security policies, procedures, and controls.
  - Identify vulnerabilities and potential risks associated with third-party relationships and recommend necessary improvements.
  - Interpret and analyze SOC 2 Type 2 reports provided by third-party vendors and supply chain partners.
  - Evaluate the effectiveness of security controls and practices as outlined in the reports, with a focus on their relevance to the healthcare environment.
  - Collaborate with internal teams to address any identified issues or deficiencies in third-party and supply chain security controls.
- Due Diligence for Acquisitions and Mergers:
  - Collaborate with cross-functional teams during due diligence processes for mergers and acquisitions to assess the security posture of potential partners.
  - Provide insights and recommendations to the senior leadership team to support informed decision-making.
- Security Policy and Procedure Development:
  - Develop and maintain security policies and procedures tailored to the healthcare environment, ensuring compliance with industry regulations and best practices.
- Vendor Security Management:
  - Work closely with procurement and vendor management teams to ensure that vendors meet security requirements and maintain ongoing compliance.
- Supplier Security Audits:
  - Conduct security audits and assessments of key supply chain partners to ensure compliance with security requirements and regulations.
  - Develop and maintain relationships with suppliers to support ongoing security monitoring and risk management efforts.
- Incident Response:
  - Participate in incident response planning and execution, especially in situations involving security incidents within third parties, the supply chain, or acquired entities.
  - Collaborate with relevant teams to minimize the impact of third-party and supply chain security breaches.
- Compliance and Audit Support:
  - Support regulatory compliance efforts, such as HIPAA, by conducting security audits and assessments and providing documentation and evidence as needed.
- Security Awareness and Training:
  - Work closely with the Security Awareness and Training team to help develop security awareness training for third-party vendors and acquired entities to promote a culture of security.
- Security Monitoring and Risk Reporting:
  - Implement and manage security monitoring systems to detect and respond to security events related to third-party vendors and acquisitions.
  - Prepare and deliver regular risk and compliance reports to executive management.
OTHER FUNCTIONS:
- Performs other duties as assigned.
STANDARD EXPECTATIONS:
- Complies with organizational policies, procedures, performance improvement initiatives and maintains organizational and industry policies regarding confidentiality.
- Communicates clearly and effectively with person(s) receiving services and their family members, guests, and other members of the health care team.
- Develops constructive and cooperative working relationships with others and maintains them over time.
- Encourages and builds mutual trust, respect, and cooperation among team members.
- Maintains regular and predictable attendance.
EDUCATION/EXPERIENCE/SKILL REQUIREMENTS:
- Education: A bachelor’s degree or equivalent work experience.
- Experience: Minimum of 5 years of cybersecurity experience, with a preference for at least 3 years in third party risk or mergers and acquisitions.
- Expertise: Strong knowledge of cybersecurity principles, technologies, and best practices. Proven experience in healthcare security and knowledge of industry regulations, such as HIPAA and HITECH.
- Communication: Excellent communication and collaboration skills to work with diverse teams and vendors.
- Compliance: Knowledge and understanding of relevant legal and regulatory requirements, such as: Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security Standard (PCI).
- Frameworks: Proficiency in common information security management frameworks, such as ITIL, the Center for Internet Security (CIS) Critical Security Controls (CSC), and NIST publications, including SP 800-53, the Cybersecurity Framework, and SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations).
- Problem-Solving: Strong problem-solving and analytical abilities.
- Technology Proficiency: Candidates must be capable of effectively evaluating and implementing technical alternatives, staying up to date with emerging technologies, risk assessment methodologies, and incident response.
- Self-Motivation: Self-motivated with strong organizational skills and exceptional attention to detail.
- Multitasking: Ability to manage multiple tasks/projects simultaneously within strict time frames and adapt to frequent priority changes.
- Adherence: Capability to work within established policies, procedures, and practices set by the organization.
- Language Skills: Proficient in English to provide and receive instructions and directions effectively.
LICENSES/DESIGNATIONS/CERTIFICATIONS:
- Certifications: Desired but not required: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), GIAC Systems and Network Auditor (GSNA), Shared Assessments Certified Third Party Risk Professional (CTPRP) or Certified Third Party Risk Assessor (CTPRA), or other similar credentials.
SUPERVISORY REQUIREMENTS:
This position is an Individual Contributor.
AHCORP