HCA, Hospital Corporation of America Corporate Facility Information Security Official in Brentwood, Tennessee
WHY HCA? At its founding in 1968, Nashville-based HCA was one of the nation's first hospital companies. Today, one of the nation's leading providers of healthcare services, HCA is comprised of locally-managed facilities that include more than 250 hospitals and freestanding surgery centers in 20 states and the United Kingdom, employing approximately 230,000 people. Approximately four to five percent of all inpatient care delivered in the country today is provided by HCA facilities resulting in more than 26M patient encounters each year. HCA is committed to the care and improvement of human life and strives to deliver high quality, cost effective healthcare in the communities we serve. Building on the foundation provided by our Mission & Values, HCA puts patients first and works to constantly improve the care we provide by implementing measures that support our caregivers, help ensure patient safety and provide the highest possible quality.
• Ranked 63 in Fortune 500
• Competitive Fortune 100, industry matched salaries and yearly merit increase
• Computerworld Top 50 Best Places to Work in IT annually since 2009
• Named one of the “World’s Most Ethical Companies” annually since 2010
• 106 HCA hospitals are on The Joint Commission’s list of top performers on key quality measures.
The Corporate Facility Information Security Official (FISO) is responsible for leading, driving, and in some cases, implementing Information Security (IS) activities and measures in company facilities, working alongside the physician practice FISO, supported by the division, under the supervision of the IT Security Manager as well as the Division Information Security Official (DISO).
These activities are part of the enterprise (company-wide) and division-specific IS programs and operations. IS activities at the facility-level are primarily based on: (a) ongoing IS work and expectations outlined in the company’s IS policies, standards, and guidance documents, (b) new and/or prioritized IS work in the Facility IS Action Plans from the Corporate IS Department, and (c) IS aspects in projects from the IS Department, IT&S Department, Business Units and Division.
/Enterprise IS Program:/
The enterprise (company-wide) IS program is led by the VP & CISO and IS Department in IT&S. Together with the DISO, the Corporate FISO is the “face” of the enterprise and division IS programs to facility leadership, workforce members, and other people and entities (e.g., physicians and certain vendors) affiliated with the facility. The Corporate FISO is responsible for implementing the company’s organizational IS agenda, championing improvements to reduce IS risks to patients and business operations in the facility, and serving as a bridge between the division and the facility.
/Division IS Program:/
The division IS program is led by the DISO. The division program includes implementation plans and activities for the enterprise IS Program and projects, and division-specific IS plans, activities and projects. Like the enterprise IS Program, the Corporate FISO is responsible for leading, driving and ensuring the division IS program is implemented in the Corporate FISO’s assigned facilities.
/Facility IS Program:/
Generally, the facility IS program and facility IS activities are based on implementation and ongoing, operational compliance with company IS requirements. These activities include both Information Technology (IT) and non-IT related areas. In addition, all facility workforce members have a role regarding IS. The Corporate FISO is responsible for leading, driving and helping the facility and facility workforce members appropriately comply with the company’s IS requirements.
The Corporate FISO drives the results the company wants by extending the reach of the enterprise IS program into facilities. This includes developing IS processes, building staff awareness and competencies for security, and effectively collaborating across boundaries to ensure enterprise IS goals and company priorities are met and business value is realized.
This role requires extensive focus on building and expanding relationships with key stakeholders such as Facility leadership, Facility workforce members, Physicians, Division leadership, Division IT team, IS department, business partners and vendors, and other people and entities who support the IS objectives and activities at the facility.
The Corporate FISO must have, and will use, a combination of skills including IT technical skills, IS knowledge, people skills, written and verbal communication skills, interpersonal skills, and the ability to develop, communicate and follow processes to get technical and non-technical work accomplished.
Lead, drive and implement (where appropriate) IS activities in the facility.
• Provide leadership, drive implementation and drive ongoing compliance in the facility with IS requirements including IS policies and standards, HIPAA Security activities, Facility IS Action Plans, division IS program activities, enterprise IS program, and facility-specific needs.
• In conjunction with the appropriate division and facility teams, address IS issues identified by the facility, by the division, by corporate groups including Internal Audit or the IS Department, and by outside entities including auditors (e.g., CMS HIPAA Security audits).
• Work with Facility leadership, DISs, LSCs, and facility staff to drive the accomplishment of IS goals.
• Help coordinate non-IT IS work and responsibilities at the facility.
• Coordinate with HR Director, Facility Privacy Official and Ethics & Compliance Officer to ensure that sanctions related to IS issues are applied appropriately and consistently.
• Bridge the distance between the HCA information security group and the facility through collaboration, coordination, communication, and operating as part of each.
IS Account Management
• For facility and department managed applications, ensure that application administrators are aware of and adhere to company account management requirements.
• Ensure Appropriate Access and other user access reviews occur in the facility in accordance with company guidelines.
IS Project Execution
• Lead and coordinate implementation of IS technologies and projects in the facility.
• Ensure progress and completion of identified tasks in the Facility Information Security Plan.
Issues Tracking and Resolution
• Track and drive resolution of facility HIPAA issues.
• Coordinate facility related troubleshooting of HIPAA issues and questions.
• Support and coordinate incident response activities involving the facility.
• Provide facility-level reporting to the DISO to identify and act on facility-specific IS issues.
IS Risk Management
• Lead risk management processes and decision-making involving each facility, within the framework established in the enterprise IS program.
• Ensure the designated facility committee (e.g., Security Committee, Facility Ethics & Compliance Committee) receives, documents, tracks, investigates and acts on suspected IS breaches and complaints.
• Work with facility personnel and the DISO to complete, submit, and track Risk Acceptance Forms (RAF).
• Team with facility and division personnel to remediate system issues that are noted in approved RAFs.
IS Vendor Systems Security
• Coordinate IS activities with vendors at the facility.
• Ensure proper vendor contracts are in place for division and facility IT systems and services.
• Ensure division and facility-specific IT systems and services receive proper assessments before implementation.
• Ensure implementation of specified IS architectures for enterprise vendors (e.g., anti-virus, logging, auditing, authentication, authorization, configuration management, encryption and remote access management/monitoring).
• Ensure vendor systems use approved connectivity, remote management and monitoring.
• Facilitate, and lead where appropriate, IS communication and awareness in the facility.
• Coordinate with the facility HR and training departments to ensure that periodic workforce training includes company-required IS content (e.g., protection from malicious software; procedures for monitoring log-in attempts and reporting discrepancies; procedures for creating, changing, and safeguarding passwords; procedures for reporting security incidents).
Represent Facility IS Needs to Division
• Serve as the advocate for IS in facility planning.
• Represent facility needs in division strategic planning, budgeting and work prioritization.
• Identify development in the IT&S IS department services and operations needed to resolve IS operational issues in the facility.
Support division IS initiatives and the DISO
• Assist the DISO in driving key elements in the enterprise and division IS programs at the facility level.
• Adheres to the Code of Conduct and Mission and Value Statements
• Assists with other duties as assigned.
/Knowledge, Skills, and Abilities:/
• Knowledge of HIPAA Privacy/Security Regulations and Sarbanes-Oxley IT control standards
• Strong understanding of Information Security processes, technologies, and practices
• Must possess excellent written and verbal communication, organization, decision-making, advanced problem solving, and presentation/training skills, as well as initiative, adaptability, and customer focus
• Must possess the ability to build positive team relationships with all levels of individuals at the facility, market, division and corporate level
• College graduate preferred
• Management experience desired
• Bachelor’s degree in IT, Health Information Management, or related field
• Three to ten years of related work experience in Information Security and/or IT focused Health Information Management
• Information Security Certification(s) with demonstrated work experience is preferred. Desired certifications include: CISSP, CISA, or HIPAA related certifications, such as Certified HIPAA Professional (CHP).
Job: Information Technology
Title: Corporate Facility Information Security Official
Location: Tennessee-Brentwood-Corporate Brentwood
Requisition ID: 10207-24952