All across UW Medicine, our employees collaborate to perform the highest quality work with integrity and compassion and to create a respectful, welcoming environment where every patient, family, student and colleague is valued and honored.
UW Medicine’s IT Services department has an outstanding opportunity for a Chief Information Security Officer!
UW Medicine’s Information Technology Services (ITS) department is a shared services organization that supports all of UW Medicine. UW Medicine is comprised of Harborview Medical Center (HMC), UW Medical Center-Montlake (UWMC-Montlake), UW Medical Center-Northwest (UWMC-NW), Valley Medical Center (VMC), UW Neighborhood Clinics (UWNC), UW Physicians (UWP), UW School of Medicine (SOM) and Airlift Northwest (ALNW). In addition, UW Medicine shares in the ownership and governance of Children’s University Medical Group and Seattle Cancer Care Alliance (a partnership between UW Medicine, Fred Hutchinson Cancer Research and Seattle Children’s). ITS is responsible for the ongoing support and maintenance of the infrastructure and applications which support all of these institutions, along with the implementation of new services and applications that are used to support and further the UW Medicine mission.
Under the general guidance of the UW Medicine Information Technology Services Chief Information Officer, and with a dotted line reporting relationship to the President, UW Medicine Hospitals and Clinics, the Chief Information Security Officer (CISO) will provide leadership for planning, developing, directing, and operating an innovative, trusted and reliable information security program to support the confidentiality, integrity and availability of electronic institutional information. Electronic institutional information includes electronic medical records and other institutional information systems, and computerized devices, including medical devices and their associated infrastructure technology. The security program must be compliant with UW policy, applicable laws, and regulations in three core assets: Electronic Data, Computing Device, System Security and Workforce.
The CISO also serves as the UW Medicine HIPAA Security Official and will advise UW Medicine and UW Medicine IT Services (ITS) leadership on enterprise security strategies, best practices, security architecture and security design work; support UW Medicine Compliance in its accountable role for ensuring HIPAA compliance across the enterprise; conduct risk assessments and analysis of findings and development of mitigation strategies; oversee operational implementation of mitigation efforts; ensure robust operational processes in support of the overall information security program; partner with UW Medicine Compliance and the University of Washington Office of the CISO to ensure regulatory compliance with HIPAA, CMS, NIST, FERPA and other healthcare standards and regulations.
This position will direct a team of IT security professionals and analysts knowledgeable in clinical and business activities who support UW Medicine by developing, implementing, and supporting IT security solutions to meet user information needs and the strategic goals of the organization that are compliant with applicable UW policy, state and federal laws and regulations. This position will also be responsible for developing annual capital and operating budgets for the UW Medicine Security Program.
Strategy and Leadership (60%)
Identify UW Medicine’s Information Security and Identity and Access Management (IAM) needs and risks and develop/communicate strategies and establish operational plans that align with the organization’s vision, mission, and objectives, and support long-term Information Security growth and sustainability.
Establish and sustain Information Security and IAM technology standards, process improvements, governance processes and performance metrics to ensure that the organization delivers value and protects the company’s information assets.
Establish and execute the Information Security and IAM budget with a complex and diverse portfolio of work to drive increases in enterprise security maturity measured against industry-leading risk management and security frameworks.
Ensure the monitoring of UW Medicine’s Information Security and IAM strategies, policies, compliance controls, and programs to meet UW Medicine business needs. Oversee the development of required security and access standards for application, infrastructure, and complex technology environments including vendor provided services.
Direct the management and implementation of an enterprise-wide information risk methodology for the purpose of conducting and enabling business initiatives with clinical, business and research systems, third parties, system interconnections, service level agreements, etc., to ensure all appropriate information is gathered and that business and technology risks are appropriately identified and evaluated. Oversee the development and implementation of appropriate measures to identify risks associated with applications/business functions.
Coach and mentor the Information Security and IAM teams to evolve skills, capabilities, and teamwork across ITS.
Provide management oversight to all activities related to organizational Information Security and IAM compliance with regulatory as well as audit requirements, ensuring that information security best practices are being followed for areas to include Information Security, Risk Management and Identity and Access Management.
Manage regular intrusion detection and vulnerability reporting, reviews by internal and external IT audit groups, and the coordination of all required fixes.
Provide leadership and management of response and recovery capabilities in the event of actual incidents. Responsible for directing and evaluating tabletop and recovery exercises for security incidents with both business and technical staff.
Continually seek and consider innovative solutions to business problems and apply in support of the organization’s mission, culture, and philosophy. Develop best practices while driving the process of creative thinking and solutions. Lead change and the adoption of new processes and technologies.
In collaboration with senior leaders, develop and achieve a resilient organizational structure and workforce to support long-term cybersecurity as well as ITS objectives. Provide opportunities and framework for team members’ career advancement. Responsible for the interpretation, communication, and understanding of department and company goals, mission and philosophy to associates. Provide consistent performance feedback.
Develop business metrics to measure the effectiveness of the Information Security and IAM programs and increase the maturity of the Information Security and IAM programs. Provide regular reports on the status of the Information Security and IAM programs to SPEC, executive and business leaders.
Lead, organize and positively influence a team of professionals that may consist of teams within teams.
Instill UW Medicine and ITS vision and guiding principles to all staff; implement mission-oriented HR practices.
Promote an environment that is attractive to the employee and that facilitates the recruitment and retention of professional, technical, and support staff. This includes, but is not limited to, staff development, recognition, motivation, and communications.
Make hiring decisions and recommendations for separations, reclassification recommendations, salary adjustment recommendations, handle complaints and grievances as well as generally planning, assigning and approving the work of these positions.
Recruit, hire, train, coach, motivate, and manage performance of permanent, temporary, and contract staff.
Conduct performance evaluations and measurement on a regular basis, and other standard practices, consistent with all ITS teams.
Provide functional and technical expertise to Managers and other staff.
Establish and enforce technical and functional standards.
Ensure compliance with security and confidentiality requirements.
Promote, monitor, and support UW Medicine HIPAA policy and procedures.
Assist in providing a framework to be the employer of choice.
Develop a service-oriented work force with exceptional technical talent.
Ensure all employees understand the linkage to the mission and vision of UW Medicine and to the UW Medicine Patients Are First principles and adhere to the professional conduct policy of UW Medicine.
Develop the teams and staff necessary to implement, enhance, and support ITS goals, projects, and programs.
Foster staff engagement.
Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that UW Medicine maintains a strong information security posture.
Liaise with UW Campus information security and privacy program leaders.
Partner with UW Medicine Compliance and HIPAA Privacy program leaders to ensure coordinated HIPAA security and privacy programs.
Monitor the industry and external environments for emerging threats and advise SPEC, executive and business leaders on appropriate courses of action.
Manage and respond to external, internal, and client audits and security reviews.
Maintain knowledge of competing projects and programs across all departments within UW Medicine and UW Campus. Collaborate with peers to prioritize projects, deliverables and resolve competing priorities. Work with internal and external business partners, project management, and senior IT management to ensure priority security initiatives are appropriately resourced.
Bachelor's degree in Computer Science, Information Technology, Business Administration, or related field.
10+ years’ experience must include the following:
10+ years of demonstrated IT leadership experience with significant responsibilities in the area of IT security.
5+ years in a senior level position leading IT technical and business/clinical analyst professionals, including cybersecurity engineers. Experience includes talent assessment, mentoring and coaching.
Demonstrated familiarity with HIPAA requirements.
Demonstrated familiarity with information systems used in patient care, medical education, and research environments.
Demonstrated experience in a highly complex organization.
Relevant industry certification in security (e.g., CISSP, CISM, CISA, CRISC, CHPS).
Previous experience in and knowledge of academic health care systems operations is preferred.
Broad knowledge of integrated healthcare delivery administration, practices, and principles.
Effective communication and interpersonal skills for working with a diverse group of individuals at all levels of the organization to achieve a common mission.
Strong understanding of current information security theory, frameworks, industry best practices, security tools and forensics.
Understanding of the regulatory environment in a health care institution and demonstrated ability to navigate the healthcare security regulatory environment.
Knowledge and experience in information security risk management, including but not limited to risk and gap analysis, risk evaluation and ranking, risk mitigation, and reporting on the risk profile and residual risk.
Experience in leading responses to incidents and investigations with sensitivity, tenacity, and an understanding of the level of detail required.
Proven ability to make administrative/procedural decisions and provide guidance and leadership to professional personnel.
Understanding of user privileging and management, and of authentication and authorization, in a complex, multi-entity environment.
Organizational understanding of managing information technology in a multi-vendor, heterogeneous, federated environment.
Ability to explain, both verbally and in writing, technical security issues for both technical and non-technical audiences.
Previous experience in and knowledge of academic healthcare systems and/or operational environments.
Advanced degree (e.g., Master’s, PhD, etc.)
CONDITIONS OF EMPLOYMENT
This is an Information Technology deadline-driven work environment.
The individual in this position is expected to work normal daytime hours. The work may be performed in either an office environment or by telecommuting with manager approval; however, significant off-hours and weekends may be needed to resolve problems and respond to emergencies. This individual is expected to be available for emergencies (business continuity/disaster recovery efforts) on a 24x7 basis as needed.
Must have the ability to meet in person as directed by manager.
Will be required to participate in an on call rotation.
Because of the physically separated sites for UW Medicine, this position requires the ability to travel to alternative work locations as needed.
Must coordinate projects without direct supervisory authority.
Must work within the constraints of multiple technical environments.
ITS provides services to all UW Medicine organizations – HMC, UWMC-Montlake, UWMC-NW, VMC, UWNC, UWP, SOM, and ALNW. The individual in this position must learn many organizational structures and cultures and continually foster collaboration.
Ability to communicate effectively in English, both verbally and in writing.
Founded in 1861, the University of Washington is one of the oldest public institutions on the West Coast and one of the preeminent research universities in the world. The University of Washington is a multi-campus university comprised of three different campuses: Seattle, Tacoma, and Bothell. The Seattle campus is made up of sixteen schools and colleges that serve students ranging from the undergraduate level to the doctoral level. The university is home to world-class libraries, arts, music, drama, and sports, as well as the highest quality medical care in Washington State and a world-class academic medical center. The teaching and research of the University’s many professional schools provide undergraduate and graduate students the education necessary toward achieving an excellence that will serve the state, the region, and the nation. As part of a large and diverse community, the University of Washington serves more students than any other institution in the Northwest.