Facility Information Security Official (FISO)

Job Summary:
The Facility Information Security Official (FISO) for the HCA Physician Services Group (PSG) is responsible for leading, driving and, in some cases, implementing Information Security (IS) activities and measures in company facilities supported by PSG, under the supervision of the PSG Director of Information Security Operations (DISO).

Facilities Supported
This position will service the PSG Offices in Brentwood, TN, physician practices across the country, company-managed physician offices, etc. Depending on the needs and complexity of the PSG market, the PSG FISO may be assigned to lead and drive IS activities in multiple or possibly all practices. These responsibilities are part of the enterprise (company-wide) and PSG-specific IS programs and operations.

IS Activities
IS activities at the facility level are primarily based on: (a) ongoing IS work and expectations outlined in the company's IS policies, standards, and guidance documents; (b) new and/or prioritized IS work in the Facility IS Action Plans from the Corporate IS Department; and (c) IS aspects of projects from the IS Department, IT&S Department, Business Units and PSG.

Approach
The PSG FISO drives the results the company wants by extending the reach of the enterprise IS program into the physician practice facilities. This includes development and communication of IS processes, building staff awareness and competencies for security, and effectively collaborating across boundaries to ensure enterprise IS goals and company priorities are met and business value is realized.

IS Program Overview

Enterprise IS Program: The enterprise (company-wide) IS program is led by the VP & CISO and IS Department in IT&S. Together with the DISO, the FISO is the "face" of the enterprise and PSG IS programs to facility leadership, workforce members, and other people and entities (e.g., physicians and certain vendors) affiliated with the facility. The FISO is responsible for implementing the company's organizational IS agenda, championing improvements to reduce IS risks to patients and business operations in the facility, and serving as a bridge between PSG and the physician practice/facility.

PSG/Division IS Program: The PSG IS program is led by the DISO. The PSG IS program includes implementation plans and activities for the enterprise IS Program and projects, and PSG-specific IS plans, activities and projects. As with the enterprise IS Program, the PSG FISO is responsible for leading, driving and ensuring the PSG IS program is implemented in all assigned facilities.

Facility IS Program: Generally, the facility IS program and facility IS activities are based on implementation of, and ongoing operational compliance with, company IS requirements. These activities include both Information Technology (IT) and non-IT related areas. In addition, all facility workforce members have a role regarding IS. The FISO is responsible for leading, driving and helping the facility and facility workforce members appropriately comply with the company's IS requirements.

Key Focus Areas & Skills
This role requires extensive focus on building and expanding relationships with key stakeholders such as Facility leadership, Facility workforce members, PSG leadership, the PSG IT team, other FISOs, the IS department, customers, business partners and vendors, and other people and entities who support the IS objectives and activities at the facility. The FISO must have and will use a combination of skills including IT technical skills, IS knowledge, people-relating skills, written and verbal communication skills, interpersonal skills and the ability to develop, communicate and follow processes to get technical and non-technical work accomplished.
Supervisor: PSG Manager, FISO Program

Duties (include but are not limited to):

Lead, drive and implement (where appropriate) IS activities in the facility:
* Provide leadership, drive implementation and drive ongoing compliance in the facility with IS requirements including IS policies and standards, HIPAA Security activities, Facility IS Action Plans, PSG IS program activities, the enterprise IS program, and facility- or customer-specific needs.
* In conjunction with the appropriate PSG and facility teams, address IS issues identified by the facility, by PSG, by corporate groups including Internal Audit or the IS Department, and by outside entities including auditors (e.g., CMS HIPAA Security audits).
* Work with Facility leadership, IT Directors, Local Security Coordinators (LSCs), and facility staff to drive the accomplishment of IS goals.
* Help coordinate non-IT IS work and responsibilities at the facility.
* Coordinate with HR Directors, Facility Privacy Officials and Ethics & Compliance Officers to ensure that sanctions related to IS issues are applied appropriately and consistently.
* Bridge the distance between the HCA information security group and the facility through collaboration, coordination, communication, and operating as part of each.

IS Account Management:
* For facility- and department-managed applications, ensure that application administrators are aware of and adhere to company account management requirements. Ensure appropriate access and other user access reviews occur in the facility in accordance with company guidelines.

Audit Preparation and Access Reviews:
* Assist with the preparation for regulatory and internal audits.
* Coordinate Appropriate Access audits, administrative access reviews and audit log reviews.

IS Project Execution:
* Lead and coordinate implementation of IS technologies and projects in the facility.

Issues Tracking and Resolution:
* Track and drive resolution of facility IS issues.
* Provide technical expertise toward the resolution of IS issues in the facility.
* Support and coordinate incident response activities involving the facility.
* Respond to user-related threat events in the facility by working with the respective department manager to facilitate user awareness.
* Ensure issues in IS reports are addressed (e.g., SAPortal reports, SATracker, Internal Audit Self-Monitoring Report).
* In conjunction with the PSG IT team, ensure corporate-mandated service packs, patches and hotfixes are applied to facility servers and workstations within the defined time periods.
* Provide facility-level reporting to the DISO to identify and act on facility-specific IS issues.

IS Risk Management:
* Lead risk management processes and decision-making involving each facility, within the framework established in the enterprise IS program.
* Ensure the designated facility committee (e.g., Facility Security Committee, Facility Ethics & Compliance Committee) receives, documents, tracks, investigates and acts on suspected IS breaches and complaints.
* Perform a walkthrough of the facility to identify potential or actual IS issues on at least a quarterly basis (e.g., physical security of MDF/IDFs; active sessions on unattended workstations; posted passwords).
* Work with facility personnel and the DISO to complete, submit, and track Risk Acceptance Forms (RAFs).

IS Vendor Systems Security:
* Coordinate IS activities with vendors at the facility.
* Ensure proper vendor contracts are in place for PSG and facility IT systems and services.
* Ensure PSG- and facility-specific IT systems and services receive proper assessments before implementation.
* Ensure implementation of specified IS architectures for enterprise vendors (e.g., anti-virus, logging, auditing, authentication, authorization, configuration management, encryption and remote access management/monitoring).
* Ensure vendor systems use approved connectivity, remote management and monitoring.
IS Communication:
* Facilitate, and lead where appropriate, IS communication and awareness in the facilities.
* Coordinate with the facility HR and training departments to ensure that periodic workforce training includes company-required IS content (e.g., protection from malicious software; procedures for monitoring log-in attempts and reporting discrepancies; procedures for creating, changing, and safeguarding passwords; procedures for reporting security incidents).

Represent Facility IS Needs to PSG:
* Serve as the advocate for IS in facility planning.
* Represent facility needs in division strategic planning, budgeting and work prioritization.
* Identify developments in IT&S department services and operations needed to resolve IS operational issues in the facility.

Support PSG IS initiatives and the DISO:
* Assist the DISO in driving key elements of the enterprise and PSG IS programs at the facility level.

Other Duties:
* Adheres to the Code of Conduct and Mission and Value Statements.
* Assists with other duties as assigned.
Qualifications

Knowledge, Skills & Abilities:
* Knowledge of HIPAA Privacy/Security Regulations and Sarbanes-Oxley IT control standards
* Strong understanding of Information Security processes, technologies, and practices
* Facility, Clinical System, IT Director, LSC, IT Audit, and project management experience desired
* Must possess excellent written and verbal communication, organization, decision-making, advanced problem-solving, and presentation/training skills, as well as initiative, adaptability, and customer focus
* Must possess the ability to build positive team relationships with all levels of individuals at the facility, PSG, customer and corporate level

Experience:
College graduate preferred. Management experience desired.
* Bachelor's degree in IT, Healthcare IT Management, or related field
* Three to ten (3-10) years of related work experience in Information Security and/or IT-focused Health Information Management

Certificate/Licensure:
* Information Security and/or HIPAA-related Certification(s) with demonstrated work experience is preferred.
* Desired certifications include: CISSP, CISA, CISM, GSEC, GCIH, GCUX, GCIA, CHP, CIPP, CAHIMS, CPHIMS

Physical Demands / Working Conditions:
* Requires prolonged sitting, some bending, stooping and stretching. Lifting of light papers and boxes may be required at times.
* Requires eye-hand coordination and manual dexterity sufficient to operate a keyboard, photocopier, telephone, calculator and other office equipment.
* Requires normal range of hearing and eyesight to record, prepare and communicate appropriate reports.

Work is in an office environment and may be stressful at times. Contact may involve dealing with angry or upset individuals. Staff must remain flexible and available to provide staffing assistance for any/all disaster or emergency situations.

Safety & Health:
The normal work routine involves no exposure to blood, body fluids, or tissues (although situations can be imagined or hypothesized under which anyone, anywhere, might encounter potential exposure to body fluids). Persons who perform these duties are not called upon as part of their employment to perform or assist in emergency care or first aid, or to be potentially exposed in some other way.