The Senior IT Compliance Lead is responsible for improving Health New England’s information technology control environment so that it meets regulatory requirements (HIPAA, Medicare, MassHealth). The individual works collaboratively with information technology and operational management to implement solutions and provide assurance to management that weaknesses and deficiencies are remediated. The Senior IT Compliance Lead is also tasked with investigating information technology compliance incidents, performing root cause analysis, and making recommended improvements. They perform, and work with staff to perform, information technology control monitoring routines and control testing over our highest risk areas.
The position will work with external auditors and consultants to coordinate deliverables and assist management with finalizing our annual HIPAA risk assessment and SOC1/SSAE 18 externally performed reviews. The position will build relationships with external auditors/consultants and develop an understanding of Health New England’s information system and control structure to assist the Director with validation and assessment of identified risks or weaknesses.
The Senior IT Compliance Lead is responsible for oversight of staff and for assisting with implementation of our role-based access control program. They will work with staff to perform segregation of duties analysis and access recertification, deliver education programs, and make adjustments to existing and new roles.
The position is responsible for reviewing and having knowledge of all IT Compliance policies and procedures. They report directly to the Director of Compliance, Internal Audit, and Risk Management.
Essential Functions:
IT Security and Compliance Strategy
- Execute and implement work plan deliverables as assigned by Director
- Oversee IAM coordinator and other staff as assigned
- Develop and apply management techniques to ensure staff deliverables are communicated to the Director regularly
- Monitor IT compliance, legislative and regulatory trends for impact and potential non-compliance/gaps
IT Control Development and Assurance
- Lead completion of internal/external identified control deficiencies as assigned by members of the Information Security leadership. Provide insight and recommendations on control improvements.
- Meet with internal information technology business owners to discuss and evaluate implementation of IT controls, collectively develop solutions that can be deployed, and report collaboratively with business owners back to members of the Information Security leadership team for approval.
- Perform an assessment of corrective action plan control improvements made by IT business owners to ensure all deliverables and actions agreed upon have been implemented. Report status and identified concerns regularly to Director.
- Perform walkthroughs of IT Control processes and system controls as assigned by Director. Produce process flow documentation and recommended control improvements.
IT Compliance Audits, Engagements, and Risk Assessments
- Work directly with external Information Technology auditors and/or consultants to oversee relationship, timing, and communications to ensure business engagements run on time and within budget
- Serve as the internal liaison to our auditors/consultants for the annual SOC1/SSAE-16 IT audit, IT components of our annual financial audit, and our annual IT HIPAA Security risk assessment by building a network of internal relationships, managing document requests, and providing guidance to our operational owners in response to external findings
Role-based Access Control Program
- Work directly with temporary consultant staff as assigned to oversee and/or perform standardized onboarding of operational departments or new roles within our established RBAC framework.
- Maintain RBAC change control procedures and ensure quality and integrity of RBAC source information.
- Oversee IAM Coordinator processes for accuracy and completeness, including recertification procedures, RBAC SoD analysis, and change control quality assurance.
- Administer educational programs to internal stakeholders to ensure process and change management is understood
IT Compliance Security Incidents
- Investigate IT Security incidents/leads as assigned related to areas of regulatory, compliance, and violation of policy and procedure. Work with Director to discuss and evaluate steps required to make conclusions.
IT Compliance Policies and Procedures
- Understand IT Compliance policies and procedures, provide improvement recommendations to the Director, and review annually for Director-level approval.
- Evaluate IT Security-owned policies and procedures; provide improvement recommendations to IT Business Owners.
IT Control Monitoring
- Perform, and work with staff to perform, information technology control monitoring routines and control testing over our highest risk areas.
Bachelor’s degree in Computer Science, MIS or related field with three to five years of relevant experience in information security, technology, risk management, audit, compliance or consulting in a complex technology environment; or an equivalent combination of education and experience.
- Experience in health care or managed care is a plus
- Knowledge of and exposure to HIPAA & SSAE 18 preferred
- Knowledge of and skill in applying internal auditing principles and practices
- Understanding of audit, control, and security standards (e.g., NIST, ISACA / COBIT, etc.)
- Knowledge of security controls for network, database, application and operating systems
- Knowledge of network architectures and design; administrative, technical and physical security controls; Windows Active Directory; Windows server; database and application architecture
- Ability to earn trust of sponsors and key stakeholders; mobilize and motivate teams; set direction and approach; resolve conflict; execute with limited information and ambiguity
- Ability to think through complex problems, determine proper analytical processes and procedures, independently derive conclusions and present results to management.
- Must be able to summarize and communicate technical data to a non-technical audience
- Data Entry
- Continually Hearing
- Continually Seeing
- Continually Sitting
- Continually Talking