• HCA
  • Coppell, TX, USA
  • Oct 26, 2018

Job Description

Job Code: 10201-26014

No Weekends

HCA, a Fortune 100 company with more than 200,000 employees, is one of the nation's leading providers of healthcare services, operating over 170 locally managed hospitals and over 100 freestanding surgery centers in 20 states and the United Kingdom. With its founding in 1968, HCA created a new model for hospital care in the United States, using combined resources to strengthen hospitals, deliver patient-focused care and improve the practice of medicine. HCA is a learning healthcare system that uses more than 27 million annual patient encounters to advance science, improve patient care and save lives. HCA has been named one of the world's most ethical companies for nine years in a row.

At HCA, we are driven by a single goal: the care and improvement of human life.

Summary of Duties:

Overall: The Zone Facility Information Security Official (FISO) is responsible for leading, driving and, in some cases, implementing Information Security (IS) activities and measures in company facilities supported by the division, under the supervision of the Division Director of Information Security Operations (DISO).

Facilities: These include hospitals, company-managed physician offices, Consolidated Service Centers (CSCs), Ambulatory Surgery Division (ASD) centers and certain other facilities in the division. Depending on the IT model and complexity of the division, the Zone FISO may be assigned to lead and drive IS activities in a few facilities or possibly all facilities in a market or division.

IS Activities: These activities are part of the enterprise (company-wide) and division-specific IS programs and operations. IS activities at the facility-level are primarily based on: (a) ongoing IS work and expectations outlined in the company's IS policies, standards, and guidance documents, (b) new and/or prioritized IS work in the Facility IS Action Plans from the Corporate IS Department, and (c) IS aspects in projects from the IS Department, IT&S Department, Business Units and Division.

Enterprise IS Program: The enterprise (company-wide) IS program is led by the VP & CISO and IS Department in IT&S. Together with the DISO, the Zone FISO is the "face" of the enterprise and division IS programs to facility leadership, workforce members, and other people and entities (e.g., physicians and certain vendors) affiliated with the facility. The Zone FISO is responsible for implementing the company's organizational IS agenda, championing improvements to reduce IS risks to patients and business operations in the facility, and serving as a bridge between the division and the facility.

Division IS Program: The division IS program is led by the DISO. The division program includes implementation plans and activities for the enterprise IS Program and projects, and division-specific IS plans, activities and projects. Like the enterprise IS Program, the Zone FISO is responsible for leading, driving and ensuring the division IS program is implemented in the Zone FISO's assigned facilities.

Facility IS Program: Generally, the facility IS program and facility IS activities are based on implementation and ongoing, operational compliance with company IS requirements. These activities include both Information Technology (IT) and non-IT related areas. In addition, all facility workforce members have a role regarding IS. The Zone FISO is responsible for leading, driving and helping the facility and facility workforce members appropriately comply with the company's IS requirements.

Approach: The Zone FISO drives the results the company wants by extending the reach of the enterprise IS program into facilities. This includes developing IS processes, building staff awareness and competencies for security, and effectively collaborating across boundaries to ensure enterprise IS goals and company priorities are met and business value is realized.

Relationships: This role requires extensive focus on building and expanding relationships with key stakeholders such as Facility leadership, Facility workforce members, Physicians, Division leadership, Division IT team, other Zone FISOs, IS department, business partners and vendors, and other people and entities who support the IS objectives and activities at the facility.

Other: The Zone FISO must have and will use a combination of skills including IT technical skills, IS knowledge, relationship-building skills, written and verbal communication skills, interpersonal skills and the ability to develop, communicate and follow processes to get technical and non-technical work accomplished.

Duties Include But Are Not Limited To:

Lead, drive and implement (where appropriate) IS activities in the facility:
  • Provide leadership, drive implementation and drive ongoing compliance in the facility with IS requirements including IS policies and standards, HIPAA Security activities, Facility IS Action Plans, division IS program activities, enterprise IS program, and facility-specific needs.
  • In conjunction with the appropriate division and facility teams, address IS issues identified by the facility, by the division, by corporate groups including Internal Audit or the IS Department, and by outside entities including auditors (e.g., CMS HIPAA Security audits).
  • Work with Facility leadership, HDISs, LSCs, and facility staff to drive the accomplishment of IS goals.
  • Help coordinate non-IT IS work and responsibilities at the facility.
  • Coordinate with HR Director, Facility Privacy Official and Ethics & Compliance Officer to ensure that sanctions related to IS issues are applied appropriately and consistently.
  • Bridge the distance between the HCA information security group and the facility through collaboration, coordination, communication, and operating as part of each.

IS Account Management
  • For facility and department managed applications, ensure that application administrators are aware of and adhere to company account management requirements.
  • Ensure Appropriate Access and other user access reviews occur in the facility in accordance with company guidelines.

IS Project Execution
  • Lead and coordinate implementation of IS technologies and projects in the facility. Ensure progress and completion of identified tasks in the Facility Information Security Plan.

Issues Tracking and Resolution
  • Track and drive resolution of facility IS issues.
  • Provide technical expertise to resolution of IS issues in the facility.
  • Coordinate facility troubleshooting of issues and questions.
  • Support and coordinate incident response activities involving the facility.
  • Monitor resolution of IS alerts in the facility (e.g., Spyware, SMART anomalies, invalid Social Security Numbers).
  • Respond to user related threat events in the facility by working with the respective department manager to facilitate user awareness.
  • Ensure issues in IS reports are addressed (e.g., SAPortal reports, Passport reports, SecurID activity reports, Internal Audit Self-Monitoring Report).
  • In conjunction with the division IT team, ensure corporate-mandated service packs, patches and hotfixes are applied to facility servers and workstations within the defined time periods.
  • Provide facility-level reporting to the DISO to identify and act on facility-specific IS issues.

IS Risk Management
  • Lead risk management processes and decision-making involving each facility, within the framework established in the enterprise IS program.
  • Ensure the designated facility committee (e.g., Facility Security Committee, Facility Ethics & Compliance Committee) receives, documents, tracks, investigates and acts on suspected IS breaches and complaints.
  • Perform walkthrough of the facility to identify potential or actual IS issues on at least a quarterly basis (e.g., physical security of MDF/IDFs; active sessions on unattended workstations; posted passwords).
  • Work with facility personnel and the DISO to complete, submit, and track Security Exception Request Forms (SERFs).
  • Team with facility and division personnel to remediate system issues that are noted in approved SERFs.

IS Vendor Systems Security
  • Coordinate IS activities with vendors at the facility.
  • Ensure proper vendor contracts are in place for division and facility IT systems and services.
  • Ensure division and facility-specific IT systems and services receive proper assessments before implementation.
  • Ensure implementation of specified IS architectures for enterprise vendors (e.g., anti-virus, logging, auditing, authentication, authorization, configuration management, encryption and remote access management/monitoring).
  • Ensure vendor systems use approved connectivity, remote management and monitoring.

IS Communication
  • Facilitate, and lead where appropriate, IS communication and awareness in the facility.
  • Coordinate with the facility HR and training departments to ensure that periodic workforce training includes company-required IS content (e.g., protection from malicious software; procedures for monitoring log-in attempts and reporting discrepancies; procedures for creating, changing, and safeguarding passwords; procedures for reporting security incidents).

Represent Facility IS Needs to Division
  • Serve as the advocate for IS in facility planning.
  • Represent facility needs in division strategic planning, budgeting and work prioritization.
  • Identify development in the IT&S IS department services and operations needed to resolve IS operational issues in the facility.

Support division IS initiatives and the DISO
  • Assist the DISO in driving key elements in the enterprise and division IS programs at the facility level.

  • Adhere to the Code of Conduct and Mission and Value Statements.
  • Assist with other duties as assigned.

Knowledge, Skills, and Abilities
  • Knowledge of HIPAA Privacy/Security Regulations and Sarbanes-Oxley IT control standards
  • Strong understanding of Information Security processes, technologies, and practices
  • Hospital, Meditech System, HDIS, LSC, IT Audit, and project management experience desired
  • Must possess excellent written and verbal communication, organization, decision-making, advanced problem solving, and presentation/training skills; as well as initiative, adaptability, and customer focus
  • Must possess the ability to build positive team relationships with all levels of individuals at the facility, market, division and corporate levels
  • College graduate preferred
  • Management experience desired
  • Bachelor's degree in IT, Health Information Management, or related field
  • Three to ten years of related work experience in Information Security and/or IT-focused Health Information Management
  • Information Security Certification(s) with demonstrated work experience preferred. Desired certifications include: CISSP, CISA, CISM, GSEC, GCIH, GCNT, GCFW, GCUX, GCIA

Physical Demands/Working Conditions: Requires prolonged sitting, some bending, stooping, and stretching. Requires hand-eye coordination and manual dexterity sufficient to operate a keyboard, photocopier, telephone, calculator, and other office equipment. Requires normal range of hearing and eyesight to record, prepare, and communicate appropriate reports. Staff must remain flexible and available to provide staffing assistance for any/all disaster or emergency situations. Must have a willingness to travel in the local region.

OSHA Category: The normal work routine involves no exposure to blood, body fluids, or body tissues (although situations can be imagined or hypothesized under which anyone, anywhere, might encounter potential exposure to body fluids). Persons who perform these duties are not called upon as part of their employment to perform or assist in emergency care or first aid, or to be potentially exposed in some other way.

Last Edited: 10/25/2018