Division Director of IT&S Assurance

11 - 15 years experience  •  Healthcare IT

Salary depends on experience
Posted on 11/08/17
San Antonio, TX



At its founding in 1968, Nashville-based HCA was one of the nation's first hospital companies. Today, as one of the nation's leading providers of healthcare services, HCA comprises locally managed facilities that include more than 250 hospitals and freestanding surgery centers in 20 states and the United Kingdom, employing approximately 230,000 people. Approximately four to five percent of all inpatient care delivered in the country today is provided by HCA facilities, resulting in more than 26M patient encounters each year. HCA is committed to the care and improvement of human life and strives to deliver high-quality, cost-effective healthcare in the communities we serve. Building on the foundation provided by our Mission & Values, HCA puts patients first and works to constantly improve the care we provide by implementing measures that support our caregivers, help ensure patient safety and provide the highest possible quality.

Additional Facts:

• Ranked 63 in Fortune 500
• Computerworld Top 50 Best Places to Work in IT since 2009
• Named one of the “World’s Most Ethical Companies” since 2010
• 106 HCA hospitals are on The Joint Commission’s list of top performers on key quality measures.


Division Director of Information Security Assurance (DISA)

SUMMARY OF DUTIES

Oversees all aspects of the Information Security Program for all facilities associated with the Division or Line of Business (LOB) to assure strategic alignment with the HCA Information Protection Program and maturity of IT operational security controls. Serves as a key member of the IT&S leadership team and works effectively with Division/Facility Privacy Officials (FPO), Ethics and Compliance Officers (ECO), and other key decision-makers serving on the Division/Facility Security Committee. Champions, administers, and provides interpretation of Information Security Program policies/procedures to facilitate risk-based decisions by key stakeholders.  



Launch and oversee the Information Security Program for all facilities and the division/LOB through the following (25% of the time)

  • Manage governance structure for each in-scope entity (e.g., Facility Security Committee) to facilitate effective, efficient, and standardized approach to align with HCA Information Protection Program (executive dashboards, agendas, minutes, etc.) 
  • Facilitate risk-based decisions by key decision-makers that focus on preventing (or correcting) identified business issues through implementation of reasonable administrative, physical, and/or technical controls
  • Partner with FPO and ECO on cross-disciplinary compliance activities
  • Identify, establish and maintain strategic relationships with key stakeholders to help increase maturity of Program throughout operational processes, projects, and other initiatives

Validate and operationalize facility readiness for internal and external audits of information security/protection controls on behalf of CIO (25% of the time)

  • Lead division-wide and facility-specific information risk management program to continually assure the maturity of administrative, technical, and physical controls
  • Partner with IT&S colleagues to assure ongoing maturity of IT operational security controls by leveraging inputs from SAPortal, SATracker, ProofPoint, Data Leak Protection (DLP), FileShare scanning, and other monitoring tools
  • Partner with FPO and/or ECO to assure facilities are able to respond in a timely manner to time-sensitive notifications by providing evidence of the facility’s administrative controls (e.g., documented operational procedures to comply with HIPAA)

Champion HCA Information Protection Program initiatives (20% of the time)

  • Drive visible action to implement the initiative within established deadlines (i.e., may be a time-sensitive regulatory requirement and/or a company-prioritized risk reduction activity)
  • Initiate compelling communications with key stakeholders to launch the initiative
  • Increase awareness and/or understanding of needed actions to correct identified information security risks

Oversee integration of defined role-based training into facility operations (15% of the time)

  • Provide or "train-the-trainer" to deliver role-based training based on identified risks and/or related to compliance with policies/procedures
  • Validate effectiveness of role-based training to monitor the health of each facility's Information Security Program

Staff Development: Staffing and Recruiting, Career Development, Mentoring and Coaching, Succession Planning, Performance Management (15% of the time)

  • Actively involved in Human Resources recruitment, performance evaluations, and management of IT division staff (e.g., Zone FISO)
  • Ensures appropriate training and development programs are utilized to attract, retain, and develop personnel required to support information security program
  • Participates in division IT&S succession planning activities with CIO

Oversee and coordinate information security incident investigation and reporting (varies %)

  • Partner with Corporate departments and/or external entities (e.g., law enforcement) as required to facilitate rapid response 
  • Partner with FPO and/or ECO on cross-disciplinary incident investigation and reporting


Duties Include But Are Not Limited To


Determination about the “reasonableness” of safeguards/controls that must be implemented to protect sensitive or restricted data being stored, processed, and/or transmitted by (or on behalf of) business owners and/or the facility. Determinations must be made by striking a balance between business/clinical objectives and available administrative, physical, and/or technical safeguards. Consequences of poor determinations may result in the following negative impacts: 

  • Inappropriate/unreasonable disruptions of business/clinical objectives
  • Inappropriate disclosure or breach of sensitive or restricted data 
  • Monetary penalties
  • Criminal penalties at the personal level
  • Investigations from the Office of Civil Rights (OCR)
  • Corrective Action Plan with OCR
  • Written notification from HCA to the patient, HHS, and in some situations, local media in the event of a breach (as defined by HITECH).

Determination about the most appropriate approach for engaging with key stakeholders and/or decision-makers serving on the Division/Facility Security Committee to develop and implement corrective action plans to mitigate/correct identified information security risks. Must leverage strategic relationships, compelling communications, and use of governance structure to drive business decisions (e.g., funding, resources, timing). Consequences of a weak approach may result in the following negative impacts:

  • Lack of business understanding and/or support to mitigate or correct identified information security risks that could lead to disruptions of business/clinical objectives
  • Same negative impacts as listed in the previous example above





  • Strong understanding of information security principles, processes, technologies, and practices – required
  • Ability to communicate effectively at an executive level - required
  • Skill in developing and maintaining effective relationships with medical and administrative staff, and technical staff – required
  • Strong written, verbal, and presentation skills – required
  • Skill in exercising initiative, judgment, problem solving, decision-making – required
  • Strong leadership skills, personal drive, and ability to see projects through to execution in a matrixed environment – required
  • Skill in planning, organizing and supervising – required
  • Skill in developing comprehensive reports – required
  • Ability to analyze and interpret complex data – required
  • Ability to research and prepare comprehensive reports – required
  • Knowledge of computer systems and applications – required
  • Strong analytical skills in budgeting, planning and policy maintenance and development – required
  • Knowledge of information security regulations (HIPAA Privacy/Security, Sarbanes-Oxley IT controls, Payment Card Industry (PCI)) – preferred
  • Information Security certifications (e.g., CISSP, CISA, CISM, GSEC) – preferred
  • Knowledge of healthcare – preferred


  • College Graduate Required
  • Bachelor's degree in IT, Health Information Management, or related field.
  • Master’s degree preferred


  • 6 - 10 Years Information Security experience
  • 10 + Years of IT experience
  • Leadership experience
  • Management experience
  • Must be able to travel in the continental U.S.

Job Code: 25388-78687
