Industry: Accounting, Finance & Insurance
Experience: 5 - 7 years
Position Summary

Implements and oversees information technology processes and programs to support information assurance, regulatory compliance, internal control, vendor management, model audit, internal/external audits, and risk management activities. Advises the Director of Compliance, IT, and business management regarding appropriate IT policies, procedures, and regulations set forth by HNE and by state and federal laws, including but not limited to HIPAA, Medicare, and Medicaid, with the goal of maintaining compliance and regulatory requirements, safeguarding information assets, strengthening internal operations, and achieving strategic objectives. Leads, develops, and maintains the IT HIPAA Security risk assessment. Actively promotes a culture of risk and control awareness across the organization.
Collaborates with IT and other areas of management on the status of technology risk and internal control concerns per assessment, internal or external audit results, and information from monitoring and control systems. Advises and develops solutions regarding remediation and mitigation strategies and approaches. Performs risk management and control improvement activities across IT functional areas. This position serves as a liaison to associates and management at all levels as well as with business partners, regulators, examiners, and other interested stakeholders as needed.
This position reports directly to the Director of Compliance. This position will exercise a high degree of independent judgment in determining relevant information needed to perform an adequate review and will have access to all relevant personnel, books and records in the areas under review. This position provides independent, objective assurance and consulting activity to add value and assist the organization in improvements across all operations.
- Assist the Director of Compliance in the ongoing development of strategic planning and implementation of the Compliance Program and its related activities, including reporting, education and training, investigations, corrective actions, and developing consistent compliance communications that establish expectations for all Health New England associates and third parties to meet all elements of state and federal guidance regarding the elements of an effective compliance program.
- Provide leadership over the IT HIPAA Security Risk assessment, which is responsible for providing independent assessment and assurance of the effectiveness and efficiency of the IT Security control environment.
- Proactively work with internal and external auditors, model audit teams, vendor management teams, as well as various technology teams and business partners in the design and implementation of IT risk assessments, control assessments, and improvement practices.
- Manage and oversee processes to identify, assess, improve, and optimize compliance requirements, internal control, and risk practices within the IT, regulatory, and compliance environment.
- Manage and oversee IT components of audits performed by internal and external audit including but not limited to the SOC1/SSAE-16. Work with the Director of Compliance to coordinate and develop communication as required.
- Manage and investigate IT Security incidents/leads as assigned related to areas of regulatory, compliance, and violation of policy and procedure. Report issues to the Director of Compliance.
- Develop and maintain processes, policies, standards, and procedures to assess, oversee, escalate, remediate and report on IT internal control, compliance, and risk issues.
- Manage development and implementation of business unit Corrective Action Plans (CAPs) to bring areas of concern into compliance.
- Collaborate with IT functional teams and assist in the development, implementation, monitoring, assessment, and reporting of compliance requirements, control processes, documentation and risk activities.
- Monitor IT compliance, legislative and regulatory trends for impact and potential non-compliance or gaps.
- Facilitate and assist in the preparation of audit and compliance-related reports, regulatory filings, and management responses to internal/external audit.
- Serve as a subject matter expert and information risk and control advisor, to facilitate the identification and assessment of technology risks and to improve the effectiveness and efficiency of IT compliance requirements and internal controls.
- Develop, plan, manage and execute vendor compliance and HIPAA-based audits using a risk-based approach.
- Work directly with process owners and management and participate in various activities (e.g., planning, systems development and product selection) to assist in the design and implementation of information technology controls (manual and automated) in IT processes and systems in light of risks, strategic objectives, and regulatory requirements.
- Establish, monitor, and report on relevant performance metrics and applicable IT compliance metrics.
- Generate compliance reports as required, detailing the status of the IT Compliance Program, and coordinating with other areas of operations as required. Present periodic reports and quarterly evaluations on the Compliance Program to management, executive leadership, and the Compliance Committee.
- Design and deliver compliance education and training programs in collaboration with the Director of Compliance.
- At the direction of the Director of Compliance, perform other duties necessary for the effective operation of the Compliance Department.

Minimum Requirements

Bachelor's degree in Computer Science, MIS or related field with five years of relevant experience in information security, technology, risk management, compliance or consulting in a complex technology environment; or an equivalent combination of education and experience.
- Demonstrated leadership experience
- Advanced experience in business and IT processes, IT risk management, information security, and privacy required.
- Detailed knowledge of the industry regulatory environment (HIPAA, CMS, EOHHS) required.
- Broad understanding of audit, control, and security standards (e.g., AICPA, ISACA / COBIT, etc.) required.
- Solid grasp of concepts across a wide array of technology platforms, controls (e.g., ITIL) and IT processes (e.g., SDLC).
- Considerable knowledge of and skill in applying internal auditing principles and practices, and management principles and preferred business practices.
- Demonstrated knowledge of security controls for network, database, application and operating systems.
- Knowledge of network architectures and design; administrative, technical and physical security controls; Windows Active Directory; Windows server; database and application architecture.
- Ability to earn the trust of sponsors and key stakeholders; mobilize and motivate teams; set direction and approach; resolve conflict; execute with limited information and ambiguity.
- Ability to think through complex problems, determine proper analytical processes and procedures, independently derive conclusions and present results to management.
- Must be able to summarize and communicate technical data to a non-technical audience.