Director, IT Security

About The Position

Requirements

• 10+ years of cybersecurity leadership experience, ideally within healthcare or other regulated environments.
• Deep understanding of HIPAA, healthcare privacy, patient data workflows, and clinical IT systems.
• Strong technical background across endpoint and cloud security, identity management, network security, and incident response.
• Ability to communicate effectively with clinicians, IT leaders, and executive teams.
• Relevant certifications preferred (e.g., CISSP, CISA, CISM, HCISPP, CHISL, CCSP).

Nice To Haves

• Experience leading security programs in hospitals, payers, digital health companies, or biotech.
• Familiarity with HIPAA, GDPR, and NIST-based maturity models.
• Ability to balance strong security controls with clinical usability and patient safety.
• Proven success in developing high-functioning security teams and managing budgets.
• Strong leadership, crisis management, and cross-functional collaboration skills.

Responsibilities

• Define and execute a comprehensive IT security strategy aligned with clinical, operational, and business priorities.
• Develop and maintain policies and controls that strengthen security across clinical workflows and systems as well as supporting environments and systems.
• Advise executive leadership and the board on cybersecurity risk, investment visibility, emerging threats, and compliance posture.
• Maintain compliance with regulatory requirements, which may include: HIPAA/HITECH GDPR CFR 21 Part 11 State privacy laws as applicable
• Partner closely with Privacy, Legal, and Compliance teams to manage audits, breach notifications, and other safeguards.
• Oversee enterprise risk assessments across clinical operations, IT systems, cloud environments, and third-party vendors.
• Lead 24/7 threat monitoring, incident response, and forensic investigations—prioritizing patient safety and operational resilience.
• Build playbooks and tabletop exercises tailored to clinical disruptions, such as ransomware attacks impacting system availability, IoT/medical devices, or care delivery.
• Drive continuous improvements through post incident reviews and data-driven risk reduction.
• Partner with IT, Operations, and R&D teams to secure clinical systems and other technologies.
• Develop, document, and implement baseline security standards for major systems, processes, and technologies
• Create and/or modify IT security related policies and procedures in line with best practices and compliance requirements
• Implement a vulnerability management and monitoring program and provide recommendations for remediation
• Oversee IAM, Zero Trust, data loss prevention, endpoint security, and network segmentation—especially for clinical networks and IoMT ecosystems.
• Oversee IT vendor risk management, including partners managing systems, processes, etc..
• Establish rigorous onboarding, security assessments, and ongoing monitoring for all IT critical vendors.
• Lead organization-wide security culture change, including staff education, phishing resistance, and workflow‑friendly security controls.
• Translate complex security concepts into business and clinical impact for executives, clinicians, and operational leaders.
• Build collaborative relationships with IT, Operations, R&D, HR, etc. to ensure security enables—not disrupts—care delivery.