Vice President, Chief Information Security Officer

About The Position

Requirements

• Bachelor’s degree in Information Technology, Cybersecurity, Healthcare Administration, or related field required; Master’s degree preferred.
• 10+ years of progressive leadership in information security and risk management, with 5+ years in healthcare or another highly regulated industry.
• Demonstrated success implementing enterprise cybersecurity programs in a multi-hospital health system, payer, or large healthcare delivery network.
• Deep knowledge of HIPAA, HITECH, CMS, OCR enforcement, FDA guidance for medical devices, and healthcare-specific risk management frameworks.
• Expertise in EHR security (Epic preferred), identity and access management, cloud security, and medical device security.
• Strong business and clinical acumen; ability to align security with patient care priorities.
• Exceptional communication skills with the ability to present to clinical leaders, executives, and boards.

Nice To Haves

• Relevant certifications strongly preferred: CISSP, HCISPP, CISM, CISA, or CHPS.

Responsibilities

• Strategic Leadership -Develop and implement a multi-year information security strategy that aligns with organizational priorities, digital transformation goals, and regulatory requirements.
• Advise the CEO, CDO, COO, and Board of Directors on emerging cyber threats, risks to patient care, and mitigation strategies.
• Lead enterprise participation in healthcare security coalitions, information sharing groups (e.g., H-ISAC), and public–private partnerships.
• Governance, Risk & Compliance -Establish and maintain a security governance program based on healthcare-aligned frameworks (NIST CSF 2.0, HITRUST CSF, HICP, HIPAA/HITECH).
• Drive enterprise risk assessments and develop mitigation plans for cybersecurity, privacy, and clinical safety risks.
• Ensure compliance with HIPAA, HITECH, CMS, FDA (for medical device security), and state privacy regulations.
• Oversee security audits, penetration tests, and third-party/vendor risk assessments, ensuring remediation of findings.
• Clinical & Operational Security -Protect the Electronic Health Record (EHR), patient-facing portals, and digital health platforms against compromise, downtime, or data loss.
• Partner with Clinical Engineering and Biomedical teams to secure medical devices and Internet of Medical Things (IoMT).
• Lead preparedness for ransomware, phishing, insider threats, and advanced persistent threats with an emphasis on minimizing patient safety impact.
• Oversee disaster recovery and business continuity planning in alignment with emergency preparedness and patient safety frameworks.
• Collaboration & Culture -Partner with Digital, Compliance, Privacy, Clinical, and Operational leaders to embed security into new initiatives, system design, and patient engagement platforms.
• Build and lead organization-wide security awareness and phishing-resistance training tailored to caregivers, clinicians, and administrative staff.
• Serve as the public face of information security during regulatory reviews, patient safety investigations, and stakeholder engagements.
• Team Leadership -Recruit, develop, and lead a high-performing healthcare cybersecurity team across areas such as threat intelligence, incident response, IAM, and risk management.
• Promote a culture of accountability, clinical safety, and innovation in cybersecurity practices.
• Provide coaching and mentoring for next-generation security leaders.

Benefits

• Sutter Health is an equal opportunity employer EOE/M/F/Disability/Veterans.