Position Overview:
The IT Security Program Manager is responsible for executing and managing the day-to-day operations of Recovery Centers of America’s cybersecurity program. Reporting to the manager of infrastructure under the IT OPS director and ensures that RCA’s security posture remains compliant with HIPAA, HITECH, and NIST 800-53 standards while continuously improving the effectiveness of the organization’s security controls and risk management framework.
This role will coordinate and perform audits, oversee third-party risk management, manage RCA’s security awareness and phishing programs, drive policy governance, and ensure the timely resolution of open risk items and vulnerabilities. The ideal candidate is an organized, hands-on leader with a strong understanding of healthcare security and compliance who can align security initiatives with RCA’s mission of saving one million lives.
Essential Duties and Responsibilities
Program Management & Governance
- Manage the daily operations of RCA’s cybersecurity program under the guidance of the CISO.
- Coordinate and track the completion of internal and external security audits, including HIPAA, SOC 2, and NIST-based assessments.
- Maintain and monitor the Information Security Risk Register, ensuring timely resolution of identified issues and mitigation of critical findings.
- Lead tabletop exercises and incident response simulations to test and improve RCA’s preparedness and business continuity planning.
- Collaborate with RCA leadership and department heads to ensure that security policies and controls are understood and effectively implemented across all business units.
Third-Party Risk & Vendor Management
- Manage the third-party risk assessment program, ensuring that all vendors with access to PHI or critical systems undergo security evaluation and periodic reassessment.
- Review BAAs, security questionnaires, and compliance attestations; ensure corrective action for identified gaps.
- Partner with Procurement and Legal to integrate security requirements into new and existing vendor contracts.
Policy, Compliance, and Reporting
- Work with the CISO to review, update, and publish information security policies, standards, and procedures in accordance with HIPAA, HITECH, and NIST frameworks.
- Develop dashboards and recurring reports to track security metrics, compliance posture, and program maturity for presentation to the CISO and executive leadership.
- Monitor and interpret changes to regulatory requirements, ensuring timely updates to RCA’s compliance program.
Security Awareness & Training
- Administer and optimize RCA’s KnowBe4 Security Awareness and Phishing Training Program.
- Track user engagement and training completion rates, and provide metrics and recommendations to leadership.
- Develop creative awareness campaigns to strengthen RCA’s security culture.
Vulnerability & Infrastructure Management
- Identify and track critical infrastructure vulnerabilities, working with IT and Infrastructure teams to ensure remediation and continuous monitoring.
- Oversee MDM security, ensuring appropriate device controls, encryption, and enforcement of mobile security policies.
- Support the CISO in analyzing threat intelligence, vulnerability trends, and endpoint security performance (e.g., CrowdStrike, firewall alerts).
Risk and Compliance Leadership
- Ensure continuous compliance with HIPAA, HITECH, and NIST 800-53 / 800-171 requirements.
- Coordinate with Compliance, Legal, and Clinical leadership to ensure consistent risk management practices.
- Participate in post-incident reviews, documenting lessons learned and recommending process improvements.
Education
- Bachelor’s degree in Information Security, Computer Science, Information Technology, or related field required.
Experience
- Minimum of 5–7 years of progressive experience in cybersecurity, IT risk management, or audit within a regulated environment (preferably healthcare).
- At least 2 years in a program management or leadership role overseeing information security functions.
- Strong working knowledge of HIPAA, NIST 800-53, HITRUST, and security risk management frameworks.
Certifications (preferred but not required)
- Security +, CISSP, CISM, CRISC, HCISPP, or equivalent security certification.
- PMP or similar project management certification is a plus.
Technical Skills
- Understanding of endpoint protection, SIEM tools, MDM platforms (e.g., Intune), and vulnerability management solutions.
- Experience with vendor risk tools, audit tracking systems, and compliance reporting.
- Familiarity with Microsoft 365 Security Suite, KnowBe4, and GRC platforms.
Core Competencies
- Strong analytical and problem-solving skills.
- Excellent written and verbal communication skills, with the ability to translate technical risks for non-technical stakeholders.
- Highly organized and detail-oriented, with the ability to manage multiple priorities simultaneously.
- Demonstrated ability to build cross-functional relationships and drive accountability.
- Passionate about RCA’s mission and maintaining the privacy and security of patient information
Benefits:
- 401(k)
- 401(k) matching
- Dental insurance
- Employee assistance program
- Flexible spending account
- Health insurance
- Health savings account
- Life insurance
- Paid time off
- Professional development assistance
- Referral program
- Retirement plan
- Tuition reimbursement
- Vision insurance
Work Location: Remote