[Hiring] Chief Information Security Officer @PAM Health Corp Business Office
Information Technology
Salary unspecified
Remote Location
🇺🇸 USA Only
Employment Type full-time
Posted 1mth ago

1mth ago - PAM Health Corp Business Office is hiring a remote Chief Information Security Officer. 💸 Salary: unspecified 📍Location: USA

Role Description

The Chief Information Security Officer (CISO) is the senior leader accountable for establishing and operating PAM Health’s enterprise information security program. The CISO protects the confidentiality, integrity, and availability of information assets—especially electronic protected health information (ePHI)—while enabling clinical operations, business continuity, and digital transformation. This role sets security strategy; governs cybersecurity risk; ensures alignment with applicable regulatory and contractual requirements (including HIPAA/HITECH); leads incident preparedness and response; and partners with executive leadership, IT, Compliance, Privacy, Legal, and clinical/operational leaders to reduce risk to patient care and the organization.

While remote candidates may be considered, preference will be given to candidates based near our Plano, TX or Enola, PA offices.

Responsibilities

  • Leads the enterprise cybersecurity program across corporate and facility environments, including networks, endpoints, servers, cloud services, applications, EHR/clinical systems, identity and access management, and third parties that create, receive, maintain, or transmit ePHI.

Essential Duties & Responsibilities include, but are not limited to:

  • Develop and maintain a multi-year information security strategy and roadmap aligned to PAM Health’s risk appetite, clinical needs, and business objectives.
  • Establish security governance (policies, standards, and procedures) and oversee a risk-based security program aligned to recognized frameworks (e.g., NIST CSF), healthcare requirements, and organizational priorities.
  • Oversee HIPAA Security Rule administrative, physical, and technical safeguard alignment for ePHI, including periodic risk analysis, risk management plans, and documentation/evidence required for audits and assessments.
  • Own enterprise cybersecurity risk management: maintain a security risk register, drive prioritization, ensure remediation tracking, and provide executive-level risk reporting and metrics.
  • Direct security operations, including vulnerability management, threat detection/monitoring, security tooling strategy, and response processes (internal team and/or managed security service providers).
  • Lead incident response preparedness and execution: develop and test playbooks, coordinate tabletop exercises, manage escalation, ensure lessons-learned remediation, and coordinate regulatory/contractual notification readiness.
  • Partner with IT and business leaders to embed security into architecture and delivery (security-by-design), including secure configuration baselines, segmentation, encryption standards, logging, and change management.
  • Oversee identity and access management governance (role-based access, privileged access, access reviews, and least-privilege) to support “minimum necessary” access principles for ePHI.
  • Establish and operate a third-party risk management program for vendors/business associates, including due diligence, security requirements in contracting, periodic reassessments, and remediation tracking.
  • Collaborate with Privacy, Compliance, Legal, and HR on security awareness, training, and enforcement of policies and sanctions related to security and acceptable use.
  • Oversee business continuity and disaster recovery security requirements in partnership with IT/Operations, including ransomware resilience, backup protections, and recovery testing.
  • Provide executive-level communication on security posture, material risks, and improvement plans; prepare reporting suitable for senior leadership and Board/Board committees as applicable.
  • Stay current on healthcare cyber threats (including ransomware and third-party/supply chain risks) and translate emerging risks into actionable mitigation strategies.

Qualifications

  • Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field required; Master’s degree (e.g., MS, MBA, MHA) preferred.
  • Current security leadership certifications strongly preferred (e.g., CISSP, CISM, CISA, CRISC).
  • Healthcare security/privacy training and continuing education expected.
  • Minimum of 10 years progressive information security experience, including 5+ years in senior leadership with accountability for enterprise security program delivery.
  • Demonstrated experience in healthcare environments (provider and/or post-acute preferred), including protection of ePHI, regulatory readiness (HIPAA/HITECH), incident response leadership, and third-party/vendor risk management.
  • Preferred experience includes: security program governance (NIST CSF), risk assessment and remediation planning, vulnerability/patch management, security monitoring, ransomware preparedness, business continuity/disaster recovery testing, and business associate/vendor security due diligence.

Requirements

  • Deep knowledge of cybersecurity principles and controls, including identity and access management, encryption, network security/segmentation, endpoint security, logging/monitoring, vulnerability management, and secure configuration baselines.
  • Strong understanding of healthcare security and compliance requirements, including HIPAA/HITECH and safeguarding of ePHI; ability to translate regulatory requirements into operational controls and evidence.
  • Proven ability to lead incident response and crisis communications, coordinate cross-functional teams, and drive post-incident remediation.
  • Ability to communicate risk clearly to executives and non-technical stakeholders; produce actionable metrics, dashboards, and executive summaries.
  • Demonstrated leadership skills: team development, vendor/partner management, negotiation, and influence without authority.
  • Strong analytical and decision-making skills; sound judgment under pressure; ability to prioritize based on patient safety, operational resilience, and risk reduction.
  • High integrity and commitment to confidentiality, professionalism, and stewardship of organizational resources.

Benefits

  • Competitive pay.
  • Generous paid benefit time.
  • Excellent insurance options.
  • Opportunities for professional growth through our Education Advancement Program.