Information Security Risk Analyst
Darien, IL, United States
The University of Chicago Medicine
Job Description
Join a world-class academic healthcare system, UChicago Medicine, as an Information Security Risk Analyst in our Information Security department. This position will be primarily a work from home opportunity with the requirement to come onsite as needed. You will need to be based in the greater Chicagoland area.
The Information Security Risk Analyst is a key member of the Governance, Risk and Compliance team, supporting and executing the information security and risk management strategy for the University of Chicago Medicine. The analyst will conduct risk analysis on information systems, platforms, and processes in accordance with established regulations and organizational standards, and will assist in identifying, assessing, tracking, reporting, and supporting the mitigation of information security risks across the organization. This position plays a key role in ensuring the organization’s adherence to HIPAA, NIST, and other healthcare cybersecurity regulations and frameworks. The analyst will work closely with internal stakeholders, IT Partners, and third-party stakeholders to ensure risks are identified, documented, mitigated, and aligned with regulatory and policy requirements, promoting a risk-aware culture and safeguarding patient and institutional data. The role supports the continuous improvement of the organization’s risk management program and provides insights for strategic decision-making. The ideal candidate will have a strong understanding of security frameworks and risk assessment methodologies, and experience conducting risk assessments, maintaining a risk register, managing audit and penetration testing findings, and monitoring regulatory developments, while promoting a culture of risk awareness.
Essential Job Functions
- Conduct comprehensive information security risk analysis for IT assets, applications, processes, medical devices, and third-party vendors.
- Evaluate threats and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) and any other confidential or sensitive information, ensuring alignment with HIPAA Security Rule requirements and other applicable regulatory frameworks (e.g., NIST).
- Support risk management initiatives based on analysis outcomes, including the development and maintenance of the organization’s risk register and scoring methodology.
- Assist in managing penetration testing findings, internal audit findings, and collaborate with key IT Partners and stakeholders to ensure timely resolution of identified risks.
- Monitor regulatory changes and industry threats to proactively identify emerging risks, recommend appropriate mitigation strategies, and document findings.
- Work with stakeholders to implement and verify risk treatment actions.
- Participate in risk acceptance processes and provide input to governance committees or leadership on risk posture and exceptions.
- Assist in the development and improvement of policies, procedures, and technical documentation related to cybersecurity risk management.
- Help enhance the organization’s cybersecurity awareness and training efforts by communicating risk insights to technical and non-technical audiences.
- Other duties as assigned.
Required Qualifications
- Bachelor's degree required in Information Security, Computer Science, Engineering, Information Technology, or a related field
- 1-2 years of experience in information security risk management, preferably in a healthcare environment
- Knowledge of IT risk analysis, auditing and/or information security practices
- Understanding of regulatory compliance and industry best practices towards maintaining compliance with HIPAA, NIST and other relevant healthcare regulations and standards
- Ability to conduct thorough cybersecurity risk assessments
- Ability to prepare both executive and detailed reports on risk findings and status
- Ability to develop remediation plans and guide technology departments with remediation strategy
- Ability to build positive team relationships with all levels of the enterprise and across a diverse set of departments
- Ability to plan and execute project plans, risk tracking, and documentation
- Ability to learn quickly and work effectively in a team environment
- Knowledge and ability to integrate cybersecurity risk management with business operations, healthcare delivery, and IT services
- Effective oral and written communication skills and interpersonal skills, with the ability to translate technical risk into business-relevant language
- Ability to understand and work with healthcare professionals, educators, and researchers
- One or more of the following security certifications are preferred at the time of hire or must be obtained within 2 years of hire: CompTIA Security+, CC, CRISC, CISM, or any other applicable certification
Preferred Qualifications
- Master’s degree
Position Details
- Job Type/FTE: Full Time (1.0 FTE)
- Shift: Days
- Location: Flexible (Hyde Park; Darien)
- Unit/Department: Information Security Office
- CBA Code: Non-Union
Why Join Us
We’ve been at the forefront of medicine since 1899. We provide superior healthcare with compassion, always mindful that each patient is a person, an individual. To accomplish this, we need employees with passion, talent and commitment… with patients and with each other. We’re in this together: working to advance medical innovation, serve the health needs of the community, and move our collective knowledge forward. If you’d like to add enriching human life to your profile, UChicago Medicine is for you. Here at the forefront, we’re doing work that really matters. Join us. Bring your passion.
UChicago Medicine is growing; discover how you can be a part of this pursuit of excellence at: UChicago Medicine Career Opportunities.
UChicago Medicine is an equal opportunity employer. We evaluate qualified applicants without regard to race, color, ethnicity, ancestry, sex, sexual orientation, gender identity, marital status, civil union status, parental status, religion, national origin, age, disability, veteran status and other legally protected characteristics.
Must comply with UChicago Medicine’s COVID-19 Vaccination requirement as a condition of employment. If you have already received the vaccination, you must provide proof as part of the pre-employment process. This is in addition to your compliance with the Flu Vaccination requirement as well. Medical and religious exemptions will be considered consistent with applicable law. Lastly, a pre-employment physical, drug screening, and background check are also required for all employees prior to hire.
Compensation & Benefits Overview
UChicago Medicine is committed to transparency in compensation and benefits. The pay range provided reflects the anticipated wage or salary reasonably expected to be offered for the position.
The pay range is based on a full-time equivalent (1.0 FTE) and is reflective of current market data, reviewed on an annual basis. Compensation offered at the time of hire will vary based on candidate qualifications and experience and organizational considerations, such as internal equity. Pay ranges for employees subject to Collective Bargaining Agreements are negotiated by the medical center and their respective union.
Review the full complement of benefit options for eligible roles at Benefits - UChicago Medicine.