HCA, Hospital Corporation of America Director of IT&S Security Assurance in San Antonio, Texas

Why work for HCA IT&S?

  • For the eighth consecutive year, in 2016, HCA's Information Technology & Services was recognized as one of the Top 100 Best Places to Work in IT by Computerworld Magazine.
  • HCA has been recognized by the Ethisphere Institute as one of the World's Most Ethical Companies.
  • You can be a part of a fast growing Fortune 79 company.

Division Director of Information Security Assurance (DISA)


Oversees all aspects of the Information Security Program for all facilities associated with the Division or Line of Business (LOB) to assure strategic alignment with the HCA Information Protection Program and maturity of IT operational security controls. Serves as a key member of the IT&S leadership team and works effectively with Division/Facility Privacy Officials (FPO), Ethics and Compliance Officers (ECO), and other key decision-makers serving on the Division/Facility Security Committee. Champions, administers, and provides interpretation of Information Security Program policies/procedures to facilitate risk-based decisions by key stakeholders.


Launch and oversee Information Security Program for all facilities and division/LOB (25% of the time):

  • Manage governance structure for each in-scope entity (e.g., Facility Security Committee) to facilitate an effective, efficient, and standardized approach that aligns with the HCA Information Protection Program (executive dashboards, agendas, minutes, etc.)
  • Facilitate risk-based decisions by key decision-makers that focus on preventing (or correcting) identified business issues through implementation of reasonable administrative, physical, and/or technical controls
  • Partner with FPO and ECO on cross-disciplinary compliance activities
  • Identify, establish and maintain strategic relationships with key stakeholders to help increase maturity of the Program throughout operational processes, projects, and other initiatives

Validate and operationalize facility readiness for internal and external audits of information security/protection controls on behalf of the CIO (25% of the time):

  • Lead division-wide and facility-specific information risk management program to continually assure the maturity of administrative, technical, and physical controls
  • Partner with IT&S colleagues to assure ongoing maturity of IT operational security controls by leveraging inputs from SAPortal, SATracker, ProofPoint, Data Leak Protection (DLP), FileShare scanning, and other monitoring tools
  • Partner with FPO and/or ECO to assure facilities are able to respond in a timely manner to time-sensitive notifications by providing evidence of the facility's administrative controls (e.g., documented operational procedures to comply with HIPAA)

Champion HCA Information Protection Program initiatives (20% of the time):

  • Drive visible action to implement each initiative within established deadlines (i.e., it may be a time-sensitive regulatory requirement and/or a company-prioritized risk reduction activity)
  • Initiate compelling communications with key stakeholders to launch each initiative
  • Increase awareness and/or understanding of the actions needed to correct identified information security risks

Oversee integration of defined role-based training into facility operations (15% of the time):

  • Provide, or "train-the-trainer" to deliver, role-based training based on identified risks and/or related to compliance with policies/procedures
  • Validate effectiveness of role-based training to monitor the health of each facility's Information Security Program

Staff Development: Staffing and Recruiting, Career Development, Mentoring and Coaching, Succession Planning, Performance Management (15% of the time):

  • Actively involved in Human Resources recruitment, performance evaluations, and management of IT division staff (e.g., Zone FISO)
  • Ensures appropriate training and development programs are utilized to attract, retain, and develop the personnel required to support the information security program
  • Participates in division IT&S succession planning activities with the CIO

Oversee and coordinate information security incident investigation and reporting (varies %):

  • Partner with Corporate departments and/or external entities (e.g., law enforcement) as required to facilitate rapid response
  • Partner with FPO and/or ECO on cross-disciplinary incident investigation and reporting

Duties Include But Are Not Limited To

Determination about the “reasonableness” of safeguards/controls that must be implemented to protect sensitive or restricted data being stored, processed, and/or transmitted by (or on behalf of) business owners and/or the facility. Determinations must be made by striking a balance between business/clinical objectives and available administrative, physical, and/or technical safeguards. Consequences of poor determinations may result in the following negative impacts:

  • Inappropriate/unreasonable disruptions of business/clinical objectives
  • Inappropriate disclosure or breach of sensitive or restricted data
  • Monetary penalties
  • Criminal penalties at the personal level
  • Investigations from the Office of Civil Rights (OCR)
  • Corrective Action Plan with OCR
  • Written notification from HCA to the patient, HHS, and in some situations, local media in the event of a breach (as defined by HITECH)

Determination about the most appropriate approach for engaging with key stakeholders and/or decision-makers serving on the Division/Facility Security Committee to develop and implement corrective action plans to mitigate/correct identified information security risks. Must leverage strategic relationships, compelling communications, and use of governance structure to drive business decisions (e.g., funding, resources, timing). Consequences of a weak approach may result in the following negative impacts:

  • Lack of business understanding and/or support to mitigate or correct identified information security risks that could lead to disruptions of business/clinical objectives
  • Same negative impacts as listed in the previous example above


  • Strong understanding of information security principles, processes, technologies, and practices – required
  • Ability to communicate effectively at an executive level – required
  • Skill in developing and maintaining effective relationships with medical and administrative staff, and technical staff – required
  • Strong written, verbal, and presentation skills – required
  • Skill in exercising initiative, judgment, problem solving, decision-making – required
  • Strong leadership skills, personal drive, and ability to see projects through to execution in a matrixed environment – required
  • Skill in planning, organizing and supervising – required
  • Skill in developing comprehensive reports – required
  • Ability to analyze and interpret complex data – required
  • Ability to research and prepare comprehensive reports – required
  • Knowledge of computer systems and applications – required
  • Strong analytical skills in budgeting, planning and policy maintenance and development – required
  • Knowledge of information security regulations (HIPAA Privacy/Security, Sarbanes-Oxley IT controls, Payment Card Industry (PCI)) – preferred
  • Information Security certifications (e.g., CISSP, CISA, CISM, GSEC) – preferred
  • Knowledge of healthcare – preferred

EDUCATION

  • College Graduate Required
  • Bachelor's degree in IT, Health Information Management, or related field.
  • Master's degree preferred

EXPERIENCE

  • 6 - 10 Years Information Security experience
  • 10 Years of IT experience
  • Leadership experience
  • Management experience
  • Must be able to travel in the continental U.S.

Title: Director of IT&S Security Assurance

Location: Texas-San Antonio-San Antonio Division Office

Requisition ID: 25388-71073