Internal Risk Analyst

Surescripts serves the nation through simpler, trusted health intelligence sharing, in order to increase patient safety, lower costs and ensure quality care. We deliver insights at critical points of care for better decisions - from streamlining prior authorizations to delivering comprehensive medication histories to facilitating messages between providers.

Job Summary:

The Internal Risk Analyst will be part of the Governance, Risk, & Compliance team and will be responsible for performing internal risk assessments for applications, solutions, projects and third parties. This role reports to the Director, Governance, Risk, & Compliance and will work closely with the Senior Information Security Compliance Analyst. As part of this role, the Internal Risk Analyst will identify risks, provide recommended remediation plans, and maintain a register of identified risks. The Internal Risk Analyst will ensure that patient health information remains secure and identify ways to improve the risk assessment workflow.

Responsibilities:

• Assess security risks, create written security requirements, and recommendations for use by product, project management, and technical teams:

  • Assist with assessment of the risks of applications (internally and externally developed), solutions, projects, and third parties - using best practices for threat modeling and security, as well as Surescripts policies and standards.

  • Aid with providing security requirements that mitigate risks.

  • Document all requirements and recommendations clearly so that product, development, and project management teams can understand responsibilities.

  • Participate in providing additional security guidance as needed and requested by stakeholders as they implement the security requirements.

  • Maintain process and documentation for security risk assessment methodology and steps.

  • Utilize risk assessment software to assess risk.

  • Follow-up as needed for additional details to finalize security risk assessment.

  • Document gaps and risk mitigation plans.

• Assist with periodic risk reporting as directed by the Director, Governance, Risk, and Compliance.

• May assist with business continuity planning.

• Other duties could include supporting security awareness training, customer inquiries, and security certification activities (HITRUST, SOC2, HIPAA).

Qualifications:

Basic Requirements:

• Bachelor's degree in a related field, or equivalent experience.

• Must have 2+ years of information security internal risk assessment experience (performing risk assessments for the company/employer's in-house applications, solutions, and projects).

• Demonstrated effective critical thinking to extract essential information about potential risk including assessing what are the risks, what do we have in place to mitigate risks, and documentation of residual risk.

• Knowledge of formal risk methodologies.

• Familiarity with access control systems.

• Knowledge of information technology such as Windows, macOS, Linux, Unix, networks, and endpoints.

• Demonstrated effective critical thinking to extract essential information about potential risk including assessing what are the risks, what do we have in place to mitigate risks, and documentation of residual risk.

• Exceptional written and verbal communication skills for documentation and information gathering.

• Ability and experience conducting interviews with team members and/or vendors to uncover potential risk.

• Solid cross-team collaboration and influencing skills to gain the required information for a proper risk assessment.

• Exposure and/or knowledge of system configuration, vulnerability management and hardening guidelines.

• Remain current with information security trends and threats.

Preferred Qualifications:

• Experience using information security risk assessment software such as OnSpring GRC.

• ISACA certifications or similar.

• Familiarity with HIPAA, HITRUST, and other healthcare related standards and regulations.

• Familiarity with Business Continuity Planning.

Keywords: internal risk, risk assessment, information security

#LI-HYBRID

Surescripts embraces flexibility through its Flexible Hybrid Work model for most positions. This model allows employees to work virtually while still utilizing our offices as collaboration centers. With alignment and agreement from your leadership, you can come and go from the office as needed.

What You're Like

You're technical. Analytical. Imaginative. Maybe you're building your own crypto-mining rig-or not. Either way, your mind works to anticipate vulnerabilities and protect the company and its information against those vulnerabilities. You do the right thing because it's the right thing without seeking to point fingers or brag. And of course, you're always willing to keep learning.

What We're Like

We're a team of friendly folks who do serious work. Our best work is done by rising to the occasion under stress, but we keep each other cool under pressure. We're a tight team but we also look for ways to partner across the business. Our style is casual and laid back, but we shoulder our responsibility to protect patient data from sophisticated adversaries, which sometimes means delivering a difficult truth.

What the Work is Like

Our challenge is to protect our customers' data and our company. This requires anomaly analysis, risk reviews, pen testing of our controls, red-teaming and tabletops, policy and procedure work, documentation, and audits. We also engineer and maintain our security products and tools. It's not always a typical 9-to-5 gig, of course, but then again, you work in information security, so you already know that.

Why Wait? Apply Now

We're a midsize company. This means you're not just another employee ID number. Here, you can build real relationships and feel supported by truly awesome people with diverse backgrounds and talents in an innovative and collaborative work culture. We strive to create an environment where you can be yourself, share your ideas and work your way. We offer opportunities for employee development, as well as competitive compensation packages and extensive benefits.

At Surescripts, base pay is one part of our Total Rewards Package (which may also include bonus, benefits etc.) and is determined within a range. The base pay range for this position is $79,800 - $97,600 per year. Your base pay may vary within or outside of this range depending on a number of factors, including (but not limited to) your qualifications, skills, experience, and location.

Benefits include, but are not limited to, comprehensive healthcare (including infertility coverage), generous paid time off including paid childbirth and parental leave and mental health days, pet insurance, and 401(k) with company match and immediate vesting. To learn more, review the , , and links under the section of our careers site.

This role requires critical thinking and strong communication skills both written and verbal.Physical and Mental Requirements

While performing duties of this job, an employee may be required to perform any, or all of the following: attend meetings in and out of the office, travel, communicate effectively (both orally and in writing), and be able to effectively use computers and other electronic and standard office equipment with, or without, a reasonable accommodation. Additionally, this job requires certain mental demands, including the ability to use judgement, withstand moderate amounts of stress and maintain attention to detail with, or without, a reasonable accommodation.

Surescripts is proud to be an Equal Employment Opportunity and Affirmative Action employer. We do not discriminate on the basis of race, color, religion, age, national origin, ancestry, disability, medical condition, marital status, pregnancy, genetic information, gender, sexual orientation, parental status, gender identity, gender expression, veteran status, or any other status protected under federal, state, or local law.