SPARROW HOSPITAL AND HEALTH SYSTEM
JOB DESCRIPTION
MANAGEMENT

1. Job Title: Data Security Manager / Chief Security Officer
2. Date: 5/25/2001
3. Corresponding Role Statement: Executive  X Director  Manager  Supervisor
4. Department #: 8357  Department Name: Data Security Administration
5. Class Code:  Pay Grade:
6. Status: X Exempt  Non-Exempt
7. Reports Directly To (Position): Vice President Information Services / CIO
8. Purpose of Job:
The Sparrow Health System Data Security Director / Chief Security Officer oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the Health System’s policies and procedures covering the security of, and access to, Health System data, information and equipment in compliance with federal and state laws, accreditation standards and Sparrow’s information privacy practices.
9. Principal Duties and Responsibilities (Consistent with the Role Statement):
a) Lead, direct and plan Sparrow Health System's comprehensive enterprise-wide Information Security and Privacy strategy that protects Sparrow's highly sensitive computer-based and paper-based health data and equipment while maintaining efficient, effective, and cost-sensitive operations in a manner consistent with Sparrow's mission in accordance with federal and state regulations and accreditation standards.
b) Direct and implement the necessary controls and procedures to cost-effectively protect information assets from intentional or inadvertent modification, disclosure or destruction.
c) Serve in a leadership role for the Security Oversight Committee’s activities.
d) Perform initial and periodic information security risk assessments, conduct related ongoing compliance monitoring activities in coordination with Sparrow Health System's compliance and operational assessment functions.
e) Plan, organize, direct, and control the activities of Data Security Administration and related staff.
f) Develop and manage the capital and operating budget with specific responsibility for Data Security Administration.
g) Lead major compliance and/or security-related Health System Projects to achieve desired objectives.
h) Work with legal counsel and management, Health System entities, and committees to develop and maintain appropriate security policies, procedures, controls and materials reflecting current organization and legal practices and requirements.
i) Oversee, direct, and optimize delivery of security training and orientation to all associates, volunteers, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties.
j) Participate in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all security concerns, requirements, and responsibilities are addressed.
k) Establish with management and operations, a mechanism to restrict access to sensitive information and protected health information in accordance with Sparrow Health System policies and as required by law.
l) Work cooperatively with the Security and Parking Director and other applicable organization units in overseeing physical security as it relates to restricting access to and protecting technology and information assets.
m) Work collaboratively with the Chief Privacy Officer to establish and administer a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy and security policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
n) Administer compliance with security practices and consistent application of sanctions for failure to comply with security policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with Human Resources, the Chief Privacy Officer, Administration, and legal counsel as applicable.
o) Initiate, facilitate and promote activities to foster information security awareness within the organization and related entities.
p) Work collaboratively with the Chief Privacy Officer to align all system-related information security plans and practices with privacy plans and practices throughout the Health System.
q) Maintain current knowledge of applicable federal and state security and privacy laws and accreditation standards, and monitor advancements in information security/privacy technologies to ensure organizational adaptation and compliance.
r) Serve as information security consultant to the organization for all departments, affiliates and subsidiaries.
s) Cooperate with the Department of Health and Human Services, other legal entities, and organization officers in any compliance reviews or investigations.
t) Work with organization administration, legal counsel, and other related parties to represent the organization’s information security interests with external parties (state or local government bodies) who undertake to adopt or amend security legislation, regulations, or standards.
u) Participate in the development, communication, and implementation of Information Services strategy plan and annual goals and objectives.
v) Plan and encourage professional development of the Data Security Administrators through VIP appraisals, career development counseling and on-the-job training. Responsible for supervision of staff which includes recruitment, selection, retention, counseling, discipline, and termination of employees when necessary.
w) Administer and control security incident management procedures to ensure appropriate, effective and orderly response to security incidents. Perform periodic analysis of information security violations and problems.
x) Maintain institutional knowledge of the Health System’s constantly growing information security requirements and stay abreast of management and technical advances in information technology and security.
10. Working Conditions:
a) Office and computer room environment.
b) Some travel required.
c) Extensive keyboard usage and exposure to CRT/monitor.
d) Minimal exposure to latex, less than 10%.
11. Positions That Report Directly To This Position:
a) Data Security Administrator - Associate, Data Security Administrator - Intermediate, Data Security Administrator - Senior, Data Security Administrator - Lead.
b) Must develop and maintain effective collegial relationships with staff, physicians, executives and Board Members. Manages all individuals as relates to their responsibilities of privacy and confidentiality.
12. Knowledge, Skills, Experience Required (Consistent With The Role Statement):
a) Bachelor’s degree or equivalent combination of education and work experience required. Master’s preferred.
b) Minimum of ten years of progressively increasing responsibility and experience in Information Systems. Working knowledge of healthcare operations in an organization of similar size and complexity required.
c) Certified Information Systems Security Professional or Certified Information Systems Auditor, plus a secondary industry-recognized security-related certification (including CISSP, CISA, CCSA, CCSE, SSCP, GCIH, GCIA, GCFA, GSEC I, GSEC II) or industry-recognized technical certification (including CNA, CNE, Master CNE, CDE, MCP, MCSE, ACP, CCP, CCNA, CCNP, CCIE, CCDP, CCDA) preferred, with experience relative to the size and scope of the organization.
d) Knowledge and experience in information security and privacy laws, access, and release control technologies.
e) Knowledge of and the ability to apply industry-recognized security standards, project management, systems and process thinking and change management. Readily accepts change and influences organizational change.
f) Interpersonal skills at a level to function well in a wide range of administrative management and patient care environments and maintain a strong image of professional discipline.
g) Proficient computer, written and verbal communication skills. Excellent presentation skills with the ability to relate effectively to physicians, all levels of the organization and associates in a fluid, flexible and adaptive fashion.
13. Approvals:
Director: Date:
Executive: Date:
Human Resources: Date:
This description is intended to indicate the kinds of activities and levels of work difficulty required for positions with this title and should not be construed as declaring the specific duties and responsibilities of any particular position. The duties described should not be held to exclude other duties not mentioned that are of similar kind or level of difficulty.