Director Governance, Risk & Compliance (GRC)

Director of Healthcare Governance, Risk, and Compliance

The Director of Healthcare Governance, Risk, and Compliance, reporting to the CISO, is responsible for developing, implementing, and overseeing comprehensive governance, risk management, and compliance programs within a healthcare organization. This includes establishing and maintaining frameworks that ensure adherence to federal, state, and local laws, regulations, and industry standards (e.g., HIPAA, HITECH). The director will work across different departments to integrate GRC principles into all areas of the organization, fostering a culture of patient safety, data privacy, and ethical conduct.

• Developing and maintaining the organization's GRC framework, including policies, standards, and procedures for risk management, compliance, and information security. (e.g., NIST CSF, HITRUST).- Providing guidance and leadership to ensure that business objectives are met within the established governance framework.- Leading the identification, assessment, and mitigation of enterprise-wide risks, including operational, financial, reputational, legal, cybersecurity, and patient safety risks.- Developing and implementing risk assessment methodologies, mitigation strategies, and action plans.- Maintaining and reporting on the organization's risk register, tracking remediation activities, and providing insights to leadership.- Conducting vendor risk assessments and ensuring third-party compliance with security and privacy standards.- Ensuring compliance with all applicable healthcare laws, regulations, and industry standards (e.g., HIPAA, HITECH, NIST).- Developing and delivering compliance training programs to staff and leadership to promote awareness and adherence to ethical standards.- Overseeing internal and external audits, coordinating responses, and managing remediation efforts.- Staying current on evolving regulatory environments, security threats, and compliance best practices, and updating policies and procedures accordingly.- Collaborating with quality and safety teams to integrate GRC into patient care delivery, focusing on preventing avoidable harm and improving patient outcomes.- Supporting the development and implementation of patient safety initiatives.
• Bachelor's degree in a relevant field such as Healthcare Administration, Information Security, Law, Business Administration, or a related field.- Minimum of 5-10 years of experience in healthcare privacy, risk management, or compliance roles, with a focus on information security, privacy, and regulatory compliance.- CISSP, CISM, or equivalent certifications preferred.- In-depth knowledge of healthcare regulations and frameworks (e.g., HIPAA, NIST).- Experience conducting audits, risk assessments, and regulatory reporting in a healthcare environment.
• Proven experience leading complex consulting engagements, including CIO / CISO engagementsdriving all phases of the client engagement lifecycle (project kickoff, interviews, document reviews, analysis, deliverable creation, executive briefing, and closeout).- Strong leadership and program management skills; able to interface with client leadership teams and provide direction to internal, client, and vendor teams.- Strong communication skills, including the ability to lead executive-level deliverable presentations and briefings.- Develop high-quality deliverables, such as reports, presentations, policies, procedures, and architectural diagrams.
• In-depth knowledge of cybersecurity frameworks (e.g., NIST CSF, ISO 27001, COBIT).- Strong understanding of network protocols, operating systems, cloud platforms (Azure, GCP), and security technologies (SIEM, EDR, firewalls, WAFs).- Expertise in one or more of the following cybersecurity domains (or related) : Cyber Risk Management, Incident Response, Data Protection, OT Security, Vulnerability Management, Identity and Access Management, Cyber Resilience.- Experience with risk management methodologies and tools.- Familiarity with regulatory compliance standards (e.g., GDPR, HIPAA, PCI DSS, SOC 2)
• Bachelor's Degree or 4 years of work experience above the minimum qualification- 5 years of experience