Location: Plano, TX
Salary: Not specified
Type: Full time
Posted: Today
Job Description
The Chief Information Security Officer (CISO) is the senior leader accountable for establishing and operating PAM Health’s enterprise information security program. The CISO protects the confidentiality, integrity, and availability of information assets—especially electronic protected health information (ePHI)—while enabling clinical operations, business continuity, and digital transformation. This role sets security strategy; governs cybersecurity risk; ensures alignment with applicable regulatory and contractual requirements (including HIPAA/HITECH); leads incident preparedness and response; and partners with executive leadership, IT, Compliance, Privacy, Legal, and clinical/operational leaders to reduce risk to patient care and the organization.
*While remote candidates may be considered, preference will be given to candidates based near our Plano, TX or Enola, PA offices.*
Accountability & Scope: Leads the enterprise cybersecurity program across corporate and facility environments, including networks, endpoints, servers, cloud services, applications, EHR/clinical systems, identity and access management, and third parties that create, receive, maintain, or transmit ePHI.
Essential Duties & Responsibilities include, but are not limited to:
- Develop and maintain a multi-year information security strategy and roadmap aligned to PAM Health’s risk appetite, clinical needs, and business objectives.
- Establish security governance (policies, standards, and procedures) and oversee a risk-based security program aligned to recognized frameworks (e.g., NIST CSF), healthcare requirements, and organizational priorities.
- Oversee HIPAA Security Rule administrative, physical, and technical safeguard alignment for ePHI, including periodic risk analysis, risk management plans, and documentation/evidence required for audits and assessments.
- Own enterprise cybersecurity risk management: maintain a security risk register, drive prioritization, ensure remediation tracking, and provide executive-level risk reporting and metrics.
- Direct security operations, including vulnerability management, threat detection/monitoring, security tooling strategy, and response processes (internal team and/or managed security service providers).
- Lead incident response preparedness and execution: develop and test playbooks, coordinate tabletop exercises, manage escalation, ensure lessons-learned remediation, and coordinate regulatory/contractual notification readiness.
- Partner with IT and business leaders to embed security into architecture and delivery (security-by-design), including secure configuration baselines, segmentation, encryption standards, logging, and change management.
- Oversee identity and access management governance (role-based access, privileged access, access reviews, and least-privilege) to support “minimum necessary” access principles for ePHI.
- Establish and operate a third-party risk management program for vendors/business associates, including due diligence, security requirements in contracting, periodic reassessments, and remediation tracking.
- Collaborate with Privacy, Compliance, Legal, and HR on security awareness, training, and enforcement of policies and sanctions related to security and acceptable use.
- Oversee business continuity and disaster recovery security requirements in partnership with IT/Operations, including ransomware resilience, backup protections, and recovery testing.
- Provide executive-level communication on security posture, material risks, and improvement plans; prepare reporting suitable for senior leadership and Board/Board committees as applicable.
- Stay current on healthcare cyber threats (including ransomware and third-party/supply chain risks) and translate emerging risks into actionable mitigation strategies.
Leadership
- Inclusiveness: Promotes cooperation, fairness and equity; shows respect for people and their differences; works to understand perspectives of others; demonstrates empathy; brings out the best in others and in his/her team
- Managing Staff: Coaches, evaluates, develops, and inspires staff; sets expectations; recognizes achievements
- Stewardship and Resource Management: Demonstrates accountability and sound judgment in managing company resources; appropriate understanding of confidentiality and company values; adheres to and supports company policies, procedures and safety guidelines
- Problem-Solving: Identifies problems and involves others in seeking solutions; conducts appropriate analysis and searches for best solutions; effectively and efficiently implements appropriate responses to correct problems; responds promptly and effectively to new challenges
- Decision-Making: Makes clear, consistent decisions; acts with integrity in all decisions; distinguishes relevant from irrelevant information; makes timely, appropriate decisions.
- Strategic Planning and Organizing: Understands company vision and aligns priorities accordingly; measures outcomes; uses feedback to redirect as required; evaluates alternatives; appropriately organizes complex issues to desirable resolution
- Communication: Connects with peers, subordinate employees and all customers; actively listens; clearly and effectively shares information; demonstrates effective oral and written communication skills; negotiates effectively.
- Quality Improvement: Strives for efficient, effective, high-quality performance in self and in the department; delivers timely and accurate results; resilient when responding to matters that are challenging; takes initiative to make improvements
- Leadership: Motivates others; accepts responsibility; maintains high morale in department; develops trust and credibility; expects honest and ethical behavior of self and staff
- Teamwork: Encourages cooperation and collaboration; builds effective teams; works in partnership with others; is flexible; responsive to the needs of others
- Development: Maintains up-to-date skills through involvement with professional organizations and/or continuing education
Customer Service
- Maintains the highest level of customer service via courtesy, compassion and positive communication.
- Promotes the mission and vision of PAM Health within the work environment and the community.
- Respects dignity and confidentiality by adherence to all applicable policies and procedures.
Health and Safety
- Works in a manner that promotes safety; wears clothing appropriate to the performance of the job.
- Participates in OSHA required training.
- Follows universal precautions as appropriate for position; complies with Employee Health requirements for continued employment.
- Reports unsafe practices to management.
- Knows own role in case of an emergency.
Education and Training:
Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field required; Master’s degree (e.g., MS, MBA, MHA) preferred. Current security leadership certifications strongly preferred (e.g., CISSP, CISM, CISA, CRISC). Healthcare security/privacy training and continuing education expected.
Experience:
Minimum of 10 years progressive information security experience, including 5+ years in senior leadership with accountability for enterprise security program delivery. Demonstrated experience in healthcare environments (provider and/or post-acute preferred), including protection of ePHI, regulatory readiness (HIPAA/HITECH), incident response leadership, and third-party/vendor risk management. Experience with cloud security, identity governance, security operations, and partnering with IT and clinical/operational leaders.
- Preferred experience includes: security program governance (NIST CSF), risk assessment and remediation planning, vulnerability/patch management, security monitoring, ransomware preparedness, business continuity/disaster recovery testing, and business associate/vendor security due diligence.
Knowledge, Skills, And Abilities
- Deep knowledge of cybersecurity principles and controls, including identity and access management, encryption, network security/segmentation, endpoint security, logging/monitoring, vulnerability management, and secure configuration baselines.
- Strong understanding of healthcare security and compliance requirements, including HIPAA/HITECH and safeguarding of ePHI; ability to translate regulatory requirements into operational controls and evidence.
- Proven ability to lead incident response and crisis communications, coordinate cross-functional teams, and drive post-incident remediation.
- Ability to communicate risk clearly to executives and non-technical stakeholders; produce actionable metrics, dashboards, and executive summaries.
- Demonstrated leadership skills: team development, vendor/partner management, negotiation, and influence without authority.
- Strong analytical and decision-making skills; sound judgment under pressure; ability to prioritize based on patient safety, operational resilience, and risk reduction.
- High integrity and commitment to confidentiality, professionalism, and stewardship of organizational resources.