Cybersecurity Medical IT Risk Assessor

13 Feb 2025

Vacancy expired!

At Bon Secours Mercy Health, we are dedicated to continually improving health care quality, safety and cost effectiveness. Our hospitals, care sites and clinicians are recognized for clinical and operational excellence.

Summary of Primary Function/General Purpose of Position

The Cybersecurity Medical IT Risk Assessor II will support the programs of Cybersecurity Risk and Assurance, Biomedical (Supply Chain), Compliance, I&T and Legal by supporting various initiatives with a focus on a broad range of critical networked medical devices. They will conduct risk assessments, incident reports, monitoring, and investigations related to medical devices and I&T. They are specifically responsible for understanding workflows in acute and ambulatory care delivery areas: nursing, laboratory, cardiology, radiology, pharmacy, ICU, ED, surgery, respiratory, and homecare. They will also assess impact of security capabilities with oversight for risk properties of patient safety, care effectiveness and data security.

Essential Job Functions
  • Plans and executes the Medical Device Risk Management Process and Risk Assessment process when incorporating medical devices onto the Medical IT-Network.
  • Contributes to the execution of the Medical Device Risk Management Process and Risk Assessment process when incorporating medical devices and supporting applications onto the Medical IT Network.
  • Informs key Medical Device stakeholders (e.g., Clinical Engineering, Supply Chain, medical device manufacturers, risk management personnel, other suppliers of IT software, services, or infrastructure, facilities management, clinical users, and technical support.)
  • Coordinates with the Clinical Engineering team and Information Services team to track and remediate medical device information security risk, update the Computerized Maintenance Management System (CMMS), and identify medical devices that require risk assessments.
  • Ensures that software and hardware risk control measures within medical devices are successfully implemented.
  • Maintains documentation obtained from Medical Device Manufacturers (e.g., MDS2 forms, technical documentation, configuration documentation, etc.), providers of other information technology, and other risk management related documentation (e.g., Security Assessment Results, Security Risk Acceptance Decisions, etc.) in the Medical IT-Network Risk Management File.
  • Stays up to date with relevant federal (FDA), international (ISO-80001), national, and state regulations and industry guidance around medical IT-networks and medical devices.
  • Uses cybersecurity risk evaluation tools to help reduce organizational cyber risk with medical devices.
  • Participates in Cybersecurity Risk Governance process to provide medical device security risks, mitigations and input on other technical risks.
  • Drafts and provides input into the Cybersecurity Risk Management Framework process activities and related documentation pertaining to Medical Device and Biomedical/Clinical Engineering.
  • Identifies opportunities to improve processes and procedures to document the execution of the analysis and assessments of Medical Devices.
  • Supports the development of key performance indicators and reporting key metrics to leadership in a timely manner.
  • Contributes to other Cybersecurity Risk and Assurance programs and functions as needed.
  • Conducts assessments and monitoring to identify and analyze risk exposure, including those relevant to medical IT laws, regulations, and industry cybersecurity standards.
  • Assists with the development, recommendation, and implementation of action plans and strategies for addressing medical device IT liability, operational and medical device risks.
  • Analyzes and tracks follow up communications to ensure risks are remediated appropriately.
  • Prepares timely management reports and metrics for presentation to leadership.

This document is not an exhaustive list of all responsibilities, skills, duties, requirements, or working conditions associated with the job. Employees may be required to perform other job-related duties as required by their supervisor, subject to reasonable accommodation.

Licensing/Certification

CISSP (Certified Information Systems Security Professional), ISC2 (International Information System Security Certification Consortium), ISACA (Information Systems Audit and Control Association), or SANS (SysAdmin, Audit, Network and Security) (required)

Clinical Engineering technology, ACCE (Association of Chamber of Commerce Executives) or AAMI (Association for the Advancement of Medical Instrumentation) (required)

Education

Bachelors, Biomedical, Clinical Engineering, or related field (required)

Masters, Biomedical, Clinical Engineering, or related field (preferred)

Work Experience

5 years' experience in healthcare delivery in biomed and/or clinical engineering management role, medical IT and/or Bioscience and/or services in a multi-facility organization, or information security engineering or auditing (required)

Training

None

Language

None

Patient Population

Not applicable to this position

Working Conditions

Periods of high stress and fluctuating workloads may occur.

General office environment.

Other: This is an exempt position requiring hours of work that extend beyond the traditional work hours, including evenings and weekends

Physical Requirements

Physical Demands

Frequency 0% 1-33% 34-66% 67-100%

Lifting/ Carrying (0-50 lbs.) x

Lifting/ Carrying (50-100 lbs.) x

Push/ Pull (0-50 lbs.) x

Push/ Pull (50-100 lbs.) x

Stoop, Kneel x

Crawling x

Climbing x

Balance x

Bending x

Work Position

Frequency 0% 1-33% 34-66% 67-100%

Sitting x

Walking x

Standing x

Additional Physical Requirements/Hazards

Physical Requirements

Not applicable to this position

Hazards

Not applicable to this position

Skills

Complex organizational

manage multiple priorities in a rapidly changing environment

maintain composure under pressure

technical skills

Understanding of Medical device IT systems and processes

experience evaluating internal and external technical control systems

security controls

medical device information systems

computing environments

cybersecurity principles and privacy principles

protected health information or data

Medical device risk best practices

security legal requirements

prioritize business risks

enforce appropriate information security measures

capable of working independently

documentation skills

attention to detail

Presentation skills

communications

interacting with leadership team, peers, vendors, and customers

#BSMHIT

Many of our opportunities reward your hard work with:

  • Comprehensive, affordable medical, dental and vision plans
  • Prescription drug coverage
  • Flexible spending accounts
  • Life insurance w/AD&D
  • Employer contributions to retirement savings plan when eligible
  • Paid time off
  • Educational Assistance
  • And much more

Benefits offerings vary according to employment status.

All applicants will receive consideration for employment without regard to race, color, national origin, religion, sex, sexual orientation, gender identity, age, genetic information, or protected veteran status, and will not be discriminated against on the basis of disability. If you'd like to view a copy of the affirmative action plan or policy statement for Mercy Health - Youngstown, Ohio or Bon Secours - Franklin, Virginia; Petersburg, Virginia; and Emporia, Virginia, which are Affirmative Action and Equal Opportunity Employers, please email recruitment@mercy.com. If you are an individual with a disability and would like to request a reasonable accommodation as part of the employment selection process, please contact The Talent Acquisition Team at recruitment@mercy.com.

  • ID: #49182405
  • State: Virginia Richmond 23173 Richmond USA
  • City: Richmond
  • Salary: USD TBD TBD
  • Job type: Permanent
  • Showed: 2023-02-13
  • Deadline: 2023-04-13
  • Category: Et cetera