Cybersecurity Compliance Analyst

New York eHealth Collaborative: Cybersecurity Compliance Analyst New York eHealth Collaborative (NYeC) is a not-for-profit organization working in partnership with the New York State Department of Health to improve healthcare by collaboratively leading, connecting, and integrating health information exchange across the State. Founded in 2006 by healthcare leaders, NYeC works to help New York State achieve the Triple Aim of improving the patient experience of care, delivering better health outcomes, and reducing costs. On behalf of the State, NYeC leads the Statewide Health Information Network for New York (SHIN-NY), a network connecting healthcare providers statewide, develops policies and standards that support the utilization of health technologies, and assists healthcare providers in adopting and effectively using electronic health records.

Position Summary: NYeC is seeking a Cybersecurity Compliance Analyst to play a key role in maintaining and strengthening NYeC's information security and compliance posture within a healthcare data exchange environment. This role ensures that security controls, policies, and practices align with regulatory requirements, industry standards, and frameworks. The analyst collaborates across departments to assess risk, support audits, and drive continuous improvement in cybersecurity and compliance processes.

This role can be operated out of our Albany, NY or Manhattan, NY office on a hybrid schedule. Primary Responsibilities: • Support the ongoing HITRUST certification, including control implementation, documentation, and evidence gathering. • Supports general security control documentation and evidence gathering for regulatory frameworks and industry standards.

• Participates in the creation/updating of enterprise security documents (policies, standards, baselines, guidelines and procedures); • Participates in the creation/updating of and monitoring compliance with NYeC's Information Security Roadmap; • Monitors and ensures timely completion and implementation of remediation activities resulting from all required security risk assessments and tests, whether performed by NYeC or third party assessors, including but not limited to HIPAA Security Risk Assessments and Business Continuity, Incident Response and Disaster Recovery plan testing. • Drafts NYeC's required reports and contractual deliverables related to information security; • Ensures vendor contracts meet security requirements and benchmarks; • Assists in responding to information system security incidents, including investigation, containment, and recovery from computer-based attacks, unauthorized access, and policy breaches. • Analyzes and researches best practices in information security governance including organizational policies, procedures, standards, baselines and guidelines for the use and operation of information systems; • Communicates security compliance requirements and updates to relevant stakeholders and departments.
• Supports additional security and compliance initiatives as needed. • Other duties as assigned. Experience and Skills: • Bachelor's degree in Information Security, Computer Science, or a related field.

Advanced degree in relevant field of study such as Information Security, Business Administration, IT, or related field preferred; • A minimum of 5 years in information security or risk management, with a focus on security operations highly preferred; • Ability to research and draft information security policies and procedures, and recommend new information security technologies for implementation; • Strong attention to detail and excellent documentation skills to support audit trails and compliance evidence; • Experience supporting audits, certification assessments, and control documentation; • Familiarity with implementing regulatory requirements, cybersecurity industry frameworks and standards (HITRUST, HIPAA, MARS-E, FFIEC, NIST, CIS 20 critical controls, PCI-DSS, ISO 27001, etc.); • Understanding of cloud security controls and compliance in AWS and/or Azure environments. • Excellent communication skills and ability to collaborate across technical and non-technical teams; • Familiarity with healthcare data exchange standards and technologies (e.g., HL7, FHIR, HIE environments) a plus; • Working knowledge of cloud computing security principles; AWS, Azure. • Must have the ability to be available after hours as needed; • Must have the ability for occasional travel between NYeC offices as needed.

Preferred Certifications: • HITRUST Certified CSF Practitioner (CCSFP) • CISM (Certified Information Security Manager) • CRISC (Certified in Risk and Information Systems Control) • CISA (Certified Information Systems Auditor) • CompTIA Security+ • CISSP (Certified Information Security System Professional) • ISO 27001 Lead Implementer / Lead Auditor • CGRC (Certified in Governance, Risk & Compliance - ISC²) Expectations of Employees: • Employees work a hybrid in-office schedule (at either our Manhattan, NY or Albany, NY office and then remotely). Barring specific exemptions, team members are expected to work from the office on a regular schedule determined by the CCOO and on other days specified by their manager (no less than 1 day per week in the office). This schedule is subject to change.

• NYeC supports work happening across New York State. From time to time our team members must visit other parts of the state. The most common requirement is for a New York City based team member to travel to Albany and vice versa.

We consider a wide range of factors when determining compensation, which may cause compensation to vary depending on your skills, experience, qualifications, and home office location (Manhattan, NY vs. Albany, NY). The annual base salary range for this role for an Albany, NY based candidate is expected to be $70,000 - $90,000.

The annual base salary range for this role for a Manhattan, NY based candidate is expected to be $85,000 - $110,000. The salary offer will not be based on a candidate's salary history at other jobs, and by law, NYeC will not seek information about salary history, and candidates should not share such information with NYeC. All compensation questions and comments should be directed to the HR Department representative during your application, interview, and hiring process.

For more information about NYeC and to apply for this position, visit our website at https://www.nyehealth.org/careers/. We accept online applications only.