Job Description
Third-Party & Vendor Risk Management:
- Manage the complete third-party risk management (TPRM) program, from initial assessment to ongoing monitoring.
- Conduct security risk assessments for all vendors, especially those handling protected health information (PHI).
- Collaborate with Legal to review security language in vendor contracts and Business Associate Agreements (BAAs).
Audit & Compliance (HIPAA, SOC 2):
- Manage all internal and external audits, including planning, evidence collection, and coordinating with auditors.
- Serve as the main point of contact for external auditors (e.g., for SOC 2, HIPAA).
- Oversee security controls (technical and procedural) to ensure continuous compliance with HIPAA, HITECH, and SOC 2 frameworks.
Enterprise Risk & Security Operations:
- Manage the enterprise risk management program, including conducting annual risk assessments and maintaining the risk register.
- Develop, maintain, and test the company's incident response (IR) plan.
- Run security awareness programs, such as phishing simulations and tabletop exercises.
About Included Health
Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation, aiming to raise the standard of healthcare for everyone.