Description

Job Summary

The Director of Identity & Access Management (IAM), reporting to the CISO, is responsible for the full identity lifecycle for all hospital system staff, contractors, third-party access, and non-human/service accounts. The Director of IAM will be responsible for ensuring compliance with healthcare regulations and the security objectives of the organization (i.e., Zero Trust and least privileged principles). The Director of IAM will collaborate closely with business stakeholders in HR, IT, and clinical leadership to ensure secure and efficient access to systems and patient data, while operating within an Agile delivery model.

Key Responsibilities

- Develop and implement a multi-year IAM roadmap aligned with organizational goals and healthcare regulatory requirements like HIPAA, with input into enterprise IT and security strategic planning.
- Lead and mentor a team of IAM professionals, fostering a culture of continuous improvement, education, and awareness across both IT staff and end-users (including clinical and business users).
- Oversee the design, implementation, and maintenance of IAM systems, including user provisioning, access certification, privileged access management (PAM), multi-factor authentication (MFA), and automated/self-service capabilities (e.g., automated provisioning/deprovisioning, self-service password reset).
- Ensure IAM practices adhere to regulatory obligations and audit requirements, including the creation, maintenance, and periodic review of IAM-related policies, standards, and procedures.
- Identify and mitigate security risks associated with identity management, including establishing incident response processes for IAM-related security events such as access misuse, credential compromise, or insider threats.
- Partner with IT, security, compliance, and business units to align IAM initiatives with organizational objectives, clinical workflows, patient safety, and business continuity.
- Manage the IAM budget, optimize spending, and oversee vendor relationships.
- Oversee identity lifecycle, including provisioning, deprovisioning, and role-based access, emergency/break-glass access, and temporary access requests, with appropriate post-event reviews.
- Lead efforts to integrate IAM with HRIS, ERP, EHR/clinical systems, and business systems.
- Track key performance indicators (KPIs), analyze IAM system effectiveness, and provide reports to executive leadership, including metrics such as time to provision/deprovision, access certification completion rates, number of exceptions, and automation/self-service adoption.
- Support audit readiness and compliance with identity governance, as well as participation in internal/external audits and maturity assessments.
- Ensure strong monitoring, audit logging, and analytics of identity events, including timely review and response to anomalous activity.
- Represent IAM at security/governance committees and provide regular updates to executive leadership.
- Champion adoption of new technologies (cloud IAM, mobile, IoT) and guide the organization through evolving regulatory requirements.

Preferred Qualifications

- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field, with a Master's degree strongly preferred.
- 10+ years of progressive experience in IAM, with a minimum of 5 years in a leadership role.
- CISSP, CISM, or identity-specific certifications (e.g., SailPoint Certified IdentityNow Professional).
- Experience with IGA platforms (e.g., SailPoint, Saviynt, or One Identity), Epic Security, and cloud platforms (AWS, Azure, GCP).
- Strong understanding of IAM protocols (OAuth, SAML, OIDC, LDAP) and experience in configuring IAM solutions for web, device, and API authentication.

Leadership Experience

- Strong leadership and program management skills; able to interface with stakeholder leadership teams and provide direction to internal and vendor teams.
- Strong communication skills, including the ability to lead executive-level deliverable presentations and briefings, as well as representation at governance committees.
- Develop high-quality deliverables, such as reports, presentations, policies, procedures, and architectural diagrams.

Technical & Domain Expertise

- In-depth knowledge of cybersecurity frameworks (e.g., NIST CSF, ISO 27001, COBIT).
- Strong understanding of network protocols, operating systems, cloud platforms (Azure, GCP), and security technologies (SIEM, EDR, firewalls, WAFs).
- Expertise in one or more of the following cybersecurity domains (or related): Cyber Risk Management, Incident Response, Data Protection, OT Security, Vulnerability Management, Identity and Access Management, Cyber Resilience.
- Experience with risk management methodologies and tools.
- Familiarity with regulatory compliance standards (e.g., GDPR, HIPAA, PCI DSS, SOC 2).
- Understanding of clinical, operational, and business workflows in healthcare environments.

Minimum Requirements

- Bachelor's Degree or 4 years of work experience above the minimum qualification
- 5 years of experience