
Information Security Risk Analyst - Intermediate

Remote role Full-time Open position

About the position

Join a world-class academic healthcare system, UChicago Medicine, as an Information Security Risk Analyst - Intermediate in our Information Security and Privacy GRC department. This position will be primarily a work-from-home opportunity with the requirement to come onsite as needed. You will need to be based in the greater Chicagoland area.

The Information Security Risk Analyst - Intermediate plays a critical role within the Governance, Risk and Compliance (GRC) team in executing and enhancing the organization's information security risk management program. The analyst will independently conduct risk analysis on information systems, platforms, and processes in accordance with established regulatory requirements, organizational policies, and industry standards. The analyst will lead and contribute to the identification, assessment, documentation, mitigation, and communication of information security risks across the organization.

This position supports risk-driven decision-making by collaborating with stakeholders, managing risk treatment plans, and ensuring compliance with HIPAA, NIST, and other applicable healthcare cybersecurity regulations and frameworks. The analyst is expected to operate with moderate independence, assist in maturing risk workflows, and contribute to strategic improvements in governance, risk, and compliance activities.

Responsibilities

  • Lead and conduct comprehensive information security risk analysis for IT assets, applications, processes, medical devices and third-party vendors.
  • Evaluate threats and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) and any other confidential or sensitive information, ensuring alignment with HIPAA Security Rule requirements and other applicable regulatory frameworks (e.g., NIST).
  • Lead and manage risk management initiatives based on analysis of outcomes, including maintaining the organization's risk register and scoring methodology.
  • Oversee corrective action plans (CAPs), penetration testing results, audit findings, and risk treatment outcomes.
  • Collaborate with IT partners and key stakeholders to prioritize, implement, and track remediation efforts.
  • Monitor regulatory changes and industry threats to proactively identify emerging risks, recommend mitigation strategies, and document findings.
  • Contribute to risk reporting, including executive dashboards, and participate in risk acceptance processes and governance reviews.
  • Contribute to the development, review, and improvement of cybersecurity policies, standards, and procedures.
  • Evaluate policy exceptions and assist in documenting decisions for governance committees.
  • Enhance the organization's cybersecurity awareness and training efforts by communicating risk insights to technical and non-technical audiences.

Requirements

  • Bachelor's degree required in Information Security, Computer Science, Engineering, Information Technology, or a related field; master's degree preferred.
  • 3+ years of experience in cybersecurity, information security risk management, audit; healthcare industry experience strongly preferred.
  • Demonstrated experience with risk assessment methodologies, auditing, information security practices, and familiarity with risk management platforms and risk registers.
  • Strong understanding of regulatory compliance and industry best practices for maintaining compliance with HIPAA, NIST and other relevant healthcare regulations and standards.
  • One or more of the following certifications is required or must be obtained within 12 months of hire: CRISC, CISM, CISA or any other applicable certification.
  • Ability to lead and structure risk assessments with limited supervision.
  • Ability to manage multiple concurrent assessments and projects in a fast-paced healthcare setting.
  • Experience preparing both detailed technical risk reports and executive-level summaries, tailored to varied audiences to support informed decision-making and governance oversight.
  • Ability to build strong cross-functional relationships and collaboration across departments, including IT, Legal, Compliance, Clinical Operations, and Privacy, to support a collaborative approach to risk management and governance.
  • Strong written and verbal communication and interpersonal skills, including ability to translate technical findings into business-relevant language for leadership audiences.
  • Experience tracking audit findings, third party vendor risks, and remediation efforts.
  • Familiarity with security platforms and tools.
  • Ability to analyze contractual security language to identify risk exposure and recommend controls.
  • Ability to learn quickly and work effectively in a team environment.
  • Ability to understand and work with healthcare professionals, educators, and researchers.
  • Ability to integrate cybersecurity risk management with business operations, healthcare delivery, and IT services.
