Information Technology Sr. Director of Cybersecurity

Job Locations: US-MD-Owings Mills
Posted Date: 13 hours ago (8/25/2025 8:48 AM)
Job ID: 2025-6648
Type: Full-Time
# of Openings: 1
Category: Information Technology

Overview

At Anne Arundel Dermatology we give exceptional care - to our patients and to each other.

Patient First | Caring | Accountability | Trust | One Team | Growth

  • The Senior Director of Cybersecurity will lead Anne Arundel Dermatology's information security strategy, governance, and operations, playing a crucial role in safeguarding sensitive healthcare data and ensuring strict compliance with regulations such as HIPAA and HITECH. Key strategic functions are:
    • Oversee all security initiatives and collaborate closely with Business Directors, Clinical Staff, and IT leaders to uphold the confidentiality, integrity, and availability of essential healthcare systems.
    • Utilize extensive expertise in the rapidly changing cybersecurity and risk landscape to drive IT safety and secure operations at both the enterprise and healthcare dermatology practice levels.
    • Provide expert guidance, implement industry best practices, and conduct comprehensive risk reviews and vulnerability assessments to proactively identify threats and communicate findings to senior leaders and stakeholders.
    • Apply a deep understanding of information security frameworks, including policies and standards, risk and control assessments, access controls, regulatory compliance, technology resiliency, governance metrics, incident management, secure systems development life cycles, vulnerability management, and data protection.
  • The Sr. Director of Cybersecurity is a key individual contributor who collaborates effectively within a matrix organization to enhance the protection of vital healthcare services at Anne Arundel Dermatology. Your skills will play an important role in strengthening our security measures for the benefit of our patients and community.

Responsibilities

Key Responsibilities

Strategic Leadership

  • Develop and execute a multi-year cybersecurity strategy aligned to organizational goals and healthcare regulatory requirements.
  • Serve as a trusted advisor to executive leadership on cybersecurity risks, and incident response readiness.
  • Lead enterprise risk assessments and define risk mitigation strategies for all data environments.
  • Drive a culture of security awareness through training programs for clinicians, staff, and executives.
  • Manage vendor relationships for security products, managed services, and consulting partners.
  • As an advisor to Business and IT leadership, provide insights into security capabilities, vulnerabilities, current and emerging threats, and risk levels.
  • Coordinate with compliance, legal, and audit teams on security audits, investigations, and reporting.
  • Offer development guidance and assist in the identification, implementation, and maintenance of organizational information security policies and procedures in coordination with management and compliance leaders.

Cybersecurity Program Management

  • Apply hands-on experience in deploying and managing security and network solutions, including Security Information and Event Monitoring (SIEM), Email Security, Endpoint Protection, Data Loss Prevention (DLP), and Intrusion Prevention/Detection Systems (IPS/IDS).
  • Partner with department leaders to ensure that IT security policies, processes, and technologies align with compliance, legislative requirements, and human resources best practices.
  • Support audit activities conducted by internal, retained, or external audit sponsors.
  • Assess the effectiveness and relevance of all IT security policies and procedures, enforcing compliance across the customer Software as a Service (SaaS) environment, vendors, contractors, and all corporate end-users. Develop and maintain new, relevant information security policies as needed to remediate vulnerabilities within information systems.
  • Manage and optimize the Security Awareness Program to ensure effective corporate awareness and compliance.
  • Continuously evaluate the security capabilities of Technology systems and applications to identify gaps in defenses and pursue solutions to address those gaps.
  • Develop a risk management and compliance framework for information security that aligns with the overall compliance strategy for AADermatology.
  • Regularly review data and privacy projects within AADermatology to ensure that they support and align with corporate privacy and data security goals and policies.
  • Ensure that the development of new products and services complies with AADermatology's information security policies and legal obligations.
  • Establish a process for receiving, documenting, tracking, investigating, and acting on information security incidents that affect the organization's information security policies and procedures.
  • Aid in the planning, design, and evaluation of information security-related projects, and establish an internal monitoring program for information security.
  • As necessary, or according to established procedures, review the information security program and revise it based on changes in laws, regulations, or company policy.
  • Monitor system development and operations to ensure compliance with information security standards.
  • Conduct periodic information security assessments and ongoing compliance monitoring activities in conjunction with other organizational compliance and operational assessments.
  • Oversee service providers by proposing reasonable steps for their selection and retention, ensuring they can maintain appropriate safeguards for AADermatology's information assets.
  • Develop, maintain, and update the incident response capability for information security, ensuring it includes the detection, reporting, response, and mitigation of security incidents.
  • Create and implement action plan procedures related to information security and ensure the preparation and maintenance of continuity plans for information systems that facilitate the operations and assets of AADermatology.

Healthcare Compliance & Regulatory Oversight

  • Ensure compliance with HIPAA, HITECH, CMS, PCI DSS, and applicable state regulations.
  • Lead security risk assessments for EHRs, telehealth platforms, and other clinical technologies.

Technology & Operations

  • Direct security architecture reviews for new systems, including EHR integrations, cloud migrations, and connected medical devices (IoMT).
  • Oversee endpoint security, network security, and encryption strategies at all levels.
  • Lead disaster recovery (DR) and business continuity (BC) planning from a security perspective.
  • Oversee the continuous monitoring and analysis of security alerts and logs, developing processes to respond appropriately to alerts.

Incident Response & Threat Management

  • Act as the executive incident commander for security incidents, breaches, and ransomware attacks.
  • Maintain and continuously test incident response plans.
  • Collaborate with legal teams, Cyber Insurance providers, relevant agencies, and industry peers on threat intelligence information sharing and prevention methods.


Qualifications


Experience

  • 10+ years of progressive experience in information security, with at least 5 years in a senior leadership role.
  • Direct experience in healthcare cybersecurity, including EHR and other Clinical Systems and IoMT security.
  • Proven track record leading enterprise security programs, risk management, and incident response in regulated industries.
  • Strong knowledge of HIPAA, HITECH, NIST Cybersecurity Framework, and HITRUST CSF.

Skills & Competencies

  • Exceptional leadership, communication, and influencing skills across clinical, business, and IT stakeholders.
  • Ability to translate complex cybersecurity concepts into business terms for executives.
  • Strong analytical and problem-solving skills with a focus on risk-based decision-making.
  • Experience managing multimillion-dollar security budgets.


Performance Metrics

  • Compliance audit pass rates (HIPAA/HITRUST).
  • Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) for security incidents.
  • Reduction in critical vulnerabilities year after year.
  • Employee security awareness scores.
  • Successful execution of DR/BC tests, and Incident Response plans with minimal downtime.

Physical Requirements:

  • Prolonged periods of sitting at a desk and working on a computer.
  • Must be able to lift fifteen pounds at times.


Licensure/Certifications/Education

Education & Certification

  • Bachelor’s degree in information security, Computer Science, or related field (master’s preferred).
  • Relevant certifications such as CISSP, CISM, CISA, HCISPP, or CHPS strongly preferred.
