Information Security Risk Analyst - Intermediate

Join a world-class academic healthcare system, UChicago Medicine, as an Information Security Risk Analyst – Intermediate in our Information Security and Privacy GRC department. This position will be primarily a work-from-home opportunity with the requirement to come onsite as needed. You will need to be based in the greater Chicagoland area.   

The Information Security Risk Analyst – Intermediate plays a critical role within the Governance, Risk and Compliance (GRC) team in executing and enhancing the organization’s information security risk management program. The analyst will independently conduct risk analysis on information systems, platforms, and processes in accordance with established regulatory requirements, organizational policies, and industry standards. The analyst will lead and contribute to the identification, assessment, documentation, mitigation, and communication of information security risks across the organization.  

This position supports risk-driven decision-making by collaborating with stakeholders, managing risk treatment plans, and ensuring compliance with HIPAA, NIST, and other applicable healthcare cybersecurity regulations and frameworks. The analyst is expected to operate with moderate independence, assist in maturing risk workflows, and contribute to strategic improvements in governance, risk, and compliance activities. 

The ideal candidate will have a strong understanding of security frameworks, risk assessment methodologies, risk assessments, risk registers, and the management of audit and penetration testing findings. The ideal candidate should be adept at monitoring regulatory developments while promoting a culture of risk awareness across the organization. 

Essential Job Functions     

• Lead and conduct comprehensive information security risk analysis for IT assets, applications, processes, medical devices and third-party vendors.  

• Evaluate threats and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) and any other confidential or sensitive information, ensuring alignment with HIPAA Security Rule requirements and other applicable regulatory frameworks (e.g., NIST,). 

• Lead and manage risk management initiatives based on analysis of outcomes, including maintaining the organization’s risk register and scoring methodology.  

• Oversee corrective action plans (CAPs), penetration testing results, audit findings, and risk treatment outcomes.  

• Collaborate with IT partners and key stakeholders to prioritize, implement, and track remediation efforts.  

• Monitor regulatory changes and industry threats to proactively identify emerging risks, recommend mitigation strategies, and document findings.  

• Contribute to risk reporting, including executive dashboards, and participate in risk acceptance processes and governance reviews. 

• Contribute to the development, review, and improvement of cybersecurity policies, standards, and procedures.  

• Evaluate policy exceptions and assist in documenting decisions for governance committees. 

• Enhance the organization’s cybersecurity awareness and training efforts by communicating risk insights to technical and non-technical audiences.   

• Other duties as assigned 

Required Qualifications     

• Bachelor's degree required in Information Security, Computer Science, Engineering, Information Technology, or a related field; master’s degree preferred 

• 3+ years of experience in cybersecurity, information security risk management, audit; healthcare industry experience strongly preferred 

• Demonstrated experience with risk assessment methodologies, auditing, information security practices, and familiarity with risk management platforms and risk registers 

• Strong understanding of regulatory compliance and industry best practices towards maintaining compliance with HIPAA, NIST and other relevant healthcare regulations and standards 

• One or more of the following certifications are required or must be obtained within 12 months of hire: CRISC, CISM, CISA or any other applicable certification 

• Ability to lead and structure risk assessments with limited supervision 

• Ability to manage multiple concurrent assessments and projects in a fast-paced healthcare setting 

• Experience preparing both detailed technical risk reports and executive-level summaries, tailored to varied audiences to support informed decision-making and governance oversight 

• Ability to build strong cross-functional relationships and collaboration across departments, including IT, Legal, Compliance, Clinical Operations, and Privacy, to support a collaborative approach to risk management and governance 

• Strong written and verbal communication and interpersonal skills, including ability to translate technical findings into business-relevant language for leadership audiences 

• Experience tracking audit findings, third party vendor risks, and remediation efforts 

• Familiarity with security platforms and tools  

• Ability to analyze contractual security language to identify risk exposure and recommend controls 

• Ability to learn quickly and work effectively in a team environment 

• Ability to understand and work with healthcare professionals, educators, and researchers 

• Ability to integrate cybersecurity risk management with business operations, healthcare delivery, and IT services    

Position Details     

• Job Type/FTE: Full Time  

• Shift: Days    

• Location: Flexible (Hyde Park; Darien)   

• Unit/Department: Information Security Office    

• CBA Code: Non-Union  

We’ve been at the forefront of medicine since 1899. We provide superior healthcare with compassion, always mindful that each patient is a person, an individual. To accomplish this, we need employees with passion, talent and commitment… with patients and with each other. We’re in this together: working to advance medical innovation, serve the health needs of the community, and move our collective knowledge forward. If you’d like to add enriching human life to your profile, UChicago Medicine is for you. Here at the forefront, we’re doing work that really matters. Join us. Bring your passion.

UChicago Medicine is growing; discover how you can be a part of this pursuit of excellence at: UChicago Medicine Career Opportunities.

UChicago Medicine is an equal opportunity employer.  We evaluate qualified applicants without regard to race, color, ethnicity, ancestry, sex, sexual orientation, gender identity, marital status, civil union status, parental status, religion, national origin, age, disability, veteran status and other legally protected characteristics.

Must comply with UChicago Medicine’s COVID-19 Vaccination requirement as a condition of employment. If you have already received the vaccination, you must provide proof as part of the pre-employment process. This is in addition to your compliance with the Flu Vaccination requirement as well. Medical and religious exemptions will be considered consistent with applicable law. Lastly, a pre-employment physical, drug screening, and background check are also required for all employees prior to hire.

Compensation & Benefits Overview

UChicago Medicine is committed to transparency in compensation and benefits.  The pay range provided reflects the anticipated wage or salary reasonably expected to be offered for the position.

The pay range is based on a full-time equivalent (1.0 FTE) and is reflective of current market data, reviewed on an annual basis. Compensation offered at the time of hire will vary based on candidate qualifications and experience and organizational considerations, such as internal equity. Pay ranges for employees subject to Collective Bargaining Agreements are negotiated by the medical center and their respective union.

Review the full complement of benefit options for eligible roles at Benefits - UChicago Medicine.