
IT Security & Compliance Lead (Healthcare)

Department: Administration
Location: 620 Foster Avenue, Brooklyn, NY 11230
Hours: Full Time

Premium Health is looking for outstanding Security & Compliance candidates for our Information Technology department.

Premium Health's Information Technology (IT) department is based in our Administration office and is responsible for managing and maintaining the entire infrastructure of multiple health practices across Brooklyn. The IT department is a team that is projected to grow as the organization does and is led by our Chief Digital Information Officer.

We are seeking a hands-on IT Security & Compliance Lead to own and operate the organization's security, risk, and compliance program across a multi-site ambulatory healthcare environment.

This role is responsible for day-to-day execution of security controls, HIPAA compliance, audit readiness, vendor risk management, and AI governance, ensuring systems and data are protected while enabling efficient clinical and operational workflows.

The role serves as the internal owner of security program execution, working closely with IT, clinical applications, data, and operational teams, as well as external partners. The role will also establish and manage practical AI governance, enabling safe and effective use of emerging AI tools across the organization.

This individual will help define and execute a practical security roadmap to continuously mature the organization's security controls, operational practices, and risk management capabilities, aligned to healthcare regulatory requirements and industry-standard frameworks such as NIST.

Success in this role requires a balance of operational execution, hands-on security administration, cross-functional collaboration, and pragmatic risk management while supporting a rapidly evolving healthcare environment.

Time Commitment
- 40 hours per week (Monday – Friday)
- Opportunity for remote work for up to 20% of scheduled hours

Responsibilities

Security Program Ownership & Execution
- Own and operate the organization's security program, ensuring policies, procedures, and controls are consistently implemented
- Maintain and update security policies, standards, and procedures
- Ensure alignment with regulatory and organizational requirements
- Support ongoing maturation of the organization's security posture and controls framework, including alignment with industry-standard practices such as NIST
- Stay current on emerging cybersecurity threats, vulnerabilities, technologies, AI-related risks, and evolving industry best practices, proactively identifying opportunities to strengthen the organization's security posture and risk management capabilities

Security Tooling & Control Administration
- Administer and support security technologies and operational controls across the environment, including email security, endpoint protection, identity and access management, MFA, conditional access, DLP, and firewall/security platforms
- Configure, tune, monitor, and maintain security rules, alerts, policies, and protections across Microsoft 365, SaaS, endpoint, and network security platforms in collaboration with internal IT teams and external security partners
- Support email security administration, including phishing protection, impersonation protection, quarantine management, and coordination of SPF/DKIM/DMARC-related controls
- Coordinate and manage phishing simulations, user remediation, and security awareness follow-up activities
- Support SaaS application governance and review of third-party application access, permissions, and security risks
- Partner with outsourced SOC/EDR providers to investigate alerts, validate remediation actions, and continuously improve detection and response capabilities

Compliance & Audit Readiness (HIPAA)
- Lead HIPAA compliance efforts, including risk assessments and remediation tracking
- Coordinate internal and external audits, ensuring documentation and evidence are maintained continuously
- Monitor compliance with security policies and regulatory requirements
- Ensure controls are functioning and documented (not just defined)

Vendor & Third-Party Risk Management
- Own the vendor security review process
- Ensure BAAs and security requirements are in place and tracked
- Maintain vendor inventory and risk classification

Identity & Access Management
- Oversee user access controls, including onboarding, offboarding, and role-based access controls
- Lead periodic access reviews across key systems
- Ensure least-privilege access and proper audit trails

Security Operations & Incident Coordination
- Serve as the internal point of contact for security incidents, coordinating response with outsourced SOC/EDR providers
- Define and maintain incident response processes and escalation paths
- Track and ensure follow-up on security alerts and incidents

AI Governance & Emerging Technology Risk
- Establish and maintain practical AI governance guidelines, including acceptable use of tools such as ChatGPT and Microsoft Copilot
- Define guardrails for responsible use of AI, including PHI protection and data handling
- Support evaluation of AI-enabled tools and vendors
- Partner with IT and operational teams to enable safe adoption

Security Awareness & Training
- Support security awareness initiatives, including phishing simulations and staff education
- Provide guidance on secure use of systems, data, and AI tools

Collaboration & Reporting
- Partner with IT, Clinical Applications, Data, and Operations teams to ensure security practices align with workflows and business needs
- Provide regular reporting on security posture, risks, and compliance status to leadership
- Identify opportunities to improve processes, reduce risk, and strengthen controls

Requirements
Qualified candidates must have 5 years of experience, be self-driven, and have:
- 5+ years of experience in IT security, compliance, or risk management
- Experience in healthcare or regulated environments (HIPAA strongly preferred)
- Experience managing or supporting security programs, audits, and compliance initiatives
- Strong understanding of identity and access management, vendor risk, and security controls
- Ability to work cross-functionally and translate security requirements into practical processes
- Hands-on experience administering or supporting security technologies and operational controls, including areas such as identity and access management, endpoint protection, email security, MFA/conditional access, DLP, or SaaS security administration

Preferred
- Experience working with SaaS-heavy environments and third-party vendors
- Experience working with Microsoft 365 security technologies, endpoint protection, email security, SIEM, DLP, conditional access, or related security platforms
- Experience developing or supporting security policies and governance frameworks
- Familiarity with NIST, CIS Controls, or similar frameworks
- Exposure to AI tools and interest in emerging technology governance

Compensation
Commensurate with experience

Benefits
Paid Time Off; Medical, Dental and Vision plans; Retirement plans; Public Service Loan Forgiveness (PSLF)