Analyst, IT Governance, Risk, and Compliance

P3 Health Partners is committed to ensuring the health and safety of our team members, patients and communities we serve. As a part of this commitment, all candidates must receive their COVID-19 vaccine prior to joining the team. If you have any questions about our interview and hiring procedures, please contact PeopleServices@p3hp.org.

People. Passion. Purpose.

At P3 Health Partners, our promise is to guide our communities to better health, unburden clinicians, align incentives and engage patients.

We are a physician-led organization relentless in our mission to overcome all obstacles by positively disrupting the business of health care, transforming it from sickness care into wellness guidance.

We are looking for an IT Governance, Risk, and Compliance (GRC) Analyst. If you are passionate about your work; eager to have fun; and motivated to be part of a fast-growing organization in Las Vegas, Nevada, or remote then you should consider joining our team.

Job Purpose

P3 Health Partners is seeking a Governance, Risk & Compliance (GRC) Analyst to assist with Information Security governance, risk, and compliance policies, processes, technologies, and assessments. Reporting to IT GRC Director, the analyst provides assurance for adherence to company policies and procedures, and contributes to activities related to the development, implementation, compliance, and adherence to the organization’s IT policies and assessment activities.

This position works closely with the P3 Health Partners Information Security team for security reviews and evidence collection activities that align with internal and external auditing requirements as well as any security investigations and incidents. This position will also be responsible for the reporting, tracking and verification of IT Change Management procedures and Business Continuity and Disaster Recovery (BCDR) testing processes.

Essential Functions and Responsibilities

• Must have a strong customer service focus and the ability to project that attitude to customers in corporate and remote locations.
• Manage the reporting requirements for P3’s IT GRC program, ensuring IT activities, processes, and procedures meet defined requirements, policies, and regulations. Manage assessments and gap analyses of P3's IT control environment against industry and regulatory governance frameworks (i.e., NIST Cyber Security Framework, ISO 27001, SOC 1/2, COBIT, ITIL, Sarbanes-Oxley, and CCPA/GDPR).
• Apply GRC expertise across key lines of business, including products, practices, and procedures. Coordinate and track IT related audits activities including scope, timelines, evidence gathering, and remediation task outcomes. Ensure P3 IT teams maintain up-to-date configuration documentation for systems and processes. Provide guidance, evaluation, and advocacy on audit responses for the department.
• Produce metrics, reports, and dashboards as applicable. Execute P3 Information Services strategy for dealing with increasing number of audits, compliance checks and external assessment processes.
• Oversee the management of system user access reviews including data collection and follow-up with system owner approvals and timely submissions as required.
• Support third-party risk assessments and manage third-party risk and remediation activities. Ensures proper reporting and response to alleged violations of company rules, regulations, policies, procedures, and standards of conduct by initiating and cooperating in investigative procedures.
• Work with auditors as appropriate to keep audit focus in scope and remediation delivery commitments. Maintain excellent relationships with audit entities and provide a consistent perspective that continually puts P3 Health Partners in its best light.
• Facilitate Business Continuity/Disaster Recovery Planning and Testing exercises.
• Support the development of strategies to address GRC awareness and training for all stakeholders and provide on-site guidance and instructions to other IT teams as needed.
• Maintain and enforce confidentiality regarding information being processed, stored, or accessed by the system.

Education and Experience

Required

• Bachelor’s or advanced degree in healthcare, computer science, or business, or equivalent work experience
• Minimum of 3 years’ experience responding to, analyzing, and communicating information security incidents and overseeing remediation actions to completion
• Minimum of 2 years of experience developing security standards, guidelines, and remediation planning based on best practices and industry standards
• Minimum of 1 years of healthcare IT experience
• Strong verbal and written communication skills are required
• Demonstrated experience managing multi-tasked situations and requirements
• Exceptional written and verbal communication skills, and proven ability to translate security and risk to all levels of the business. Experience with policy writing, implementation, and enforcement.
• Understanding of a wide range of incident response, system configuration, vulnerability management and hardening guidelines.
• Working knowledge of technologies such as cloud computing, database management, DevOps and application security.

Desired

• Experience and knowledge of Healthcare Compliance Requirements (SOX, HIPAA, HITRUST, etc.)
• Demonstrated skills documenting IT risk and compliance activities
• Experience training small groups of end users
• Experience managing periodic performance reports and metrics.
• Certifications such as CISSP, CISA, CRISC and/or CIPP are a plus.

Knowledge, Skills, and Abilities

• Knowledge of audit controls and how to effectively implement and remediate audit response actions.
• Knowledge of Risk Management framework, reporting and remediation
• Ability to provide product documentation and GRC awareness training
• Knowledge of healthcare workflows
• Excellent presentation and interpersonal skills
• Strong analytical and problem-solving skills
• Ability to learn new tools and technologies
• Ability to effectively collaborate with P3 Leadership, P3 family, physicians, and vendors
• Ability to identify and troubleshoot potential issues and participate in their resolution with highest customer satisfaction
• Ability to work a flexible schedule to meet the needs of the group growth and expansion
• Ability to communicate technical issues to non-technical end users
• Knowledge of core Microsoft business applications, word, excel, outlook, etc.
• Work independently as well as in a group setting