Job Description:
Join a world-class academic healthcare system, UChicago Medicine, as an Information Security Risk Analyst – Intermediate in our Information Security and Privacy GRC department. This position will be primarily a work-from-home opportunity with the requirement to come onsite as needed. You will need to be based in the greater Chicagoland area.
The Information Security Risk Analyst – Intermediate plays a critical role within the Governance, Risk and Compliance (GRC) team in executing and enhancing the organization’s information security risk management program. The analyst will independently conduct risk analysis on information systems, platforms, and processes in accordance with established regulatory requirements, organizational policies, and industry standards. The analyst will lead and contribute to the identification, assessment, documentation, mitigation, and communication of information security risks across the organization.
This position supports risk-driven decision-making by collaborating with stakeholders, managing risk treatment plans, and ensuring compliance with HIPAA, NIST, and other applicable healthcare cybersecurity regulations and frameworks. The analyst is expected to operate with moderate independence, assist in maturing risk workflows, and contribute to strategic improvements in governance, risk, and compliance activities.
The ideal candidate will have a strong understanding of security frameworks, risk assessment methodologies, risk assessments, risk registers, and the management of audit and penetration testing findings. The ideal candidate should be adept at monitoring regulatory developments while promoting a culture of risk awareness across the organization.

REQUIRED QUALIFICATIONS

• Bachelor’s degree required in Information Security, Computer Science, Engineering, Information Technology, or a related field; master’s degree preferred
• 3+ years of experience in cybersecurity, information security risk management, audit; healthcare industry experience strongly preferred
• Demonstrated experience with risk assessment methodologies, auditing, information security practices, and familiarity with risk management platforms and risk registers
• Strong understanding of regulatory compliance and industry best practices towards maintaining compliance with HIPAA, NIST and other relevant healthcare regulations and standards
• One or more of the following certifications are required or must be obtained within 12 months of hire: CRISC, CISM, CISA or any other applicable certification
• Ability to lead and structure risk assessments with limited supervision
• Ability to manage multiple concurrent assessments and projects in a fast-paced healthcare setting
• Experience preparing both detailed technical risk reports and executive-level summaries, tailored to varied audiences to support informed decision-making and governance oversight
• Ability to build strong cross-functional relationships and collaboration across departments, including IT, Legal, Compliance, Clinical Operations, and Privacy, to support a collaborative approach to risk management and governance
• Strong written and verbal communication and interpersonal skills, including ability to translate technical findings into business-relevant language for leadership audiences
• Experience tracking audit findings, third party vendor risks, and remediation efforts
• Familiarity with security platforms and tools
• Ability to analyze contractual security language to identify risk exposure and recommend controls
• Ability to learn quickly and work effectively in a team environment
• Ability to understand and work with healthcare professionals, educators, and researchers
• Ability to integrate cybersecurity risk management with business operations, healthcare delivery, and IT services

Please refer the Job description for details