Sayre, PA, 18840, USA
3 days ago
VP, Cybersecurity/CISO - IT Administration - Full Time
Position Overview

The Guthrie Clinic is a non‑profit, multispecialty health system that integrates clinical care, hospital services, research, and education. As one of the nation’s longest‑established group practices, Guthrie has grown into an organization of more than 10,000 caregivers, including nearly 1,000 physicians and advanced practice providers spanning the full spectrum of medical specialties. Serving a region of approximately 11,000 square miles across northeastern Pennsylvania and upstate New York, Guthrie’s six hospital campuses are complemented by an extensive network of outpatient facilities across 14 counties.

The Vice President, Cybersecurity and Chief Information Security Officer (CISO) is a key executive leadership role reporting to the Senior Vice President & Chief Digital Officer. As a strategic member of the Information Services Leadership Team, the CISO shapes and leads the enterprise cybersecurity vision for The Guthrie Clinic, ensuring the confidentiality, integrity, and availability of critical information systems across the health system. The CISO partners closely with senior executives, clinical and operational leaders, and organizational stakeholders to drive a comprehensive cybersecurity program. This role provides oversight for system‑wide cybersecurity strategy, cyber risk management, AI‑related cyber governance, medical device security, third‑party risk management (TPRM), and regulatory compliance, including the HIPAA Security Rule and NY DOH Cybersecurity Regulations. Key responsibilities include leading enterprise information security policy, cybersecurity operations, incident response, vulnerability management, and system‑wide security awareness. The CISO also provides cybersecurity reporting to the Audit Committee and delivers annual briefings to the Guthrie Clinic Board of Directors.
This leader manages and mentors a high‑performing, multidisciplinary cybersecurity team and actively participates in healthcare cybersecurity communities to advance best practices, threat‑intelligence sharing, and sector‑wide resilience.

Experience Requirements

+ 10+ years of combined experience in cybersecurity, risk management, and information technology, with at least four years in a senior leadership role.
+ Demonstrated experience and measurable outcomes in:
  + Healthcare cybersecurity leadership.
  + Cyber threat and risk frameworks and executive‑level risk reporting.
  + NIST CSF and/or HITRUST CSF implementation and maturity progression.
  + Incident response, threat detection, digital forensics, SOC operations, and vulnerability management.
  + Third‑party risk management (TPRM) and vendor cybersecurity due diligence.
  + HIPAA and NY DOH cybersecurity regulatory compliance.
  + AI governance and AI threat‑related risk mitigation.
  + Medical device and IoT security programs.
+ Ability to concisely communicate complex cybersecurity and risk concepts to executive, clinical, and non‑technical audiences.
+ Proven success building and maturing enterprise security programs in dynamic healthcare environments.
+ Strong analytical and problem‑solving skills; proven calm, composed leadership under pressure.
+ Experience negotiating contracts, managing budgets, and leading cross‑functional and interdisciplinary teams.
Industry Memberships, Active Engagement & Professional Contributions

To ensure alignment with healthcare cybersecurity best practices, threat intelligence collaboration, and sector‑wide resilience, a history of active membership and engagement in healthcare industry cybersecurity organizations is strongly preferred:

+ Health‑ISAC (Health Information Sharing and Analysis Center)
+ HSCC (Health Sector Coordinating Council) Cybersecurity Working Group
+ CHIME/AEHIS (Association for Executives in Healthcare Information Security)

Essential Functions

The CISO is a strategic thought leader, consensus builder, and integrator who balances cybersecurity with organizational agility and mission needs. Responsibilities include, but are not limited to:

Leadership, Governance & Strategy

+ Develop, maintain, and oversee a comprehensive enterprise information security and IT risk management program, grounded in HITRUST CSF, NIST CSF, and leading industry frameworks.
+ Lead all cybersecurity and infrastructure operations teams, including hiring, development, and performance management.
+ Establish and chair an Information Security Steering Committee.
+ Provide cybersecurity program reporting to The Guthrie Clinic Audit Committee and annual program reporting to the full Guthrie Clinic Board of Directors, and to other leadership and Guthrie hospital board meetings as requested.

Policy, Compliance & Regulatory Oversight

+ Develop, publish, and maintain security policies, standards, and guidelines.
+ Ensure compliance with the HIPAA Security Rule, NY DOH cybersecurity regulations, PCI DSS, and other applicable federal and state healthcare cybersecurity regulations.
+ Work with enterprise business units to define acceptable residual risk levels and manage risk remediation plans.

Risk Management & Cyber Risk Quantification

+ Lead formal risk assessment processes, including cyber risk quantification to inform executive decision‑making.
+ Create and maintain a robust program for information classification, ownership, accountability, and protection.
+ Monitor external threats and emerging technologies, including AI‑related risks, and advise on appropriate mitigation strategies.
+ Support the annual cyber insurance renewal process.

Third‑Party & Medical Device Security

+ Lead a comprehensive TPRM program, including evaluation, onboarding, monitoring, and continuous assessment of vendor cybersecurity and cloud service providers.
+ Oversee medical device cybersecurity programs, coordinating with clinical engineering and biomedical teams to protect connected clinical technologies.

Operational Security & Incident Response

+ Oversee security operations center (SOC) functions and SIEM, SOAR, and DLP technologies.
+ Lead incident response and investigation processes, including post‑incident analysis and continuous improvement.
+ Oversee vulnerability management, penetration testing, and configuration hardening programs.

Architecture, Technology & Innovation

+ Partner with enterprise architecture teams to ensure alignment between security principles and system design.
+ Provide security guidance for IT projects, cloud adoption, AI initiatives, and new clinical technology implementations.
+ Ensure the secure design, implementation, and continuous cyber governance of the organization’s Epic electronic health record (EHR) environment, spanning access controls, third‑party risk, and SEER compliance.

Awareness, Training & Culture

+ Develop and deliver cybersecurity training programs for all employees, contractors, and system users.
+ Drive a culture of security awareness and shared accountability across the organization.

Metrics, Reporting & Continuous Improvement

+ Create a metrics and reporting framework to measure program maturity, operational performance, and risk exposure.
+ Manage internal and external cybersecurity resources, contracts, and consulting partnerships.
Additional Responsibilities

+ Perform other duties as required in support of The Guthrie Clinic’s mission and objectives.

Education & Certifications

+ Bachelor’s degree in Information Technology, Computer Science, Information Security, or a related field required.
+ Master’s degree preferred in Cybersecurity, Information Systems, Business Administration, Healthcare Administration, or a related discipline.
+ At least one active professional information security certification that requires CPEs, such as CISSP, CISM, CISA, or similar, required.
+ GIAC Certifications (SANS Institute), FAIR, ITIL, PMI, or technical certifications (Microsoft, Cisco, Epic, etc.) preferred.

Joining the Guthrie team allows you to become a part of a tradition of excellence in health care. In all areas and at all levels of Guthrie, you’ll find staff members who have committed themselves to serving the community. The Guthrie Clinic is an Equal Opportunity Employer.

The Guthrie Clinic is a non‑profit, integrated, practicing physician‑led organization in the Twin Tiers of New York and Pennsylvania. Our multi‑specialty group practice of more than 500 physicians and 302 advanced practice providers offers 47 specialties through a regional office network providing primary and specialty care in 22 communities. Guthrie Medical Education Programs include General Surgery, Internal Medicine, Emergency Medicine, Family Medicine, Anesthesiology and Orthopedic Surgery Residency, as well as Cardiovascular, Gastroenterology and Pulmonary Critical Care Fellowship programs. Guthrie is also a clinical campus for the Geisinger Commonwealth School of Medicine.