Senior Consultant for HIPAA and IT Security Policy Compliance.
OBJECTIVE
The Engineers' Group, Inc. is seeking a Senior Consultant for HIPAA and IT Security Policy compliance. The selected candidate will be assigned to our client, the County of Los Angeles, Department of Public Health (DPH).
Your duties will be to provide Security Assessment and Risk Analysis Services, and document the state of Department of Public Health (DPH) security for electronic Protected Health Information (ePHI), as compared to the security standards of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the approved County and DPH IT Security Policies. The work shall be performed within the DPH Wide Area Network (WAN), and the Public Health Information Systems, and all DPH local area networks.
The Consultant shall assist the Information Security Officer to develop a Security Risk Management Plan that will result in DPH’s ongoing compliance with the requirements of the HIPAA Final Security Rule, County and DPH IT Security Policies.
The HIPAA Final Security Rule specifies administrative, technical and physical security standards and implementation specifications that DPH must implement or consider.
The Consultant’s Security Assessment and Risk Analysis shall assess the implementation of County and DPH IT Security policies and procedures, operations, and information systems in light of all standards and specifications of the Final Security Rule, both those that are required and those that are addressable. The assessments shall identify, analyze and categorize all potential risks, threats, vulnerabilities, liabilities, and flaws that could impact the confidentiality, integrity and availability of confidential and sensitive information, including ePHI.
The Consultant will work with IT Directors at PH Programs, System Managers/Owners, and System Developers to create an ongoing program to self-assess their environments and ensure that sufficient controls are in place.
The Consultant will assist in conducting Security audits and will assist in developing, updating, and reviewing security policies, procedures, and standards.
MINIMUM REQUIREMENTS
The Consultant must meet all of the following requirements:
1. Three (3) years or more experience, within the last six (6) years, creating information security policies, procedures and protocols in advanced network and security architectures.
2. Three (3) years or more experience, within the last six (6) years, conducting an assessment of security and audit requirements for health care applications and infrastructure.
3. Three (3) years or more experience, within the last six (6) years, applying Health Care methodologies, regulations, industry standards, and best practices for information security management.
4. Three (3) years or more experience, within the last six (6) years, performing security impact assessments, gap analysis, and audit analysis studies for companies of 5,000 employees or more.
5. Three (3) years or more experience, within the last six (6) years, performing network security analysis studies in a Cisco Systems infrastructure (including routers, firewalls, etc.), for HIPAA compliance.
6. Three (3) years or more experience, within the last six (6) years, with TCP/IP protocols, SSL, VPN, encryption algorithms, and the OSI layers.
7. Three (3) years or more experience, within the last six (6) years, using any of the following industry standard security vulnerability analysis tools: Foundstone, Qualys, Ethereal, Nessus, GFI LanGuard, Metasploit, ISS Database and Network Scanner.
8. Three (3) years or more experience, within the last six (6) years, interfacing with vendors/customers to successfully deploy security tools.
9. Three (3) years or more experience, within the last six (6) years, interfacing with different levels within an organization to ensure successful and timely completion of security assessments.
10. Completed two (2) projects within the last four (4) years that provided HIPAA security consulting services, as described in this Statement of Work, with companies of 5,000 current employees or more. If called upon for an interview, consultant is to bring proof of engagement(s), along with any report written by Consultant, not anyone else. This could include audit results using audit tools, network security analysis reports, and HIPAA security compliance audit reports.
11. Completed at least one of the following Certifications:
• SSCP (Systems Security Certified Practitioner)
• Cisco Security Specialist 1 (CSS1) Certification
• Certified Information Systems Security Professional (CISSP)
• Cisco Certified Security Professional (CCSP)
• Cisco Certified Network Professional (CCNP)
• Cisco Certified Internetwork Expert (CCIE)
• Certified Information Security Manager (CISM)
BACKGROUND
Governmental mandates require that DPH implement sufficient security measures on the DPH WAN and Local Area Networks (LAN). As part of the overall design, DPH has implemented a complex security environment utilizing firewalls to secure specific segments of the network. Services will be provided to the DPH Information Systems Division. This division has responsibilities for HIPAA and County and DPH IT Security Policy compliance, risk assessment and evaluation, audits, information dissemination, information security training and awareness, and security policy and procedures.
The Consultant will facilitate the transition of support to DPH staff through training, mentoring, knowledge, and skills transfer.
SCOPE
The scope of work includes, but is not limited to, the following:
• Security Assessment and Risk Analysis — Prepare overall Security Assessment and Risk Analysis plan, including an estimate of the number of hours needed to accomplish each task.
• Reports — Prepare assessment, gap, threat, and vulnerability reports documenting risks and areas requiring improvement. The review, analysis, and assessment of administrative vulnerabilities must be described in the reports.
• Procedures and Standards — This includes the development of Information Security self-assessment procedures and standards in support of current DPH IT Security Policies.
• Mentoring and Knowledge Transfer — This includes working with DPH technical staff and facilitating the transition of support responsibilities to DPH technical staff.