Director of IT Security (HHSC 04-24)

DATE POSTED:  June 19, 2024

POSITION TITLE: Director of IT Security


POSITION STATUS: Exempt/Full-Time with Benefits

LOCATION:  Hawaii Health Systems Corporation (HHSC), Corporate, Honolulu, HI

SALARY RANGE: $$144,785 – $173,742 per year


The Director of IT Security’s primary function is the design, oversight and ongoing management of the information security program, including policies, procedures, technical systems, and workforce training in order to maintain the confidentiality, integrity, and availability of data within the organization information systems framework. The Director of IT Security’s role addresses electronic system architecture and functionality as it affects safeguards of Protected Health Information (PHI) and business information assets. The Corporate Office is located in Leahi Hospital, Honolulu, Hawaii.

The Director of IT Security acts as a focus and resource for the organization’s information security matters. Works with those in corresponding roles at the hospitals. Takes direction from the VP & Chief Information Officer to achieve the goals of the organization. Investigates and recommends secure solutions that implement information security policy and standards. Coordinates Office of Information Security activities and works with staff as required. Oversees, implements, and monitors the security requirements levied by Federal and State Rules and Regulations.


A.  IT Security and Audit      50%

  1. Designs and performs information systems audits, critical responsibilities for this duty include but are not limited to:
    1. For each HHSC information system that contains confidential information, such as, Protected Health Information (PHI) or Personally Identifiable Information (PII), design, build, test and utilize audit reports that highlight information security breaches.
    2. Develop policies, procedures and standard reports for identifying and/or verifying potential breach of information security, confidentiality and privacy.
    3. Establish a proactive audit process that reviews IT Security policy compliance of HHSC employees once per year.
    4. Create new information system audits as part of all system implementations managing patient information.
    5. Modify existing information system audits as part of all system upgrades managing patient information.
    6. Develop, maintain and utilize system for tracking all audit results (proactive and reactive).
    7. Work with Human Resources, Compliance, and Legal to address any confirmed breach situations.
  2. Designs and performs Internet access and usage audits; critical responsibilities for this duty include but are not limited to
    1. Participate in the selection of an Internet monitoring solution.
    2. Design, build, test and utilize Internet access and monitoring reports that highlight employee abuse of the privilege.
    3. Develop policies, procedures and standard reports for identifying and/or verifying abuse of Internet privilege.
    4. Establish a proactive audit process that reviews each HHSC employee once per year (as available via Active Directory log-ins).
    5. Identify and block inappropriate Web Sites.
    6. Work with Human Resources to address any confirmed abuse situations.
  3. Provides application support and security administration activities for assigned software applications as they are assigned by IT Leadership as defined in the IT Staffing Application and Project matrix; critical responsibilities for this duty include but are not limited to:
    1. Responsible for ensuring System/Data owners maintain security management controls for application dictionaries and user profiles which impact system and user security.
    2. Review and audit the process to maintain system security for administering user codes and passwords.
    3. Review and audit the process to maintain system security for granting and removing access to IT department key punch doors or electronic swipe auto locks.
    4. Develop a collaboration information sharing process with Human Resources to ensure that IT receives timely and accurate terminations, transfers and new hire information.
  4. Champions continuous readiness of security regulations; critical responsibilities for this duty include but are not limited to:
    1. Chair the Information Security Workgroup.
    2. Facilitate work group meetings, status meetings and any other brainstorming type of meetings related to information security.
    3. Perform walkthroughs with HHSC Corporate Compliance & Privacy Officer to identify existing non-compliance areas and issues.
    4. Track and actively work to resolve non-compliance issues identified through the Security Workgroup and/or walkthroughs.
    5. On a routine basis, select an information security consulting firm to perform internal/external vulnerability assessment.
    6. Manage the relationship with the information security partner coordinate all aspects of the security assessment projects.
  5. Serves as HHSC educator for information security; critical responsibilities for this duty include but are not limited to developing content for:
    1. General Orientation.
    2. Annual job specific role-based access training.
    3. IT department in-services.

B.  Information Security      45%

  1. Establish an information security program and management infrastructure to ensure that technology risks are identified and managed.
  2. Advise senior management about risks to the business due to the implementation of technology used to operate the business.
  3. Serve the role of Chief Information Security Officer to provide system-wide staff with a single point of contact for all issues involving information security including, but not limited to, general questions regarding information security, physical security of computers and facilities in which they are located, security alerts, viruses and breaches of security.
  4. Inform Executive Management of security breaches, information and related physical security issues and risks.
  5. Implement and maintain a process for defining the organization’s goals and objectives for information and related physical security.
  6. Review and advise on Security audit recommendations and responses.
  7. Ensures information security policies and procedures are established and implemented and contingency plans are in place that will provide continuing operations in the event of an emergency. Contingency plans would include disaster recovery procedures and emergency mode operation plans are in place.
  8. Assist Legal and Compliance with E-Discovery.
  9. Analyze and evaluate new technologies for cost effective, efficient operation, and adherence to healthcare security requirements to support the HHSC environment; prepare feasibility studies, monitor technical design in relation to security changes.
  10. Identify opportunities for improving financial/clinical security processes through automation; prepare proposals to develop new systems or enhancements to existing systems.
  11. Determine allocation of resources and install schedules.
  12. Assure proper planning, engineering, documentation, installation and testing of systems to meet end user requirement; manage system maintenance activities.
  13. Prepare budgetary cost estimates and develop project implementation proposals, documentation and scheduling; write technical specifications and request for proposals.

C. Other Duties                5%

  1. Works with Corporate Compliance & Privacy Officer to ensure information security policies and procedures are meeting all regulatory requirements.
  2. Performs other duties as assigned.

THE MINIMUM QUALIFICATION REQUIREMENTS ARE: Applicants must meet all of the following requirements.  Please note that unless specifically indicated, the required education and experiences may not be gained concurrently. In addition, qualifying work experiences are based on a 40-hour work week.

EDUCATION:  A Bachelor’s degree from an accredited university or college or equivalent work experience.

EXPERIENCE: Must have five (5) years general experience with functions pertaining to IT Security, Privacy, and Confidentiality; managing security projects, strategic planning related to security, and quality control support.   Five (5) years management experience in IT security and/or managing a technical team in an information technology environment.

CERTIFICATION: Certification as a Certified Information Systems Security Professional is preferred. Knowledge of HIPAA, NIST CSF, and IT security best practices.



Knowledge of:  All areas of information and related physical security including but not limited to security alerts, warnings, computer virus activity, and advances in security techniques.  Information use and flow in the organization, and understanding the rules and regulations pertaining to information security and confidentiality at both federal and state levels and healthcare industry standards.  Broad knowledge of current technical and procedural techniques in information and related physical security.

Ability to: Manage and direct workers including the ability to provide counseling and mediation; communicate effectively both orally and in writing; communicate clear expectation to subordinates and motivate them to perform effectively; establish and maintain good working relations with department personnel, staff, vendors, peer, and management; understand and learn a variety of business procedures and processes; develop new approaches and solutions outside of existing theories and principles; engage in high level consulting; advise and interpret policies, procedures and standards, prioritize requests for services.

Communicate technical, application and security related concepts to a broad range of technical and non-technical staff.  Identify and evaluate information and related physical security risks and exposures.  Establish liaisons with internal and external constituencies with respect to information and related physical security matters.


Work to be performed primarily in an HHSC office setting.  Incumbent may be required to attend meetings in the Honolulu office, at locations throughout Oahu and throughout the State of Hawaii, and potentially the mainland United States.  Travel may require occasional overnight stays of one or more days out of town, or out of state.  Light lifting and carrying of papers and books up to fifty pounds will occasionally be required.  Occasionally and on short notice throughout the year incumbent will be required to work long, additional hours in the evenings and on weekends and holidays.

Please provide three (3) professional references (name, job title, employer, work/cell number and email), along with your salary expectation. 

To apply for this job email your details to