Onyx wins Best in KLAS.

At Onyx, we strive to innovate and create cutting-edge solutions for healthcare interoperability. Our team is passionate about using scalable technologies to solve real-world problems, which enables us to deliver impactful solutions to our clients.

We are looking for a motivated and talented Director of Information Security to join our dynamic team. This position offers an opportunity to apply hands-on experience and contribute to meaningful projects.

Location: Remote / Hybrid – U.S. (Eastern or Central Time Zones Preferred) 

Employment Type: Full-Time
 
About the Role:

The Director of Information Security is a strategic and technically proficient leader responsible for driving the security and compliance posture of a cloud-native SaaS organization serving the healthcare industry.

This role combines hands-on cybersecurity expertise with leadership in HITRUST i1/r2, HIPAA, and CMS interoperability (FHIR®-based) compliance frameworks. Working closely with the Chief Interoperability Officer, the Director ensures that all cloud, data, and product environments meet the highest standards of security, privacy, and interoperability.

The Director will guide the company’s security roadmap, lead audit and certification efforts, and cultivate a culture of security-by-design across distributed, virtual teams.

Key Responsibilities:

The job responsibilities for this position will include but are not limited to:

1. Information Security Program Leadership

• Develop, implement, and maintain the company’s Information Security Management System (ISMS) aligned with HITRUST i1 or r2, HIPAA, SOC 2 Type II, and NIST 800-53 frameworks.

• Lead HITRUST certification readiness, control documentation, evidence collection, and audit coordination.

• Establish risk management, incident response, and governance processes for the entire organization.

• Integrate security objectives into product, DevOps, and interoperability initiatives.

 
2. Cloud Security & Architecture

• Serve as the security authority for Microsoft Azure (primary) and AWS (secondary) environments.

• Implement identity management, encryption, network segmentation, and compliance monitoring using Microsoft Defender for Cloud (formerly Azure Security Center) and related tools.

• Define secure deployment and automation standards for Infrastructure-as-Code (IaC) environments (Terraform, Bicep).

• Oversee vulnerability management, penetration testing, and cloud compliance monitoring.


3. Regulatory Compliance & Interoperability Security

• Ensure compliance with the CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) and secure implementation of FHIR® APIs, including Patient Access, Provider Access, and Payer-to-Payer data exchange.

• Work with legal, product, and engineering teams to safeguard PHI and PII across data flows.

• Align interoperability services with HL7 FHIR®, SMART App Launch, CARIN Blue Button®, and Da Vinci PDex implementation guides.

• Lead vendor and third-party security assessments in accordance with HITRUST and HIPAA standards.

4. Strategic Security Operations

• Oversee day-to-day operational security including SIEM, endpoint protection, and access governance.

• Manage incident response plans, tabletop exercises, and forensic investigations.

• Maintain and test business continuity and disaster recovery programs.

• Establish clear metrics and dashboards to measure risk posture and audit readiness.


5. Leadership, Culture, and Collaboration

• Build and lead a high-performing, virtual information security team.

• Partner with the Chief Interoperability Officer to align data exchange goals with security strategy.

• Drive organization-wide security awareness and compliance training programs.

• Serve as the company’s trusted voice in client security reviews and industry working groups.

Required Skills & Qualifications:

Education & Experience

• Bachelor’s degree in Information Security, Computer Science, or related field (Master’s preferred).

• 5–8 years of progressive experience in cybersecurity, with at least 3 years in a leadership role within a SaaS or health IT environment.

• Proven experience implementing or managing HITRUST i1 or r2 frameworks from readiness to certification.

• Demonstrated success building or maturing cloud security programs in Azure and AWS.

Technical Skills

• Strong command of Azure security architecture, including Microsoft Entra ID (formerly Azure AD), Key Vault, and Defender for Cloud.

• Familiarity with FHIR®, OAuth 2.0, and OpenID Connect for secure API development.

• Expertise in NIST 800-53, ISO 27001, HIPAA, SOC 2, and data encryption standards.

• Knowledge of SIEM solutions (e.g., Sentinel, Splunk) and GRC platforms.

• Hands-on experience integrating DevSecOps practices across CI/CD pipelines.

Soft Skills

• Exceptional communication and stakeholder management skills.

• Ability to influence and lead in a fully remote, cross-functional team environment.

• Strategic thinker who can balance risk management with innovation.

• High integrity, accountability, and commitment to continuous learning.

Preferred Certifications:

• HITRUST Certified CSF Practitioner (CCSFP) or equivalent.

• Microsoft Certified: Cybersecurity Architect Expert or Azure Security Engineer Associate.

• CISSP, CISM, or CCSP.

• HCISPP (Healthcare Information Security and Privacy Practitioner).

Onyx is committed to hiring and retaining a diverse workforce. We are proud to be an Equal Opportunity/Affirmative Action Employer, making decisions without regard to race, color, religion, creed, sex, sexual orientation, gender identity, marital status, national origin, age, veteran status, disability, or any other protected class. Onyx is a proud Veteran-friendly employer.