
Information Security Analyst, GRC
About Paytient:
We’re on a mission to help people better access and afford care.
Every day, millions of people, and their loved ones, need to see a doctor. For most of us, that moment is an uncertain one - we’re unsure of what’s wrong, who to go to, how long it’ll take to be seen, when we’ll feel better, and what it’ll cost.
Paytient partners with thoughtful employers and health plans who understand the impact of that moment and want to ensure that every one of their plan members is easily able to access and afford care. Our clients understand that an improved ability to self-pay for care changes patient behavior and creates value for the health plan. This founding belief is becoming an emerging standard of care in health plan design and is now, in fact, a mandatory capability in some governmental health plans. Founded in 2018, Paytient is now part of nearly 6,000 employer health plans and provides certainty that people are better able to access and afford care.
About the Role
Paytient is built on the belief that financial barriers should never stand between a person and the care they need. We partner with employers and health plans to provide a Health Payment Account (HPA), allowing members to pay for out-of-pocket healthcare costs over time, interest-free.
Because we operate at the intersection of healthcare and finance, trust is our most important asset. We are seeking an Information Security GRC Analyst - a disciplined professional who understands that rigorous compliance is the bedrock of our ability to serve our members safely. The Information Security GRC Analyst is a pivotal member of the Information Security team, responsible for the integrity of our security frameworks and the maturity of our compliance programs. Your primary focus will be on ensuring our policies and procedures align with SOC2 and HITRUST, administering and maturing the risk management program, and serving as a key stakeholder in the Vendor Risk Management process.
This role requires a high degree of craft and diligence. We are looking for a builder who can meticulously manage multiple tasks while possessing a broad understanding of information technologies and security practices to ensure security controls are integrated seamlessly into our operational workflows.
Primary Responsibilities
- HITRUST and SOC2 Alignment: Manage the alignment of internal policies, procedures, and controls with the HITRUST CSF and SOC2. Contribute to the design and implementation of robust security controls across the organization.
- Policy Governance: Collaborate with stakeholders to draft and update information security policies and standards, ensuring they are well-designed and meet stringent requirements.
- Audit Facilitation: Act as a primary participant in SOC2 and HITRUST assessments and audits, managing evidence gathering, documentation, and technical interaction with external auditors.
- Control Validation: Work closely with IT and Security teams to verify that controls are designed correctly and operating effectively within our environment.
- Risk & Vulnerability Tracking: Assist in identifying vulnerabilities and participate in risk assessments for proposed business changes to ensure they do not compromise our compliance posture.
- Vendor Management: Facilitate the Vendor Management Program by performing third party risk reviews for a broad range of technology vendors and reporting risk findings to technology stakeholders.
What You’ll Bring
- The Core Requirement: Verifiable experience leading or playing a high-level role in a successful Information Security GRC program that encompasses vendor lifecycle management, alignment with compliance frameworks, and risk management.
- Professional Experience: 2+ years in Information Security, IT Audit, or a Security GRC role.
- Technical Acumen: A strong understanding of networking, operating systems, cloud security, and encryption. You should be able to speak the same language as our engineers.
- Framework Knowledge: An in-depth knowledge of HITRUST CSF and SOC2 and a working knowledge of NIST and ISO 27001.
- Paramount Communication: Exceptional written communication skills with the ability to create clear, accurate documentation that stands up to auditor scrutiny.
- Tool Proficiency: Experience with Jira, Google Workspace, and GRC platforms such as Vanta, Drata, or similar products.
Our Values
- Live the Mission: We are missionaries, not mercenaries.
- Lift Others: We succeed by elevating our customers and our teammates.
- Light the Way: We stand out, bring clarity, and blaze a path for others to follow.
Benefits We Offer for Full-Time Roles:
- Medical, dental and vision insurance
- $4,400 annual HSA contribution
- Paytient Health Payment Account (HPA)
- Monthly lifestyle spending stipend
- Five weeks of annual PTO
- Week-long fully paid 'summer break' for all employees!
- Ten weeks of bonding leave for new parents
- Two weeks of caregiver leave
- Employer paid short-term and long-term disability
- 401k plan access with a 4% employer match
- Stock options in Paytient
- ...and more!
Paytient is an equal opportunity employer, and all qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
⚠️ Important Notice ⚠️ Please note that all official Paytient recruiting emails come from @paytient.com. If you receive emails from any domain other than @paytient.com, do not respond and report it to us immediately.